Question

Abuse Report - Is my server being used in a botnet?

  • Posted on February 25, 2014
  • Asked by frankie

I got the following report from Digital Ocean in an abuse report. I got on earlier and did the following:

  1. Changed my passwords.
  2. Disabled several websites (wordpress!)
  3. Scanned my box with clamav - found some stuff in wordpress site (it has been removed).

I’m not sure where to go from here but it looks like my box is still being abused. Any help?

Hi, We have detected a network attack from an IP ( 192.241.xxx.xxx ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.

The IP 192.241.xxx.xxx has just been banned by Fail2Ban after 4 attempts against apache-attack.

Domain: dondevasconesoshierros.com (195.78.231.40)

Here are more information about 192.241.xxx.xxx: Lines containing IP:192.241.xxx.xxx in /furanet/sites/*/web/htdocs/logs/access

/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:06 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
/furanet/sites/dondevasconesoshierros.com/web/htdocs/logs/access:192.241.xxx.xxx - - [24/Feb/2014:03:54:08 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"



I was also seeing this kind of attack in my server logs. Then I went through all the Firefox and Chrome headers sent on WordPress login. I made some rules. After about a year or so there were 50 attack vectors known to me. I use this WAF to report malicious traffic to Fail2ban, which in turn activates the Linux firewall. Later on I developed Miniban for people without a firewall, and "leanmail" to filter out Fail2ban notifications. https://github.com/szepeviktor/wordpress-fail2ban
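The abuse report above shows what a wp-login.php brute force looks like from the victim's side: several POSTs per second, all answered with 200, with neither Referer nor User-Agent. The script below is an added example (not code from the original post, nor from the wordpress-fail2ban project linked in the answer) that applies the same two signals the answer describes, a Fail2Ban-style maxretry/findtime threshold and the absence of headers a real browser always sends, to a constructed sample log. The log lines, addresses (RFC 5737 documentation ranges), thresholds and function names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not taken from the original post: four headerless
# POSTs to wp-login.php from one address within two seconds (same shape as the
# lines in the abuse report, including its extra trailing "-" field), plus a
# legitimate login by a browser that sends Referer and User-Agent.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Feb/2014:03:54:06 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
192.0.2.10 - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
192.0.2.10 - - [24/Feb/2014:03:54:07 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
192.0.2.10 - - [24/Feb/2014:03:54:08 +0100] "POST /wp-login.php HTTP/1.0" 200 1946 "-" "-" "-"
198.51.100.7 - - [24/Feb/2014:09:12:01 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 "http://example.com/wp-admin/" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
198.51.100.7 - - [24/Feb/2014:09:12:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
"""

# Apache combined log format. match() rather than fullmatch() so the extra
# trailing field in the report's lines does not break parsing.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_login_post(rec):
    # WordPress answers a failed login with 200 (it re-renders the form) and a
    # successful one with a 302 redirect, so the status code cannot be used to
    # count failures; every POST to wp-login.php counts as one attempt.
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/wp-login.php"


def find_bruteforce(lines, maxretry=4, findtime=timedelta(seconds=600)):
    """Return {ip: timestamp of the attempt that crossed the threshold} for
    every client that made at least `maxretry` login POSTs inside a sliding
    window of `findtime`, the same semantics as Fail2Ban's maxretry/findtime."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec) or rec["ip"] in banned:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > findtime:   # drop attempts older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[rec["ip"]] = rec["ts"]
    return banned


def headerless_login_posts(lines):
    """Count login POSTs per IP that carry neither Referer nor User-Agent.
    A browser submitting the WordPress form sends both, so "-" "-" points at
    a script even when the client stays below the maxretry threshold."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_post(rec) and rec["referer"] == "-" and rec["ua"] == "-":
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_bruteforce(lines).items():
        print(f"ban {ip} (threshold crossed at {when.isoformat()})")
    print("headerless login POSTs:", headerless_login_posts(lines))
```

Run against the real access log instead of SAMPLE_LOG, the same logic is what a Fail2Ban jail with a failregex on `POST /wp-login.php`, `maxretry = 4` and a short `findtime` does before handing the address to iptables; the report's "banned after 4 attempts" matches those defaults. Note that for the questioner the interesting direction is outbound: the same pattern in someone else's log means a process on the droplet is doing the posting, so the next place to look is the process list and outbound connections, not only the inbound log.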

Got a similar abuse complaint, also from / about /furanet/sites/*

Any pointer!?

Very often, servers are compromised by simple brute force attacks that attempt to connect to the root account over SSH guessing passwords. If you haven't done so yet, there are some basic precautions you can take. I'd argue that disabling password authentication in favor of just using the key is the first thing you should do when you create a new server. This tutorial will run you through some basic security measures:

https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04
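The answer above recommends turning off password logins over SSH. The audit below is an added example (not code from the original post or the linked tutorial) that checks an sshd_config the way a practitioner would after editing it: it reproduces sshd's first-occurrence-wins rule, stops at Match blocks, and reports directives that are missing rather than assuming the compiled-in default is safe. Both config fragments are constructed for the example, and the directive set and function names are assumptions.

```python
import re

# Constructed sshd_config fragments, not from the original post: the weak one
# still allows root login and password guessing, the hardened one is the state
# the answer recommends.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
# Both password methods must be off: with UsePAM yes, leaving
# ChallengeResponseAuthentication on still lets PAM prompt for a password.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Directive -> values that count as secure for this check (lower-case).
REQUIRED = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
}

# "Keyword value" or "Keyword=value", trailing whitespace ignored.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+?)\s*$")


def parse_sshd_config(text):
    """Return the effective value of each directive in the global section.
    sshd uses the first occurrence of a keyword and ignores later ones, so a
    'PasswordAuthentication yes' appended at the end of the file is harmless,
    but one inserted near the top silently overrides the hardened line below."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # directives inside Match blocks are conditional; not audited here
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means password logins and
    password-based root logins are disabled in the global section."""
    effective = parse_sshd_config(text)
    findings = []
    for key, ok_values in REQUIRED.items():
        value = effective.get(key)
        if value is None:
            findings.append(f"{key}: not set, compiled-in default applies; "
                            f"set it explicitly to one of {sorted(ok_values)}")
        elif value.lower() not in ok_values:
            findings.append(f"{key}: is '{value}', expected one of {sorted(ok_values)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

To audit the live file, read `/etc/ssh/sshd_config` into `audit_sshd_config`, or compare against `sshd -T`, which prints the effective configuration including defaults. Before restarting sshd, put your public key in `~/.ssh/authorized_keys`, run `sshd -t` to check the syntax, and keep the current session open while you confirm a key-based login works from a second terminal, so a mistake does not lock you out.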