Abuse Report - Is my server being used in a botnet?

February 25, 2014 3.8k views
I got the following report from Digital Ocean in an abuse report. I got on before and did the following:

1) Changed my passwords.
2) Disabled several websites (wordpress!)
3) Scanned my box with clamav - found some stuff in wordpress site (it has been removed).

I'm not sure where to go from here but it looks like my box is still being abused. Any help?

Hi,

We have detected a network attack from an IP ( ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.

The IP has just been banned by Fail2Ban after 4 attempts against apache-attack.

Domain: (

Here are more information about

Lines containing in /furanet/sites/*/web/htdocs/logs/access

/furanet/sites/ - - [24/Feb/2014:03:54:06 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/ - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/ - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/ - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/ - - [24/Feb/2014:03:54:08 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"

5 Answers
Same issue!!! No idea how they got in!
Interesting, I got a similar email.

I am running maldet scan on my server right now.

Funny thing is that it seems to come from the same network:

Very often, servers are compromised by simple brute force attacks that attempt to connect to the root account over ssh guessing passwords. If you haven't done so yet, there are some basic precautions you can take. I'd argue that disabling password authentication in favor of just using the key is the first thing you should do when you create a new server. This tutorial will run you through some basic security measures:
by Etel Sverdlov
This tutorial covers how to log in with root, how to change the root password, how to create a new user, how to give the new user root privileges, how to change the port, and how to disable root login. When you first create your server, this tutorial explains the first steps you need to take. This tutorial is written for Ubuntu 12.04.
Got a similar abuse complaint, also from / about /furanet/sites/* Any pointer!?

I was having this kind of attack in my server logs also.
Then I've gone through all the Firefox and Chrome headers sent on WordPress login. I've made some rules. After about a year or so there were 50 attack vectors known to me. I use this WAF to report malicious traffic to Fail2ban which in turn activates the Linux firewall. Later on I've developed Miniban for people without a firewall. And "leanmail" to filter out Fail2ban notifications.
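
The pattern in the abuse report (repeated POSTs to /wp-login.php with empty Referer and User-Agent, banned after 4 attempts) can be looked for in your own access logs. This is an added example, not code from any post in this thread; the function name, the 60-second window and the sample log lines are assumptions, and it expects Apache/nginx combined log format in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def find_login_bruteforce(lines, max_hits=4, window=timedelta(seconds=60)):
    """Map each client IP to the time its max_hits-th header-less POST to
    /wp-login.php landed inside `window` (hypothetical helper)."""
    recent = defaultdict(deque)   # ip -> timestamps of matching requests
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)  # search() tolerates a file-name prefix
        if not m:
            continue              # not a combined-format line
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        # A browser submitting the login form sends Referer and User-Agent;
        # the requests quoted in the report send neither.
        if m["referer"] not in ("", "-") or m["agent"] not in ("", "-"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_hits and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

# Constructed sample lines (documentation IP ranges), not taken from the report
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2014:03:54:%02d +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-"' % s
    for s in (6, 7, 7, 7, 8)
] + [
    '198.51.100.20 - - [24/Feb/2014:03:54:09 +0100] "POST /wp-login.php HTTP/1.1" 200 1946 '
    '"http://blog.example/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.20 - - [24/Feb/2014:03:54:10 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "-"',
]

if __name__ == "__main__":
    for ip, when in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

Run against your own web server's access log, this shows who is hammering your WordPress login; it does not show outbound requests made by a compromised script on your box.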
