Question

Abuse Report - Is my server being used in a botnet?

Posted February 25, 2014 8.1k views
I gotten the following report from Digital Ocean in an abuse report. I got on before and did the following: 1) Changed my passwords. 2) Disabled several websites (wordpress!) 3) Scanned my box with clamav - found some stuff in wordpress site (it has been removed). I'm not sure where to go from here but it looks like my box is still being abused. Any help? Hi, We have detected a network attack from an IP ( 192.241.xxx.xxx ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you. The IP 192.241.xxx.xxx has just been banned by Fail2Ban after 4 attempts against apache-attack. Domain: dondevasconesoshierros.com (195.78.231.40) Here are more information about 192.241.xxx.xxx: Lines containing IP:192.241.xxx.xxx in /furanet/sites/*/web/htdocs/logs/access /furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:06 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-" /furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-" /furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-" /furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-" /furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:08 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
Add a comment
frankie
By:
frankie
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

5 answers
jeremiah March 25, 2014
Same issue!!! No idea how they got in!
Reply Report
amer May 7, 2014
Interesting I got similar email.

I am running maldet scan on my server right now.

Funny thing is that it seems to come from same network: 195.78.231.227

Reply Report
asb May 7, 2014
Very often, servers are compromised by simple brute force attacks that attempt to connect to the root account over ssh guessing passwords. If you haven't done so yet, there are some basic precautions you can take. I'd argue that disabling password authentication in favor of just using the key is the first thing you should do when you create a new server. This tutorial will run you through some basic security measures:

https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04
Initial Server Setup with Ubuntu 12.04
by Etel Sverdlov
This tutorial covers how to login with root, how to change the root password, how to create a new user, how to give the new user root privileges, how to change the port, and how to disable root login in. This tutorial is written for Ubuntu. When you first create your server, this tutorial explains the first steps you need to take. This tutorial is written for Ubuntu 12.04.
Reply Report
florian June 17, 2014
Got a similar abuse complaint, also from / about /furanet/sites/* Any pointer!?
Reply Report
viktor December 15, 2016

I was having this kind of attack in my server logs also.
Then I’ve gone through all the Firefox and Chrome headers sent on WordPress login. I’ve made some rules. After about a year or so there were 50 attack vectors known to me. I use this WAF to report malicious traffic to Fail2ban which in turn activates the Linux firewall. Later on I’ve developed Miniban for people without a firewall. And “leanmail” to filter out Fail2ban notifications.
https://github.com/szepeviktor/wordpress-fail2ban

Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help