My server has been used to attack a site on another server at another company.
I have domain1 redirected to domain2 (at another company). One client owns both domains.
The other company now blocks me because the attack on domain2 is from my domain1/IP.
I have been looking “all over” and cannot find any evil code.
Nothing abnormal in logs, but hundreds of WordPress probes.
How is the Virtualmin redirect done? Redirect or proxying?
And you can’t blame them: all you are doing is passing on the attacker with a redirect.
What I would first of all be concerned about is “what is it about the website content that is attracting so much attention”. Then, is it genuine? Are the “hundreds” probing a high proportion of traffic to the site, or is the site genuinely attracting genuine traffic? If the traffic is “normal” kiddy or bot probing, maybe you could block them?
AFAIK all the redirecting on Virtualmin is down to your Apache or Nginx configs so entirely at your discretion or the client’s “301” headers.
My own view would be to get the client to move completely to their new domain2 host and stop using your space/bandwidth/resource.
As I said, the mistake most people make is using all sorts of “free” plugins and templates off the internet. Many of them are absolutely chock full of malicious code.
The idea of “free” is just too much for some people to overcome. The thought that there’s a hidden price to pay for it never enters their mind.
It’s like a “free” vacation someone promises you, so long as you sit and listen to a “brief” sales pitch. Or all that “free” money a prince in Africa will give you if you send him just a little money of your own.
That’s part of why I was so skeptical of Virtualmin when I first came across it years ago. It is the very, very rare exception of something that is free that has no strings attached.
EDIT TO ADD: Here’s an article about some of the things these bogus WordPress themes can do. This is not the only site that does this. There are hundreds of them. They modify a theme, then offer it for free, you download it and install it and it infects your entire site and can be used for phishing, sending spam mail, you name it.
There’s something going on with WP the past 12 hours or so, maybe even the past day. Some newly-discovered vulnerability is making the rounds. I can tell when WP attacks start dominating the IP addresses triggering my traps.
Usually WP attacks are maybe five percent of the total at most. When they exceed that percentage, there’s something new that’s attracting the miscreants.
I don’t do the forensics, however, so that’s all I know. I just add the offending IPs to the blocklists.
Security updates? Including all addons? Remove stuff that’s found to be problematic? I don’t know if WP does automatic updates because I just don’t have the time or inclination.
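Two checks a server admin in the original poster’s position could run, as an added example that is not code from the thread or from Virtualmin. The first answers the “redirect or proxying?” question by inspecting an Apache vhost: with `Redirect` the attacker’s own browser is sent to domain2 and domain2 sees the attacker’s IP, whereas with `ProxyPass` it is domain1’s server that makes every request, so domain2 sees domain1’s IP. The second takes the “hundreds of WordPress probes” and the “WP attacks are usually at most five percent” observation from the later post and turns them into a report over Apache combined-format access log lines: the share of WordPress-probe requests against a 5% baseline, and which IPs have enough probes to be blocklist candidates. Everything is assumption: Apache rather than Nginx, the vhost snippets, the log lines (documentation-range IPs), the probe path list and the per-IP block threshold are all constructed for the example.

```python
"""Added example: audit an Apache vhost's redirect mode and report
WordPress probing from access logs. Sample configs and logs are constructed."""
import re
from collections import Counter

# Constructed sample vhosts (assumption: Apache; the thread also mentions Nginx).
VHOST_REDIRECT = """
<VirtualHost *:80>
    ServerName domain1.example
    Redirect permanent / https://domain2.example/
</VirtualHost>
"""

VHOST_PROXY = """
<VirtualHost *:80>
    ServerName domain1.example
    ProxyPass / https://domain2.example/
    ProxyPassReverse / https://domain2.example/
</VirtualHost>
"""


def audit_redirect_mode(vhost_text):
    """Return 'proxy' if the vhost reverse-proxies (domain2 will see THIS server's IP),
    'redirect' if it sends a 3xx (domain2 sees the client's IP), else 'none'."""
    if re.search(r"^\s*ProxyPass\b", vhost_text, re.M):
        return "proxy"
    if re.search(r"^\s*(Redirect(Match)?\b|RewriteRule\b.*\[.*\bR(=\d+)?\b)", vhost_text, re.M):
        return "redirect"
    return "none"


# Request paths treated as WordPress probing (assumed list, extend to taste).
WP_PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin",
                  "/wp-content/plugins", "/wp-config")

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed log: 301s because domain1 only redirects; probes still hit it first.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 301 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-admin/install.php HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 301 0 "-" "python-requests/2.31"
192.0.2.10 - - [10/Oct/2023:13:55:42 +0000] "GET /contact HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /favicon.ico HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""


def parse_log(lines):
    """Yield dicts for lines that match the combined format; skip malformed ones."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_wp_probe(path):
    """Match on the path only, ignoring the query string and case."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix) for prefix in WP_PROBE_PATHS)


def wp_probe_report(log_text, baseline_share=0.05, block_threshold=3):
    """Count WP-probe requests per IP, compare their share of all requests with the
    baseline (5%, the figure quoted in the thread), and list IPs at/over the threshold."""
    total = 0
    probes = Counter()
    for rec in parse_log(log_text.splitlines()):
        total += 1
        if is_wp_probe(rec["path"]):
            probes[rec["ip"]] += 1
    probe_count = sum(probes.values())
    share = probe_count / total if total else 0.0
    return {
        "total": total,
        "wp_probes": probe_count,
        "share": share,
        "above_baseline": share > baseline_share,
        "per_ip": dict(probes),
        "block_candidates": sorted(ip for ip, n in probes.items() if n >= block_threshold),
    }


if __name__ == "__main__":
    for name, text in (("redirect vhost", VHOST_REDIRECT), ("proxy vhost", VHOST_PROXY)):
        print(f"{name}: {audit_redirect_mode(text)}")
    report = wp_probe_report(SAMPLE_LOG)
    print(f"{report['wp_probes']}/{report['total']} requests are WP probes "
          f"({report['share']:.0%}); above baseline: {report['above_baseline']}")
    print("block candidates:", report["block_candidates"])
```

Run it against the real vhost file and a slice of the real access log to replace the constructed samples; if `audit_redirect_mode` reports `proxy`, the other company is right that the requests originate from domain1’s IP, and the fix is a plain 301 (or dropping the vhost, as suggested above) rather than hunting for malware.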