Question

Abuse Report - Is my server being used in a botnet?

  • Posted February 25, 2014

I got the following report from Digital Ocean in an abuse report. I got on before and did the following:

  1. Changed my passwords.
  2. Disabled several websites (wordpress!)
  3. Scanned my box with clamav - found some stuff in wordpress site (it has been removed).

I’m not sure where to go from here but it looks like my box is still being abused. Any help?

Hi, We have detected a network attack from an IP ( 192.241.xxx.xxx ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.

The IP 192.241.xxx.xxx has just been banned by Fail2Ban after 4 attempts against apache-attack.

Domain: dondevasconesoshierros.com (195.78.231.40)

Here are more information about 192.241.xxx.xxx: Lines containing IP:192.241.xxx.xxx in /furanet/sites/*/web/htdocs/logs/access

/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:06 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:08 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
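The quoted log lines are what the reporting host's Fail2Ban matched: a burst of POSTs to wp-login.php from one client, all answered with 200 because WordPress returns 200 on a failed login rather than 401. The following is an added example, not code from the original post or from Fail2Ban, that parses lines in that format and flags any client with at least 4 such POSTs inside a 10-minute window (the regex, the window, and the sample lines are mine; the threshold of 4 is the one the report mentions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Apache-style lines quoted in the abuse report (pattern is mine, not Fail2Ban's).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(lines, maxretry=4, findtime=timedelta(minutes=10)):
    """Return {ip: total POSTs} for clients with >= maxretry POSTs to wp-login.php inside findtime.
    The status code is deliberately ignored: a failed WordPress login is a 200, not a 401,
    which is why every entry in the report shows 200 1946."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php"):
            hits[ip].append(ts)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders

# Constructed sample: the report's five entries (IP masked as in the post) plus one benign GET.
SAMPLE_LOG = [
    '192.241.xxx.xxx - - [24/Feb/2014:03:54:06 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-"',
    '192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-"',
    '192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-"',
    '192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-"',
    '192.241.xxx.xxx - - [24/Feb/2014:03:54:08 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-"',
    '10.0.0.5 - - [24/Feb/2014:03:55:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} wp-login.php POSTs, ban candidate")
```

Run against your own access logs on the suspect droplet, the same pattern in the outbound direction (your server's IP appearing in someone else's log) is what the abuse report is describing, so the thing to look for locally is the process that is making those POSTs.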


I was having this kind of attack in my server logs also. Then I’ve gone through all the Firefox and Chrome headers sent on WordPress login. I’ve made some rules. After about a year or so there were 50 attack vectors known to me. I use this WAF to report malicious traffic to Fail2ban which in turn activates the Linux firewall. Later on I’ve developed Miniban for people without a firewall. And “leanmail” to filter out Fail2ban notifications. https://github.com/szepeviktor/wordpress-fail2ban

Got a similar abuse complaint, also from / about /furanet/sites/*

Any pointer!?

Very often, servers are compromised by simple brute force attacks that attempt to connect to the root account over ssh guessing passwords. If you haven’t done so yet, there are some basic precautions you can take. I’d argue that disabling password authentication in favor of just using the key is the first thing you should do when you create a new server. This tutorial will run you through some basic security measures:

https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04

Interesting, I got a similar email.

I am running a maldet scan on my server right now.

Funny thing is that it seems to come from the same network: 195.78.231.227

Same issue!!! No idea how they got in!