Malicious traffic from your server

Discussion in 'Server Operation' started by onastvar, Jan 12, 2024.

  1. onastvar

    onastvar Member

    Hello,

    This morning, I got (2) emails from my provider about "Malicious traffic from your server": It is possible that your server is being used for online crimes / computer crimes and therefore we would like you to check the integrity of the server.

    Looking for any recommendations / assistance / guidance / steps
    on how to go about troubleshooting these kinds of issues?

    Thanks in advance.

    email 1
    ------------------------------------------------------------------------------------------------------------
    Category: abuse
    Report-Type: info
    Service: web
    Version: 0.2
    User-Agent: X-ARF Mailer V0.0.1 @ hera.iNetWorker.at
    Date: Thu, 11 Jan 2024 13:06:14 +0100
    Source-Type: ipv6
    Source: 2600:xxxx:xxxx.xxxx.xxxx.xxxx.xxxx.xxxx
    Ports: 80, 443
    Report-ID: [email protected]
    Schema-URL: https://badwall.inetworker.at/schema/abuse_info_0.1.1.json
    Attachment: text/plain
    /var/log/apache2/access_error.log:2600:xxxx:xxxx.xxxx.xxxx.xxxx.xxxx.xxxx - - [11/Jan/2024:13:06:10 +0100] "POST /wp-login.php HTTP/1.1" 503 16933 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" STP=44594 c=443
    /var/log/cronolog/www.potstill.at_ssl_2024_01_11-access.log:2600:xxxx:xxxx.xxxx.xxxx.xxxx.xxxx.xxxx - - [11/Jan/2024:13:06:10 +0100] "POST /wp-login.php HTTP/1.1" 503 16933 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" STP=44594 c=443

    email 2
    ------------------------------------------------------------------------------------------------------------
    Reported-From: [email protected]
    Category: abuse
    Report-Type: login-attack
    Service: bruteforcelogin
    Version: 0.2
    User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
    Date: Thu, 11 Jan 2024 06:02:51 +0000
    Source-Type: ip-address
    Source: 150.00.XXX.XXX
    Port: 80
    Report-ID: [email protected]
    Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
    Attachment: text/plain
    Lines containing failures of 150.00.XXX.XXX
    Jan 10 18:06:48 expertgeeks wp(bristolosteopaths.com)[30749]: Authentication attempt for unknown user yanshi123 from 150.00.XXX.XXX
    Jan 11 01:29:18 expertgeeks wordpress(inhousequilting.co.uk)[24840]: Authentication attempt for unknown user wadminw from 150.00.XXX.XXX
    Jan 11 06:02:51 expertgeeks wp(michaelbennett.org.uk)[3862]: Authentication attempt for unknown user edconcept from 150.00.XXX.XXX
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You can try finding malware on your host, ISPProtect for example, or similar scanning tools. https://www.ispconfig.org/add-ons/

    Another approach is to examine what malicious traffic is coming from your host, but my ISP just says bad traffic comes from my server and does not say what kind of traffic or how they detected it, so it is hard to find the reason.
    Is the apache access log in the first e-mail from some host on the Internet that detected bad traffic coming from your server? I do not understand what is going on there; are the IP numbers you covered your IP numbers?
    The second e-mail, if 150.00.XXX.XXX is your IP, seems more understandable: something on your host tried to log in to three different websites. Examine if any log has info on traffic to those addresses, then try to find what sent that traffic.
    If you suspect the malware is still on your host, you could start logging traffic on the interface facing Internet, but that is likely a lot so finding the bad traffic is laborious.
     
    onastvar likes this.
  3. onastvar

    onastvar Member

    Thanks @Taleman, I'm scanning the server with ISPProtect.

    Yes ISP does not really provide much information what to look for.

    Sorry, I covered the IP # for security reasons; my server IP is 150.00.XXX.XXX

    Hmmmm, I'm not sure how to find what sent traffic
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    onastvar likes this.
  5. wileywalker

    wileywalker New Member

    In my experience that happens when you
    - don't upgrade your Linux OS and it is outdated so it does not receive security upgrades anymore
    - don't upgrade your wordpress so it is outdated
    - don't upgrade your wordpress plugins

    If you patch your software _always_ _immediately_, that usually rarely happens.

    Your server getting "hacked" is almost always due to fully automated scans by malicious script-kiddies that want to use your server to send phishing mails / mine bitcoin / further scan the rest of the internet for vulnerabilities.
     
    onastvar likes this.
  6. onastvar

    onastvar Member

    @wileywalker thanks for the info. All the points you specified I handle ASAP. So any other suggestions or ideas?
     
  7. webguyz

    webguyz Active Member HowtoForge Supporter

    Run htop and look for something that doesn't look right. A process that repeats over and over. I write a script to kill that process by name (pkill -f my_pattern) and run it once a minute in a cronjob so the damage stops while I do further forensics.
     
    onastvar likes this.
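    A bare "pkill -f" in a cron job stops the damage but also throws away what /proc knew about the process. This added shell snippet (not from the thread; EVIDENCE_DIR is an assumed path) snapshots a process before it is killed so the follow-up forensics still have something to work with:

```shell
#!/bin/sh
# Added example: record what /proc exposes about a suspicious process
# before a cron job kills it, so the kill does not destroy the evidence.
# EVIDENCE_DIR is an assumed location, override it as needed.
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/proc-evidence}"

# capture_proc_evidence PID: save command line, executable path, working
# directory, status, open file descriptors and a copy of the binary.
# Returns 0 when a snapshot with a non-empty cmdline file was written.
capture_proc_evidence() {
  pid="$1"
  [ -d "/proc/$pid" ] || return 1
  out="$EVIDENCE_DIR/$(date +%Y%m%dT%H%M%S)-$pid"
  mkdir -p "$out" || return 1
  # cmdline is NUL-separated; turn it into one readable line
  tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline"
  echo >> "$out/cmdline"
  # exe and cwd are symlinks; an exe marked "(deleted)" is itself a finding
  readlink "/proc/$pid/exe" > "$out/exe" 2>/dev/null || true
  readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || true
  cat "/proc/$pid/status" > "$out/status" 2>/dev/null || true
  ls -l "/proc/$pid/fd" > "$out/fd" 2>/dev/null || true
  # copy the binary while it is still reachable through /proc, even if
  # the file on disk has already been removed
  cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || true
  [ -s "$out/cmdline" ]
}

# capture_then_kill PATTERN: what the cron job runs instead of a bare
# "pkill -f PATTERN"; skips this shell itself, whose command line may
# also contain the pattern.
capture_then_kill() {
  for pid in $(pgrep -f "$1"); do
    [ "$pid" = "$$" ] && continue
    capture_proc_evidence "$pid"
    kill "$pid"
  done
}
```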
  8. pyte

    pyte Well-Known Member HowtoForge Supporter

    You can check the outgoing web requests on specific ports with commands like lsof and tcpdump as well.
    To check outgoing connections on tcp/80 and tcp/443 you could use this for example:
    Code:
    lsof -r 1 -i TCP:80,443
    An example result with a "wget" to google for example would look like this:
    Code:
    wget    1142   user    4u  IPv4  28318      0t0  TCP XXXXXXXXXXX:38848->fra15s46-in-f3.1e100.net:http (ESTABLISHED)
    With this you can identify the user that causes the requests and can narrow down the users/webspaces that are causing these requests.
     
    onastvar likes this.
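    On a shared web server the lsof listing above can run to many lines, and the question is which local user or web space is opening the outbound connections. This added shell snippet (not from the thread) reduces a run of "lsof -i TCP:80,443" to a per-user, per-command count of connections initiated from the host, skipping listeners and inbound hits on the server's own web ports; the lsof output it works on is a constructed sample with made-up hostnames and users.

```shell
#!/bin/sh
# Added example: tally outbound TCP connections to 80/443 per local user
# and command from "lsof -i TCP:80,443" output.
# Constructed sample of such output on a shared web server (hostnames,
# users and PIDs are made up); "web5" stands for one customer's web space.
LSOF_SAMPLE='COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2   812     root    4u  IPv4  19011      0t0  TCP *:http (LISTEN)
apache2   812     root    6u  IPv4  19012      0t0  TCP *:https (LISTEN)
php-fpm7.4 2233   web5    5u  IPv4  28318      0t0  TCP srv.example:38848->host1.example:http (ESTABLISHED)
php-fpm7.4 2241   web5    5u  IPv4  28331      0t0  TCP srv.example:38852->host2.example:https (ESTABLISHED)
php-fpm7.4 2250   web5    5u  IPv6  28340      0t0  TCP [2001:db8::5]:38860->[2001:db8::99]:https (SYN_SENT)
wget      1142    user    4u  IPv4  28350      0t0  TCP srv.example:38900->fra15s46-in-f3.1e100.net:http (ESTABLISHED)
apache2   3001 www-data   12u  IPv4  28400      0t0  TCP srv.example:https->203.0.113.7:51234 (ESTABLISHED)'

# summarize_outbound: read lsof output on stdin, keep only sockets whose
# remote side is port 80/443 (i.e. connections this host opened), and
# print "count user command", highest count first.
summarize_outbound() {
  awk '
    $NF == "(LISTEN)" { next }            # listening sockets
    {
      # NAME is the column before the state: local->remote
      split($(NF-1), ep, "->")
      if (ep[2] == "") next               # header, separator, no peer
      n = split(ep[2], rp, ":")           # last ":" field is the port,
      rport = rp[n]                       # also for [ipv6]:port
      if (rport != "http" && rport != "https" &&
          rport != "80" && rport != "443") next
      count[$3 " " $1]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# outbound_report: run the summary over the constructed sample
outbound_report() {
  printf '%s\n' "$LSOF_SAMPLE" | summarize_outbound
}
```

Pipe a real run ("lsof -n -i TCP:80,443 | summarize_outbound") into it instead of the sample; the separator and repeated header lines of "lsof -r 1" are ignored, so repeating mode works too.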