Outgoing tvs login attempts

nofreeid

New member
Joined
Jun 24, 2016
Messages
1
Hello,

The problem is that we have received a report that there are outgoing tvs (WordPress and such) login attempts to other servers. What makes the matter worse is that it is a shared hosting system with DirectAdmin with a lot of users (approx. 200+).

Some of the logs that they included in the report:


/var/log/apache/BruteForceLoginAttemptDomainName.log:ServerIP - - [05/Jun/2016:08:02:28 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2805 "-" "wp-iphone"
/var/log/apache/BruteForceLoginAttemptDomainName.log:ServerIP - - [05/Jun/2016:08:03:37 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2691 "-" "wp-iphone"
/var/log/apache/BruteForceLoginAttemptDomainName.log:ServerIP - - [05/Jun/2016:08:03:37 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2691 "-" "wp-android"
/var/log/apache/BruteForceLoginAttemptDomainName.log:ServerIP - - [05/Jun/2016:08:03:37 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2691 "-" "wp-android"
/var/log/apache/BruteForceLoginAttemptDomainName.log:ServerIP - - [05/Jun/2016:08:09:57 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2805 "-" "wp-android"
/var/log/apache/BruteForceLoginAttemptDomainName.log:ServerIP - - [05/Jun/2016:08:10:56 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2691 "-" "wp-android"

So we have when some of the attempts were tried, from which server the attempts came, and to what domain name.

The server only has one IP address, so all the clients are under the same IP. I've searched the logs for something that looks out of the ordinary, system/user crons, and user files for malicious code or at least parts of it, e.g.

eval(base64_decode
"?><?php"
"$qdtoewomza=substr($bstzohlitn,(59324-49211),(81-69)); $qdtoewomza($gidldupbhh, $xeipowxwpd, NULL);.*=.*; ?><?php"

The last two strings were included in the report mail, which said that most of the time the malicious code has something similar.


I've made myself a mini curl script to imitate a WP login from that server and left it in screen for about 24 hours; however, it seems that the brute force is on demand:
screen -dm bash -c 'tcpdump -A -n -vvvvv -i eth0 -w /root/log.cap "dst port 80" and not dst host ServerIPAddress; exec sh'
In that time period tcpdump did not catch any brute-force attempts; however, it also would not help me find the culprit. In the worst-case scenario I could just drop outgoing traffic from that server on ports 80 and 8080, but some users have crons that would stop working...
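One way to narrow down which site on a single-IP shared host was active at the moments the report lists, as an added example that is not from the original post or from DirectAdmin: parse the timestamps out of the reported log lines and pull every local request that landed within a few seconds of them, then rank the requested paths. It assumes the local per-domain Apache logs are in combined format; the sample local log lines are constructed.

```python
import re
from datetime import datetime

# Apache combined-log timestamp, e.g. [05/Jun/2016:08:02:28 +0200]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def parse_ts(line):
    """Return the timezone-aware timestamp of an Apache log line, or None."""
    m = TS_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1) + " " + m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def correlate(report_lines, local_lines, window=5):
    """Return (local_line, reported_timestamp) pairs for every local request
    that falls within +/-window seconds of a reported outbound attempt."""
    targets = [t for t in map(parse_ts, report_lines) if t]
    hits = []
    for line in local_lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for t in targets:
            if abs((ts - t).total_seconds()) <= window:
                hits.append((line, t))
                break
    return hits

def suspects(hits):
    """Count hits per requested path so a recurring script floats to the top."""
    counts = {}
    for line, _ in hits:
        m = REQ_RE.search(line)
        path = m.group(1) if m else "?"
        counts[path] = counts.get(path, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

# Constructed sample: two reported attempts (same format as the report above)
# and a local site log where one uploaded PHP file is hit just before each.
REPORT = [
    'ServerIP - - [05/Jun/2016:08:02:28 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2805 "-" "wp-iphone"',
    'ServerIP - - [05/Jun/2016:08:09:57 +0200] "POST /xmlrpc.php HTTP/1.0" 503 2805 "-" "wp-android"',
]
LOCAL = [
    '203.0.113.7 - - [05/Jun/2016:08:02:26 +0200] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [05/Jun/2016:08:05:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2016:08:09:55 +0200] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, n in suspects(correlate(REPORT, LOCAL)):
        print(n, path)
```

Run it against each domain's log under /var/log/httpd/domains (or wherever DirectAdmin keeps them on your box) and the site whose script keeps appearing next to the reported timestamps is the one to inspect first.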

It's pretty common with DirectAdmin: all user home root directories are /home/Username/domains/Domain/public_html and they have individual users, but Apache executes as the httpd process for all of them.
 
If you're using mod_php you can use mod_ruid2 to have Apache run a process for each user, or use suPHP.

Also, install mod_security with the Comodo rules; they should help to prevent some attacks on your websites.

Regards