Webserver bruteforcing itself in Bruteforce monitor

BodisHS

Hello everyone,

For some reason my webserver is bruteforcing itself, originating from its external IP (not localhost).
Sadly, all I see is that it's bruteforcing on /xmlrpc.php and /wp-login.php.

Since we are hosting 20+ WordPress sites, I have no idea which WordPress site is causing these bruteforces, since they are coming from the webserver IP.
All websites are running Wordfence and it hasn't found any malware/viruses or anything, so I really want to know what's causing it.

Any idea how I can see which site is being bruteforced by its host?
 


jamgames2

See the logs in /var/log/httpd/domains/*.log

If you want more detail on what is executing, try enabling the PHP "slowlog" for all sites.
For example, add this to the php_fpm user pool, or add it to a custom template and rewrite_conf:
Code:
slowlog = /var/log/httpd/$pool.log.slow
request_slowlog_timeout = 2s

When it requests (curl) the WordPress xml or login page, maybe the script needs 2 seconds to execute.

If you don't find anything, try using "1s" to capture all PHP execution.
This will capture who is executing or running the script.
 
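One way to act on the suggestion to read the per-domain logs, as an added example that is not part of the thread: the site name is in each log's file name rather than in the log lines, so this counts requests from the server's own IP to the two endpoints per file. The IP 203.0.113.10, the sample lines, combined log format, and the skipping of `*.error.log` files are assumptions.

```python
import glob
import os
import re
from collections import Counter

# Combined log format: client IP first, request line in the first quoted field.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')
TARGETS = ("/xmlrpc.php", "/wp-login.php")

# Constructed sample lines; 203.0.113.10 stands in for the server's external IP.
SAMPLE = [
    '203.0.113.10 - - [12/Mar/2024:10:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"',
    '203.0.113.10 - - [12/Mar/2024:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:10:00:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"',
    '203.0.113.10 - - [12/Mar/2024:10:00:04 +0100] "GET /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 0 "-" "-"',
]


def count_self_hits(lines, server_ip):
    """Count requests from server_ip to xmlrpc.php / wp-login.php in one log."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, url = m.groups()
        path = url.split("?", 1)[0]  # drop the query string
        if client == server_ip and path.endswith(TARGETS):
            hits[(method, path)] += 1
    return hits


def scan_domain_logs(pattern, server_ip):
    """Map each site (taken from the log file name) to its self-originated hits."""
    report = {}
    for name in sorted(glob.glob(pattern)):
        if name.endswith(".error.log"):
            continue  # assumption: error logs sit beside access logs
        with open(name, errors="replace") as fh:
            hits = count_self_hits(fh, server_ip)
        if hits:
            report[os.path.basename(name)[: -len(".log")]] = hits
    return report


if __name__ == "__main__":
    found = scan_domain_logs("/var/log/httpd/domains/*.log", "203.0.113.10")
    for domain, hits in found.items():
        print(domain, dict(hits))
```
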

BodisHS

> see log in /var/log/httpd/domains/*.log

I just checked the httpd access_log and httpd error_log, but I'm still only seeing the files my IP is visiting.
The nginx access_log is showing me other IPs, but once again not which site they are accessing, only the file.
 