Webserver bruteforcing itself in Bruteforce monitor

[BodisHS]

Hello everyone,

For some reason my webserver is bruteforcing itself, originating from it's external IP (not localhost).
Sadly all i see that it's bruteforcing on /xmlrpc.php and /wp-login.php

Since we are hosting 20+ wordpress sites, I have no idea which Wordpress site is causing these bruteforces since it coming from the webserver IP.
All websites are running Wordfence and haven't found any malware/virusses or anything so I really want to know what's causing it.

Any idea how i can see which site is being bruteforced by it's host?

 

[jamgames2]

see log in /var/log/httpd/domains/*.log



if you want more detail what's execute try enable php "slowlog" for all site
example add this to php_fpm user pool or add to custom template and rewrite_conf

slowlog = /var/log/httpd/$pool.log.slow
request_slowlog_timeout = 2s

when request curl to wordpress xml or login page maybe script need 2second to execute

if you don't find anything, try use "1s" to capture all php execute
this will capture who's execute or run script

 

[BodisHS]

see log in /var/log/httpd/domains/*.log

I just check httpd access_log and httpd error_log but i'm still only seeing the files my IP is visiting.
nginx access_log is showing me other IP's but once again not which site they are accessing, only the file