Hello,

This morning, I got (2) emails from my provider about "Malicious traffic from your server": It is possible that your server is being used for online crimes / computer crimes and therefore we would like you to check the integrity of the server.

Looking for any recommendation / assistance / guidance / steps on how to go about troubleshooting these kinds of issues? Thanks in advance.

email 1
------------------------------------------------------------------------------------------------------------
Category: abuse
Report-Type: info
Service: web
Version: 0.2
User-Agent: X-ARF Mailer V0.0.1 @ hera.iNetWorker.at
Date: Thu, 11 Jan 2024 13:06:14 +0100
Source-Type: ipv6
Source: 2600:xxxx:xxxx.xxxx.xxxx.xxxx.xxxx.xxxx
Ports: 80, 443
Report-ID: [email protected]
Schema-URL: https://badwall.inetworker.at/schema/abuse_info_0.1.1.json
Attachment: text/plain

/var/log/apache2/access_error.log:2600:xxxx:xxxx.xxxx.xxxx.xxxx.xxxx.xxxx - - [11/Jan/2024:13:06:10 +0100] "POST /wp-login.php HTTP/1.1" 503 16933 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" STP=44594 c=443
/var/log/cronolog/www.potstill.at_ssl_2024_01_11-access.log:2600:xxxx:xxxx.xxxx.xxxx.xxxx.xxxx.xxxx - - [11/Jan/2024:13:06:10 +0100] "POST /wp-login.php HTTP/1.1" 503 16933 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" STP=44594 c=443

email 2
------------------------------------------------------------------------------------------------------------
Reported-From: [email protected]
Category: abuse
Report-Type: login-attack
Service: bruteforcelogin
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Thu, 11 Jan 2024 06:02:51 +0000
Source-Type: ip-address
Source: 150.00.XXX.XXX
Port: 80
Report-ID: [email protected]
Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
Attachment: text/plain

Lines containing failures of 150.00.XXX.XXX
Jan 10 18:06:48 expertgeeks wp(bristolosteopaths.com)[30749]: Authentication attempt for unknown user yanshi123 from 150.00.XXX.XXX
Jan 11 01:29:18 expertgeeks wordpress(inhousequilting.co.uk)[24840]: Authentication attempt for unknown user wadminw from 150.00.XXX.XXX
Jan 11 06:02:51 expertgeeks wp(michaelbennett.org.uk)[3862]: Authentication attempt for unknown user edconcept from 150.00.XXX.XXX
You can try finding malware on your host, ISPProtect for example, or similar scanning tools. https://www.ispconfig.org/add-ons/

Another approach is to examine what malicious traffic is coming from your host, but my ISP just says bad traffic comes from my server and does not say what kind of traffic or how they detected it, so it is hard to find the reason.

Is the apache access log in the first e-mail from some host on the Internet that detected bad traffic coming from your server? I do not understand what is going on there; are the IP numbers you covered your IP numbers?

The second e-mail, if 150.00.XXX.XXX is your IP, seems more understandable: something on your host tried to log in to three different websites. Examine if any log has info on traffic to those addresses, then try to find what sent that traffic. If you suspect the malware is still on your host, you could start logging traffic on the interface facing the Internet, but that is likely a lot, so finding the bad traffic is laborious.
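The reports in the question follow the X-ARF format (header lines, a blank line, then the attachment). As an added example that is not part of this thread, here is a small POSIX shell parser that pulls the header fields and the per-event timestamps and target sites out of such a report, so each event can be looked up in the reported server's own logs. The embedded report is a constructed copy of the shape of "email 2", with the source address kept masked as in the thread and the Report-ID replaced by a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: extract the facts from an X-ARF abuse
# report so they can be matched against the reported server's own logs.

# Constructed sample in the shape of "email 2" from the question. The source
# address is kept masked as in the thread; the Report-ID is a placeholder.
XARF_REPORT='Category: abuse
Report-Type: login-attack
Service: bruteforcelogin
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Thu, 11 Jan 2024 06:02:51 +0000
Source-Type: ip-address
Source: 150.00.XXX.XXX
Port: 80
Report-ID: REPORT-ID-PLACEHOLDER
Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
Attachment: text/plain

Lines containing failures of 150.00.XXX.XXX
Jan 10 18:06:48 expertgeeks wp(bristolosteopaths.com)[30749]: Authentication attempt for unknown user yanshi123 from 150.00.XXX.XXX
Jan 11 01:29:18 expertgeeks wordpress(inhousequilting.co.uk)[24840]: Authentication attempt for unknown user wadminw from 150.00.XXX.XXX
Jan 11 06:02:51 expertgeeks wp(michaelbennett.org.uk)[3862]: Authentication attempt for unknown user edconcept from 150.00.XXX.XXX'

# xarf_field NAME: print the value of header NAME from a report on stdin.
# Headers end at the first blank line; the attachment after it is not searched.
xarf_field() {
    awk -v want="$1:" '
        NF == 0    { exit }
        $1 == want { sub(/^[^:]*: */, ""); print; exit }
    '
}

# xarf_events: for each syslog-style attachment line print
# "Mon DD HH:MM:SS target-site" (the site is the name in parentheses).
xarf_events() {
    awk '
        /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ / && match($0, /\([^)]*\)/) {
            site = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, $2, $3, site
        }
    '
}

# event_minutes: the same events reduced to "Mon DD HH:MM", the prefix to
# grep for in local syslog-format logs (cron, php-fpm, mail) around the
# reported time. Timestamps are on the reporter's clock; in this report the
# Date header and the last attachment line agree, which suggests UTC.
event_minutes() {
    xarf_events | awk '{ print $1, $2, substr($3, 1, 5) }' | sort -u
}

main() {
    echo "Reported source: $(printf '%s\n' "$XARF_REPORT" | xarf_field Source)"
    echo "Report type:     $(printf '%s\n' "$XARF_REPORT" | xarf_field Report-Type)"
    echo "Events (reporter's clock, target site):"
    printf '%s\n' "$XARF_REPORT" | xarf_events
    echo "Minutes to search for in local logs:"
    printf '%s\n' "$XARF_REPORT" | event_minutes
}

main "$@"
```

Note that "email 1" is of Report-Type "info" and its attachment is an Apache access log taken on the reporting host (the other side of the connection), so xarf_events would find nothing in it; the same approach works there with a pattern for the Apache timestamp format. The reported times only tell you when the outbound connection was made; the next step is to check which processes, cron jobs or PHP requests were running at those minutes.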
Thanks @Taleman, I'm scanning the server with ISPProtect. Yes, the ISP does not really provide much information on what to look for. Sorry, I covered the IP # for security reasons; my server IP is 150.00.XXX.XXX. Hmmmm, I'm not sure how to find what sent the traffic.
This might help you to find the source of the emails: https://www.faqforge.com/linux/how-to-find-out-who-sent-a-email-in-postfix-mailqueue/

If you can't find the source yourself, you should consider contacting @Th0m from ISPConfig business support to see if he can take a look at it: https://www.ispconfig.org/get-support/?type=ispconfig
In my experience that happens when you
- don't upgrade your Linux OS and it is outdated so it does not receive security upgrades anymore
- don't upgrade your wordpress so it is outdated
- don't upgrade your wordpress plugins

If you patch your software _always_ _immediately_, that usually rarely happens. Your server getting "hacked" is almost always due to fully automated scans by malicious script-kiddies that want to use your server to send phishing mails / mine bitcoin / further scan the rest of the internet for vulnerabilities.
@wileywalker thanks for the info. All the points you specified I handle ASAP. So any other suggestions or ideas?
Run htop and look for something that doesn't look right. A process that repeats over and over. I write a script to kill that process by name (pkill -f my_pattern) and run it once a minute in a cronjob so the damage stops while I do further forensics.
You can check the outgoing web requests on specific ports with commands like lsof and tcpdump as well. To check outgoing connections on tcp/80 and tcp/443 you could use this, for example:

Code:
lsof -r 1 -i TCP:80,443

An example result with a "wget" to google would look like this:

Code:
wget 1142 user 4u IPv4 28318 0t0 TCP XXXXXXXXXXX:38848->fra15s46-in-f3.1e100.net:http (ESTABLISHED

With this you can identify the user that causes the requests and can narrow down the users/webspaces that are causing these requests.
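Building on the lsof command above, here is an added example (not code from this thread) that turns a snapshot of `lsof -n -P -i TCP:80,443 -sTCP:ESTABLISHED` into a per-user, per-command count of outbound connections, so the webspace owning the traffic stands out even when the raw listing is long. The `-n`/`-P` options are real lsof switches that suppress DNS and service-name lookups (keeping the columns parseable), and `-sTCP:ESTABLISHED` restricts the listing to established connections. The sample lsof lines, user names, PIDs and addresses (203.0.113.10 as the local server, 198.51.100.x as remote hosts) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise outbound TCP connections on
# ports 80/443 by local user and command, from lsof output.
# lsof -i output columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
# where NAME is local:port->remote:port and STATE is e.g. (ESTABLISHED).

# Constructed sample in the shape of `lsof -n -P -i TCP:80,443` output.
# 203.0.113.10 plays the local server, 198.51.100.x the remote hosts;
# the user names and PIDs are made up.
SAMPLE_LSOF='COMMAND    PID  USER     FD  TYPE DEVICE SIZE/OFF NODE NAME
php-fpm7.4 4321 web5     5u  IPv4 901234 0t0      TCP  203.0.113.10:51000->198.51.100.7:443 (ESTABLISHED)
php-fpm7.4 4322 web5     5u  IPv4 901235 0t0      TCP  203.0.113.10:51001->198.51.100.8:443 (ESTABLISHED)
php-fpm7.4 4323 web5     5u  IPv4 901236 0t0      TCP  203.0.113.10:51002->198.51.100.9:80 (ESTABLISHED)
wget       1142 admin    4u  IPv4 28318  0t0      TCP  203.0.113.10:38848->198.51.100.20:80 (ESTABLISHED)
apache2    2001 www-data 6u  IPv4 777    0t0      TCP  *:443 (LISTEN)'

# Read lsof lines on stdin; print "count user command", busiest first.
# The header, listeners and anything not ESTABLISHED are skipped, as are the
# "=======" separator lines lsof prints in repeat (-r) mode.
summarize_connections() {
    awk '
        $1 == "COMMAND"        { next }
        $NF != "(ESTABLISHED)" { next }
        { key = $3 " " $1; n[key]++ }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Read lsof lines on stdin; print "user command remote:port" per connection,
# so an address named in an abuse report can be tied to a process owner.
list_destinations() {
    awk '
        $1 == "COMMAND"        { next }
        $NF != "(ESTABLISHED)" { next }
        {
            split($(NF-1), ends, "->")   # NAME is the field before the state
            print $3, $1, ends[2]
        }
    '
}

# Name of the user with the most outbound connections (empty if none).
top_user() {
    summarize_connections | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: pass --live to sample the real machine (needs lsof, and
# root to see other users' processes); otherwise the constructed sample is used.
main() {
    if [ "$1" = "--live" ] && command -v lsof >/dev/null 2>&1; then
        snapshot=$(lsof -n -P -i TCP:80,443 -sTCP:ESTABLISHED 2>/dev/null)
    else
        snapshot=$SAMPLE_LSOF
    fi
    echo "Outbound connections per user and command:"
    printf '%s\n' "$snapshot" | summarize_connections
    echo "Destinations:"
    printf '%s\n' "$snapshot" | list_destinations
    echo "Most active user: $(printf '%s\n' "$snapshot" | top_user)"
}

main "$@"
```

On an ISPConfig host each website runs under its own system user, so the USER column in this summary points directly at the webspace whose code is making the connections; from there the PID can be matched against php-fpm's pool and the site's files checked for recently modified PHP. Because the thread's `lsof -r 1` repeats the listing every second, its output can be collected for a few minutes and fed through `summarize_connections` in one go to catch short-lived connections that a single snapshot would miss.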