Operating system: CentOS7
OS version: CentOS Linux 7.9.2009
Morning everyone.
My provider blocked one of my servers yesterday as they suspect it has been compromised.
They gave me access this morning.
The info they gave me was that they received a report that this server has been carrying out malicious network activity, including attacks on servers elsewhere on the Internet.
They provided a log which had a lot of this (ip hidden by xx)
xx.xxx.xxx.xxx - - [02/Dec/2020:01:22:31 +0100] "GET /wp-login.php HTTP/1.1" 200 8618 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
xx.xxx.xxx.xxx - - [02/Dec/2020:01:22:32 +0100] "POST /wp-login.php HTTP/1.1" 200 8907 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
I have 6 WordPress sites on that server, so once I had access back this morning, I scanned them and checked them all for issues. Wordfence flagged some on one of the sites; the rest were fine.
I have iptables configured just using the default settings (block all except ports used for virtual hosting on interface). Is this enough?
Is it possible to do a scan (malware) of the whole server?
Finally, what can I check for in my logs to see if it does specify a little more which virtual server is the cause?
Thanks so much!
Craig
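The lines the provider sent are in Apache's "combined" log format, which is the same format each virtual host's own access log uses. The following is an added example (not from the post or from any Virtualmin/Wordfence tool): it parses such lines, counts POSTs to wp-login.php per source IP, and flags bursts that look like password-guessing; running it over each virtual host's access log (path is your own, e.g. a placeholder like `/var/log/virtualmin/<site>_access_log`) shows which site is receiving the login flood. The sample lines and IPs below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the same layout as the lines in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def wp_login_posts_per_ip(lines):
    """Count POST requests to wp-login.php per source IP, with first/last timestamps."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue  # skip unparseable lines and anything that is not a login POST
        s = stats[rec["ip"]]
        s["count"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(stats)

def flag_bruteforce(stats, min_posts=10, max_seconds=600):
    """IPs that sent at least min_posts login POSTs within max_seconds (thresholds are assumptions)."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_posts
                  and (s["last"] - s["first"]).total_seconds() <= max_seconds)

# Constructed sample log (not from the post); IPs are RFC 5737 documentation addresses.
def _line(ip, method, path, second):
    return (f'{ip} - - [02/Dec/2020:01:22:{second:02d} +0100] "{method} {path} HTTP/1.1" '
            f'200 8907 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Firefox/62.0"')

SAMPLE = [_line("203.0.113.5", "POST", "/wp-login.php", s) for s in range(12)]
SAMPLE += [_line("198.51.100.7", "GET", "/wp-login.php", 5),
           _line("198.51.100.7", "POST", "/wp-login.php", 30),
           _line("198.51.100.7", "GET", "/index.php", 40)]

if __name__ == "__main__":
    print("suspected brute-force sources:", flag_bruteforce(wp_login_posts_per_ip(SAMPLE)))
```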