My server is being used to brute force hack another server

[harmonypersechino5348]

I have been forwarded the following complaint that our server is being used to attempt brute force hacking

* X.X.X.X tpc-030.machxxxxxxxxx.nl 20210522/20:16:24 X.X.X.X - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.domain.com]

However the IP (X.X.X.X) is our servers main IP allocated to no account. How am I able to detect which user is doing this? I have ImunifyAV but I can't detect any issues manually.

 

[sajithgsm]

Where you get this log? Imunify Incident log?

 

[harmonypersechino5348]

Where you get this log? Imunify Incident log?

No this is a log forwarded to me from the [VirtualHost: www.domain.com] domain they are reporting to me that our server is being used for such activities from what I presume to be their apache log

 

[cPRex]

The first thing I would check would be your local logs for the IP address that is being attacked, to see if you can find any outbound connections there. You could check the Apache log on your machine (/etc/apache2/logs/error_log).

It is normal for outbound traffic to come from the main IP address of the machine, even if that is not associated with an account.

 

[harmonypersechino5348]

The first thing I would check would be your local logs for the IP address that is being attacked, to see if you can find any outbound connections there. You could check the Apache log on your machine (/etc/apache2/logs/error_log).

It is normal for outbound traffic to come from the main IP address of the machine, even if that is not associated with an account.

The domain nor the IP appear to show there.

Would it show if the user was running a php script? I can't find any record of the domains/IPs in

/var/log/
/usr/local/cpanel/logs
/etc/apache2/

Maybe I can enable more extensive logging?

 

[HostNoc]

HI
please scan the domain from which is causing this might be your domain get compromised .scan domain and remove suspicious file and enhance security of your server.
REgards

 

[harmonypersechino5348]

HI
please scan the domain from which is causing this might be your domain get compromised .scan domain and remove suspicious file and enhance security of your server.
REgards

I do not understand what you mean sorry.

The log in my first post (www.domain.com) is an external domain that is reporting to use our server is being used to scan their server. It is taken from their server side logs they have forwarded to me.

 

[cPRex]

It's hard to say where that could be coming from based on the logs. While it may be possible to enable additional logging, that wouldn't help you with things that have already happened, unless the issue is still ongoing.

Since we aren't even sure which domain the issue is coming from you may need to use more advanced networking tools to catch the traffic, or work with an admin to see if you can find more details on the issue, since this wouldn't be related to the cPanel tools on the system.

 

[harmonypersechino5348]

It's hard to say where that could be coming from based on the logs. While it may be possible to enable additional logging, that wouldn't help you with things that have already happened, unless the issue is still ongoing.

Since we aren't even sure which domain the issue is coming from you may need to use more advanced networking tools to catch the traffic, or work with an admin to see if you can find more details on the issue, since this wouldn't be related to the cPanel tools on the system.

It is still ongoing yes. I understand this is not a cPanel issue directly but I am sure others have issues like this perhaps without even knowing.

Thanks for the feedback I will look into those.

 

[cPRex]

So I was thinking a tool like tcpdump, which may already even be installed on your server:

A tcpdump Tutorial with Examples — 50 Ways to Isolate Traffic

50 tcpdump examples that get you maximum results in minimum time. Slice by IP, port, protocol, and application!

danielmiessler.com

It's a very powerful tool and can capture traffic for you to analyze, so if the connection is leaving over port 80 you should be able to see that.

 

[harmonypersechino5348]

So I was thinking a tool like tcpdump, which may already even be installed on your server:

A tcpdump Tutorial with Examples — 50 Ways to Isolate Traffic

50 tcpdump examples that get you maximum results in minimum time. Slice by IP, port, protocol, and application!

danielmiessler.com

It's a very powerful tool and can capture traffic for you to analyze, so if the connection is leaving over port 80 you should be able to see that.

That does seem powerful and a bit complex will have a fiddle with it.

I was hoping to enable some logging and just monitor that for a bit. The scans seem to be to basic wordpress file checks which I am hoping to monitor easily enough through advanced logging. Here are some more logs forwarded to me

* x.x.x.x tpc-033.xxxxx.com 20210708/00:58:17 x.x.x.x - - [08/Jul/2021:00:58:15 +0200] "GET /wordpress/wp-admin/ HTTP/1.1" 301 524 "hxxp : / /xxxxx [.] nl/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-013.xxxxx.com 20210702/21:45:51 x.x.x.x - - [02/Jul/2021:21:45:19 +0200] "GET /wp-admin/ HTTP/1.1" 301 496 "hxxp : / /xxxxx [.] de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" [VirtualHost: www.xxxxx.de]
* x.x.x.x tpc-006.xxxxx.com 20210522/23:15:28 x.x.x.x - - [22/May/2021:23:15:14 +0200] "GET /wp-login.php HTTP/1.1" 301 529 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.com]
* x.x.x.x tpc-030.xxxxx.com 20210522/23:07:00 x.x.x.x - - [22/May/2021:23:06:44 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-015.xxxxx.com 20210522/21:18:33 x.x.x.x - - [22/May/2021:21:18:26 +0200] "GET /wp-login.php HTTP/1.1" 301 515 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.com]
* x.x.x.x tpc-017.xxxxx.com 20210522/20:39:43 x.x.x.x - - [22/May/2021:20:39:18 +0200] "GET /wp-login.php HTTP/1.1" 301 519 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]
* x.x.x.x tpc-030.xxxxx.com 20210522/20:16:24 x.x.x.x - - [22/May/2021:20:16:16 +0200] "GET /wp-login.php HTTP/1.1" 301 523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.xxxxx.nl]

 

[cPRex]

I wish there were easier ways too. Although this is from several years ago, this user also had good luck with tcpdump:

Outbound wp-login.php brute force attack from my cpanel server

Hello everyone, For the past 2 days I'm getting alerts from other hosts that my host is making brute force attacks on their wordpress installations. Below is a line from the logs they've send me: myip.xx.xx.xx - - [16/Mar/2014:21:59:29 +0100] "POST wp-login.php HTTP/1.1" 200 4813 "-"...

forums.cpanel.net

I'm not aware of any logs that would track that traffic, as that wouldn't be sent from Apache on your side.

 

[harmonypersechino5348]

I wish there were easier ways too. Although this is from several years ago, this user also had good luck with tcpdump:

Outbound wp-login.php brute force attack from my cpanel server

Hello everyone, For the past 2 days I'm getting alerts from other hosts that my host is making brute force attacks on their wordpress installations. Below is a line from the logs they've send me: myip.xx.xx.xx - - [16/Mar/2014:21:59:29 +0100] "POST wp-login.php HTTP/1.1" 200 4813 "-"...

forums.cpanel.net

I'm not aware of any logs that would track that traffic, as that wouldn't be sent from Apache on your side.

Excellent thanks I think I found the issue but tcpdump seems to show a lot of junk maybe due to the php file being encoded?

The following shows only one user appears to do this. There are over 50 of these active connections

lsof -i :80

lsphp     12950 redradaw    9u  IPv4 651827861      0t0  TCP mycpanel.server.com:52774->156.254.202.6:http (ESTABLISHED)
lsphp     13604 redradaw    9u  IPv4 651638398      0t0  TCP mycpanel.server.com:52066->a23-206-20-132.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
lsphp     19505 redradaw    9u  IPv4 651612535      0t0  TCP mycpanel.server.com:59892->164.88.17.28:http (ESTABLISHED)
lsphp     24515 redradaw    9u  IPv6 651741162      0t0  TCP mycpanel.server.com:40348->g2a02-26f0-9100-0004-0000-0000-1748-f8d8.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
lsphp     31670 redradaw    9u  IPv4 651670965      0t0  TCP mycpanel.server.com:52256->a23-206-20-132.deploy.static.akamaitechnologies.com:http (ESTABLISHED)

lsof -i :443

lsphp     20814 redradaw   10u  IPv4 651892578      0t0  TCP mycpanel.server.com:43330->192.0.78.131:https (ESTABLISHED)
lsphp     20814 redradaw   11u  IPv4 651891434      0t0  TCP mycpanel.server.com:45998->192.0.78.25:https (ESTABLISHED)
lsphp     20814 redradaw   12u  IPv4 651892644      0t0  TCP mycpanel.server.com:45800->192.0.78.9:https (ESTABLISHED)

lsof -p 13604

Shows this directory seems to possibly be the issue. There are some weird PHP scripts encoded but I can't seem to decode them

https://i.gyazo.com/b386b39074666cb9d938b0dc22c0fe55.png
https://i.gyazo.com/a3047f462304716bba806fcfedfc2227.png - Wordpress index.php file but modified?

I feel like this is enough to presume this is the culprit? Anything else can I check to confirm?

 

[cPRex]

That definitely looks odd. You may want to suspend that account and then contact the remote system to see if they are still experiencing that traffic.

 

[HostNoc]

first thing first ... scan whole system and change passwords and SSH port ... correct all folders and files permissions. Clamav, Maldet and imunify would help also tight little bit security using CSF. rkhunter can also be useful.