Brute Force Monitor - Wordpress attacks on which domain

Freddy

My server is serving multiple domains. Some of these clients have WordPress installed and therefore I have enabled the "Scan for WordPress attacks" option for all domains. This works great, no problems there.

When I check the Brute Force Monitor options in the control panel I can see lines like this:
Code:
94.231.107.206 - - [14/Apr/2016:09:13:54 +0200] "POST /xmlrpc.php HTTP/1.1" 200 106821 "-" "-"

These xmlrpc attacks use a high load on the server and if the client is not using xmlrpc then I would like to discuss disabling it. The only problem is, which domain is being attacked? The log doesn't report the domain name or username of the client who got attacked.
 
Hello,

Is it a feature request? Or just a question? If the latter, you can search through web-server logs in root console for a domain name.
 
And by root console you mean SSH to the server and search the logs manually? That's a lot of work.
Maybe this should be a feature request. The column "User" in the Brute Force Log is always empty for WordPress attacks. It would be great if this column could be filled with the correct username, or otherwise the domain name.

Do I need to create a new topic in the feature request forum or can this topic be moved over there?
 
And by root console you mean SSH to the server and search the logs manually? That's a lot of work.
No it's not, you only have to search for xmlrpc.php in the logs.
There are ways to do this easily, for example with find or grep:
Code:
grep -H xmlrpc.php /var/log/domains/* -R | cut -d: -f1
which shows you all domain logfiles containing this word. You can probably also fine-tune this for fewer results by using grep or find.

However, it's a good idea if it was possible to have the domain name mentioned in the BFM, saves work.
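
Added example, not part of any post in this thread: the grep approach above extended to count POST requests to xmlrpc.php per domain log, optionally narrowed to the client IP and timestamp shown in the Brute Force Monitor entry. It assumes one combined-format access log per domain named `<domain>.log`; the function names, sample domains and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-domain count of POST /xmlrpc.php requests.
# Assumption: one combined-format access log per domain, named <domain>.log.

# xmlrpc_hits DIR [IP] [TIMESTAMP]
#   IP and TIMESTAMP (e.g. 14/Apr/2016:09:13:54) are copied from the BFM entry.
xmlrpc_hits() {
    dir=$1 ip=${2:-} ts=${3:-}
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        n=$(awk -v ip="$ip" -v ts="$ts" '
            # combined log fields: $1 client, $4 [time, $6 quote+method, $7 request URI
            $6 != "\"POST"                  { next }
            ip != "" && $1 != ip            { next }
            ts != "" && $4 != ("[" ts)      { next }
            {
                split($7, uri, "?")                 # drop any query string
                if (uri[1] ~ /\/xmlrpc\.php$/) c++  # also matches /blog/xmlrpc.php
            }
            END { print c + 0 }' "$f")
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "$(basename "$f" .log)"
        fi
    done | sort -rn
}

# Constructed sample logs; domains and all but the first client IP are made up.
make_sample_logs() {
    d=$1
    cat > "$d/example.com.log" <<'EOF'
94.231.107.206 - - [14/Apr/2016:09:13:54 +0200] "POST /xmlrpc.php HTTP/1.1" 200 106821 "-" "-"
94.231.107.206 - - [14/Apr/2016:09:13:55 +0200] "POST /xmlrpc.php HTTP/1.1" 200 106821 "-" "-"
192.0.2.10 - - [14/Apr/2016:09:14:02 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
    cat > "$d/example.org.log" <<'EOF'
203.0.113.7 - - [14/Apr/2016:09:20:11 +0200] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [14/Apr/2016:09:21:40 +0200] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
EOF
    cat > "$d/example.net.log" <<'EOF'
192.0.2.10 - - [14/Apr/2016:09:30:00 +0200] "GET / HTTP/1.1" 200 812 "-" "Mozilla/5.0"
EOF
}

tmp=$(mktemp -d)
make_sample_logs "$tmp"
xmlrpc_hits "$tmp"                                        # all clients, busiest domain first
xmlrpc_hits "$tmp" 94.231.107.206 14/Apr/2016:09:13:54    # the BFM entry from the first post
rm -rf "$tmp"
```

On a real server, pass the log directory used in the grep command above (`/var/log/domains`) as the first argument.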
 