ToS Violation - Malicious Activity?

Webfoundry

Dear all,

If this is off-topic, please let me know, but I'm puzzled by this one.
Today I received an email from my host saying that malicious activity from my server IP had been noticed.
All reports from Bitninja.io seem to be xmlrpc.php related.

In the DA control panel I don't spot any evidence of any malicious activity, so I don't really know where to start.

Example reports (my IP is mentioned as "Remote connection"):

Url: [###.da###ry.###.au/xmlrpc.php]
Remote connection: [here.is.my.IP:35756]
Headers: [array (
'Host' => '###.da###ry.###.au',
'Accept-Charset' => 'utf-8,ISO-8859-2;q=0.8,*;q=0.7',
'Accept-Language' => 'en-us;q=0.7,en;q=0.3',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
'Content-Length' => '344',
'Content-Type' => 'application/x-www-form-urlencoded',
)]
Post data: [Array
(
[<?xml version] => '1.0'?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value><int>0</int></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>admin1234567</string></value></param>
</params>
</methodCall>

)
]


Url: [he###ni.com/xmlrpc.php]
Remote connection: [here.is.my.IP:58394]
Headers: [array (
'Host' => 'he###ni.com',
'Accept-Charset' => 'utf-8,ISO-8859-2;q=0.8,*;q=0.7',
'Accept-Language' => 'en-us;q=0.7,en;q=0.3',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
'Content-Length' => '348',
'Content-Type' => 'application/x-www-form-urlencoded',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'X-Forwarded-For' => '178.79.130.161',
)]
Post data: [Array
(
[<?xml version] => '1.0'?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value><int>0</int></value></param>
<param><value><string>fitni12</string></value></param>
<param><value><string>fitni121234567</string></value></param>
</params>
</methodCall>

)
]
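The two reports above are easier to triage once the XML-RPC body is decoded: the method name and the presence of a username/password pair tell you whether the request is a login probe. The following is an added example, not something from the thread or from Bitninja; the method table reflects WordPress core's XML-RPC signatures, and the sample bodies are constructed placeholders modelled on the reports.

```python
"""Triage helper for XML-RPC abuse reports like the ones above (added example,
not part of the thread): decode the POST body and say whether the call carries
a username/password pair, i.e. whether it looks like a login probe."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# WordPress core XML-RPC methods that authenticate with a username/password
# pair, mapped to the positional index of the username parameter.
CREDENTIAL_METHODS = {
    "wp.getProfile": 1,     # (blog_id, username, password)
    "wp.getUsersBlogs": 0,  # (username, password)
    "wp.getPosts": 1,       # (blog_id, username, password, ...)
}

# Constructed sample bodies, modelled on the reports quoted in the post.
# The credentials are placeholders, not real accounts.
SAMPLE_PROBE = """<?xml version='1.0'?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value><int>0</int></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>admin1234567</string></value></param>
</params>
</methodCall>
"""
SAMPLE_BENIGN = """<?xml version='1.0'?>
<methodCall>
<methodName>demo.sayHello</methodName>
<params></params>
</methodCall>
"""


@dataclass
class XmlRpcCall:
    method: str
    params: list
    username: Optional[str]
    credential_probe: bool


def _value(elem: ET.Element):
    """Return the Python value of an XML-RPC <value> element."""
    child = next(iter(elem), None)
    if child is None:                    # bare <value>text</value> is a string
        return (elem.text or "").strip()
    text = (child.text or "").strip()
    if child.tag in ("int", "i4"):
        return int(text)
    if child.tag == "boolean":
        return text == "1"
    return text                          # string/double/dateTime kept as text


def parse_call(body: str) -> XmlRpcCall:
    """Parse one <methodCall> body; raise ValueError if it is not one.

    xml.etree is not hardened against entity-expansion payloads; feed bodies
    from untrusted sources through defusedxml instead in production."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    params = [_value(v) for v in root.findall("./params/param/value")]
    idx = CREDENTIAL_METHODS.get(method)
    username = None
    if idx is not None and len(params) > idx + 1:   # username and password present
        username = str(params[idx])
    return XmlRpcCall(method, params, username, username is not None)


def summarize(bodies: List[str]) -> Counter:
    """Count (method, username) pairs across a batch of reported bodies, so a
    dictionary-style run against a few accounts stands out at a glance."""
    tally = Counter()
    for body in bodies:
        try:
            call = parse_call(body)
        except (ET.ParseError, ValueError):
            tally[("<unparseable>", None)] += 1
            continue
        tally[(call.method, call.username)] += 1
    return tally


if __name__ == "__main__":
    for body in (SAMPLE_PROBE, SAMPLE_BENIGN):
        print(parse_call(body))
    print(summarize([SAMPLE_PROBE, SAMPLE_PROBE, SAMPLE_BENIGN]))
```

Feed `summarize()` every "Post data" body from a batch of reports and the pattern in the thread (one guessed password per site, username often derived from the target's domain) shows up as a list of `(wp.getProfile, <username>)` pairs, each with a count of one, which is the signature of a distributed credential-guessing run rather than a single misconfigured client.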
 
Webfoundry said:
In the DA control panel I don't spot any evidence of any malicious activity, so I don't really know where to start.
As this is outgoing, it might not be visible in Directadmin itself. Could be a hacked host, especially if you allow ssh for users.

Do you run a firewall like csf/lfd? If not, start there.
Next to that, have a look at the log files,
like /var/log/httpd/access_log, to see if there are odd connections which come back very often.
You might also want to install Maldetect:
https://malware.expert/howto/install-maldet-directadmin-server/

Also for monitoring, check this post from ZeiTeR:
https://forum.directadmin.com/showthread.php?t=57072&p=291963#post291963
 
Dear Richard,

I found the source of the problem: it's a malicious WordPress script from one of the sites. I immediately suspended this account, and the activity stopped. Now I need to get it solved of course :)
CSF/LFD is running, but even their logs are empty, but I'll check the access_log as you suggested.

The Maldetect and ZeiTeR's post I will check out too. This needs to get solved anyhow, also for making the server more secure against these malicious things.

Thanks for your kind help and support.
 
Got to love Wordpress </sarcasm>...... This is why I don't use it personally, I'd be endlessly updating stuff....
 
Hello Webfoundry.
Webfoundry said:
it's a malicious Wordpress script from one of the sites
If you found the cause, you know which site it is. In that case you don't need access logs anymore because you now know where to look. Unless you want to search for hacker IPs for whatever reason, you could have a look at /var/log/httpd/domains/domain.com.log (since you know the name of the domain now).

Maldetect is very good at detecting the malicious stuff commonly found in WordPress. It's not a 100% solution but it takes away a lot of the work.
There might be some false positives but they can be easily whitelisted.

Peter Laws said:
Got to love Wordpress </sarcasm>......
Well, you can have some sarcasm if you want, but at this moment it's the most used script in the world, hence (like Windows) it also suffers the most attacks.
Joomla is not safer and is overkill for a simple site. Most people cannot design websites, and then WordPress is -the- solution to create a website easily yourself.
It's not endlessly updating, but fairly often indeed. But if you want to keep up with things in a CMS, it has to be updated for making fixes, security updates etc. Most updates can even be done totally automatically.
The problem is often that users do not update enough, or they use a leaky script or unsafe theme, and then the problems begin.

However, I can understand why you don't use it yourself.
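Both of Richard's posts point at the Apache logs (/var/log/httpd/access_log and the per-domain /var/log/httpd/domains/domain.com.log) for "odd connections which come back a lot". Here is an added example of that check as code; it is not from the thread or from DirectAdmin. It assumes the combined log format those files use and flags any client that POSTs to xmlrpc.php more than a threshold number of times inside a sliding time window. The sample log is constructed, with addresses from the documentation ranges.

```python
"""Added example (not from the thread): scan an Apache combined-format access
log, such as DirectAdmin's per-domain log, for clients hammering xmlrpc.php."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_hot_sources(lines: Iterable[str], threshold: int = 20,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {ip: peak} for every client that POSTed to xmlrpc.php at least
    `threshold` times within some sliding window of length `window`.
    The status code is deliberately not filtered: a failed XML-RPC login is
    answered with an XML fault inside an HTTP 200, so 200s are not "good"."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            stamps[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):          # two-pointer sliding window
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _constructed_log():
    """Constructed sample: one client bursting at xmlrpc.php, two behaving
    normally. Addresses come from the TEST-NET documentation ranges."""
    base = datetime(2017, 9, 10, 14, 0, 0, tzinfo=timezone(timedelta(hours=2)))
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 402 "-" "Mozilla/5.0"'

    def line(ip, offset, method, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = [line("203.0.113.7", 3 * i, "POST", "/xmlrpc.php") for i in range(40)]
    lines += [line("198.51.100.9", 60 * i, "GET", "/") for i in range(5)]
    lines += [line("192.0.2.5", 1800 * i, "POST", "/xmlrpc.php") for i in range(2)]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    # Real use: xmlrpc_hot_sources(open("/var/log/httpd/domains/domain.com.log"))
    print(xmlrpc_hot_sources(SAMPLE_LOG))
```

This covers the inbound side of the picture: it tells you which clients are guessing at a WordPress site you host. The outbound activity that triggered the abuse report in this thread does not appear in Apache's access logs at all, which is why Richard's first remark (outgoing traffic is not visible in DirectAdmin itself) and Webfoundry's eventual fix (suspending the account whose script was sending the requests) matter more than the log scan for that case.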
 