Attack from my Linode to other domains - ToS Violation - Malicious Activity
Hi there
Recently I've been notified about a ToS Violation from my Linode against other domains.
Attacker IP address: [MyLinode]
Attacker Source Port: 52502
My Server IP: 173.255.242.227 [The attacked server by me]
My domains: wp-demo.bid13.com, bababrinkman.com [The domains attacked by me]
Logs
[MyLinode]:52502 - - [15/Mar/2024:08:17:30 +0000] "GET /wp-login.php HTTP/1.1" 200 7609 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
[MyLinode]:52510 - - [15/Mar/2024:08:17:30 +0000] "POST /wp-login.php HTTP/1.1" 200 8027 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
[MyLinode]:52520 - - [15/Mar/2024:08:17:30 +0000] "POST /xmlrpc.php HTTP/1.1" 403 170 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
[MyLinode]:55732 - - [11/Mar/2024:23:09:17 +0000] "POST /wp-login.php HTTP/1.1" 200 8671 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
173.230.135.161:55746 - - [11/Mar/2024:23:09:17 +0000] "POST /xmlrpc.php HTTP/1.1" 403 170 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
[MyLinode]:55728 - - [11/Mar/2024:23:09:16 +0000] "GET /wp-login.php HTTP/1.1" 200 8402 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
As you see, it seems to be a kind of rootkit take control and attack other wordpress sites.
It's so frustrating, because and don't have any ideas to start checking.
Any ideas?
Thanks!
2 Replies
Without knowing your exact setup, it's difficult to give specific advice, so here's some general suggestions…
If you're just using the server to host WordPress sites, make sure you've got a viable backup, including an export (WP admin > Tools > Export) and a download (e.g. using FTP) of the files under /wp-content/uploads. In theory, that's all you'd need to redeploy the site(s) onto a new server using the WP admin > Tools > Import option.
If you haven't got any security software on your server at the moment, you could try installing the free WordFence plugin and let it scan your site(s): https://en-gb.wordpress.org/plugins/wordfence/
If you don't know how your site/server was compromised (dodgy/insecure WP plugin, not applying WP updates in a timely manner, lack of a firewall, not running a WP specific WAF, comprised WP account, etc) then the best option is to start afresh on a new server using the backup. There are lots of guides out there for hardening/securing a WP installation and it's definitely worth installing a security plugin (such as WordFence) if you've not been using one.
tlambert
Linode Staff
There are a couple resources that could be helpful. This one titled I've noticed some suspicious activity on my Linode, what do I do? gives suggestions for what to do when believe your system has been compromised.
This post, titled Using RKHunter on your Linode to scan for malicious software has instructions for installing and using RKHunter to scan your system for malicious root kits.