I suspect I've been hacked

andrevianadf

Verified User
Joined
Jun 15, 2020
Messages
5
Hello guys,

I suspect I've been hacked. One of my websites stopped working.
I went to see the logs and found lots of "POST /xmlrpc.php" requests.
Then I was kicked out of DirectAdmin, and when I tried to log in again I received an "incorrect password" message.
So I went to the terminal and changed the admin password and could log in again.
But after a few minutes the same happened again. The password stopped working.
Do you have any clue what happened?
Thanks in advance.
 
POST /xmlrpc.php is a WordPress-related file; maybe someone is trying to brute-force you via your WordPress site. But even if someone has gained access to the WordPress website through brute forcing, that doesn't mean they can access the DirectAdmin system and change the password (if you set up DA properly with the correct permissions). DA already has integrated Intrusion Detection & Prevention Systems like LFD, mod_security, CSF, etc. Also, DA has 2-step authentication for login. I don't believe someone can hack DA with those features in place.

You can check this log for suspicious login in DA:
/var/log/directadmin/login.log
/var/log/directadmin/security.log

Do you find any weird IP (one that is not yours)?
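As an added illustration of the check suggested above (example code written for this thread, not something posted by any participant): the script below parses constructed web-server access-log lines in the common Apache/nginx "combined" format and reports which source IPs are hammering /xmlrpc.php and /wp-login.php with POST requests. It assumes that log format; the DirectAdmin login.log and security.log mentioned above use their own formats and are not parsed here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2020:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2020:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2020:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2020:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
"""

# Matches the leading fields of a combined-format line: client IP, timestamp,
# request line (method, path) and the HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WordPress endpoints that are commonly used for password guessing.
WATCHED = {"/xmlrpc.php", "/wp-login.php"}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_auth_posts(log_text):
    """Return {ip: Counter({path: n})} for POST requests to the watched endpoints."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?")[0]  # drop any query string
        if path in WATCHED:
            hits[rec["ip"]][path] += 1
    return hits


def suspicious_ips(log_text, threshold=3):
    """IPs whose POSTs to the watched endpoints reach the threshold, busiest first."""
    hits = count_auth_posts(log_text)
    totals = {ip: sum(c.values()) for ip, c in hits.items()}
    flagged = [ip for ip, n in totals.items() if n >= threshold]
    return sorted(flagged, key=lambda ip: -totals[ip])


if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(ip, dict(count_auth_posts(SAMPLE_LOG)[ip]))
```

Feed it the real access log (for example via `open(path).read()`) and compare the flagged addresses against the IPs you see in DirectAdmin's login.log; a flagged address you do not recognise is a candidate for blocking in CSF/LFD.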
 
So if you only suspect it but can't find anything, not knowing enough, maybe it's a good idea to ask your hoster, DirectAdmin, or someone who does this for support, since going on with a box that really is hacked hurts you and the clients on it longer and worse.
 
Maybe you should change the root password first; after that you can set up a new password for DA ...
"xmlrpc.php", it looks familiar...
I use WordPress and get many requests for that file every day... so I blocked it by setting the file permission to 600 in the file manager...

If you also use WordPress, some hackers also try to access wp-login.php (only for single user) and wp-config.php; I also set their permission to 600.
 
Oh yeah, when admins are hacked, a lot of the time the computers/devices they use to access the DA box have been hacked or phished.

So check that too, of course.

If you have a DA license then maybe DA support would like to help you and find out how your box was hacked, so please try to ask DA support.
 