I have been forwarded the following complaint that our server is being used to attempt brute-force hacking:
* X.X.X.X tpc-030.machxxxxxxxxx.nl 20210522/20:16:24 X.X.X.X - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.domain.com]
However, the IP (X.X.X.X) is our server's main IP, allocated to no account. How am I able to detect which user is doing this? I have ImunifyAV but I can't detect any issues manually.