Attacked - or used as a proxy to attack - word-press

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.1
Webmin version 2.013
Virtualmin version 7.5 Pro
Related packages SUGGESTED

My server has been used to attack a site on another server at another company.
I have domain1 redirected to domain2 (at another company). One client owns both domains.
The other company now blocks me because the attack on domain2 is from my domain1/IP.

I have been looking “all over”, cannot find any evil code.
Nothing abnormal in logs, but hundreds of word-press probing.

How is the Virtualmin redirect? Redirect or proxy’ing?

and you can’t blame them - all you are doing is passing on the attacker with a redirect.
I would first of all be concerned about is “what is it about the website content that is attracting so much attention” then is it genuine are the “hundreds” probing a I high proportion of traffic to the site or is the site genuinely attracting genuine traffic? If the traffic is “normal” kiddy or bots probing may be you could block them?

AFAIK all the redirecting on Virtualmin is down to your Apache or Nginx configs so entirely at your discretion or the client’s “301” headers.
My own view would be to get the client to move completely to their new domain2 host and stop using your space/bandwidth/resource.

Are you using a “free” template for the site? Most of those are LOADED with bogus code and have been problematic for just that reason.

If you didn’t get your website template from a reputable source, get rid of it and scan your system for bogus code.

Clients wonder why I hate wordpress? They seem to think it is install and forget.

2 Likes

You’re going to need to be more specific. What do you mean by “attack”?

It is if it’s done properly.

As I said, the mistake most people make is using all sorts of “free” plugins and templates off the internet. Many of them are chock absolutely full of malicious code.

The idea of “free” is just too much for some people to overcome. The thought that there’s a hidden price to pay for it never enters their mind.

It’s like a “free” vacation someone promises you, so long as you sit and listen to a “brief” sales pitch. Or all that “free” money a prince in Africa will give you if you send him just a little money of your own.

That’s part of why I was so skeptical of Virtualmin when I first came across it years ago. It is the very, very rare exception of something that is free that has no strings attached.

EDIT TO ADD: Here’s an article about some of the things these bogus Wordpress themes can do. This is not the only site that does this. There are hundreds of them. They modify a theme, then offer it for free, you download it and install it and it infects your entire site and can be used for phishing, sending spam mail, you name it.

4 Likes

There’s something going on with WP the past 12 hours or so, maybe even the past day. Some newly-discovered vulnerability is making the rounds. I can tell when WP attacks start dominating the IP addresses triggering my traps.

Usually WP attacks are maybe five percent of the total at most. When they exceed that percentage, there’s something new that’s attracting the miscreants.

I don’t do the forensics, however, so that’s all I know. I just add the offending IPs to the blocklists.

Richard

1 Like

Security updates? Including all addons? Remove stuff that’s found to be problematic? I don’t know if WP does automatic updates because I just don’t have the time or inclination.

neither do I

This is going off-topic. Please reel it in.

Let OP tell us what’s actually happening before starting to theorize about why it’s happening.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.