Server locked because of abuse from my ip - where to start?

Hi,

I just got an e-mail that my server has been ‘locked’ because a lot of abuse was coming from it according to:

https://www.abuseipdb.com/check/94.130.237.27

I can now go and ‘whitelist’ one IP so I can contact the server again, to “solve the problem”. I don’t have a clue as to where to start. How do I find the culprit of all this?

I see mostly WordPress login attempts, but also trolling for resource vulnerabilities.

Scrolling through the list, a lot does seem to be WordPress login attempts.

After whitelisting this IP and contacting the server via ssh again, or web, what do I do? In what log files could I find info about what is being used to attack other servers/websites?

Thanks!

SYSTEM INFORMATION
OS type and version REQUIRED
Virtualmin version REQUIRED

OS is an old version of Ubuntu and Virtualmin one of the latest (I can check all this as soon as I’ve got contact again with the server…)

AbuseIPDB is only a report, did Hetzner block your access because of it?
Their data is submitted, not collected, so could be poisoned by a bad actor?
How do they accept anonymous complaints?

Hi, thanks for your answer. They did send me a mail before, with a log file (at the end):

Dear Mr Lex Thoonen,

We have received an abuse report from admin@markom.hu for your IP address 94.130.237.27.

We are automatically forwarding this report on to you, for your information. You do not need to respond, but we do expect you to check it and to resolve any potential issues.

Please note that this is a notification only, you do not need to respond.

Kind regards

Abuse Team

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

You have the option of making an appeal against a negative decision.
To do that, please reply directly to this ticket. If this is the Abuse
Team’s final decision, you can also make a complaint by writing to
info@hetzner.com. The European Commission also provides a
platform that you can use as a platform for online dispute resolution
(ODR) at Site relocation - Consumer Redress in the EU - European Commission. We are neither willing
nor required to participate in a dispute resolution process before a
consumer arbitration board.

For the purposes of this communication, we may save some of your
personal data. For information on our data privacy policy, please see:
www.hetzner.com/privacy-policy-notice

Dear Sir/Madam,

We have detected abuse from the IP address 94.130.237.27, which according to abusix.com is on your network. We believe this is no coincidence; therefore we follow the Three Strike Law and report those IP addresses which try to access our services without permission. We would appreciate it if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)

This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at XARF Abuse Reporting Standard | Network Abuse Management.

The recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: Real-time Network Abuse Reporting: Efficient & Effective Solutions
abusix.com is neither responsible nor liable for the content or accuracy of this message.
logfile.log (465 Bytes)

logfile:

Note: Local timezone is +0100 (CET)

Nov 17 18:41:02 dslC3E4E2D7 wordpress(konyvelogyor.hu)[2556161]: XML-RPC authentication attempt for unknown user ridiz from 94.130.237.27
Nov 18 00:29:36 dslC3E4E2D7 wordpress(konyvelogyor.hu)[2656811]: XML-RPC authentication attempt for unknown user admin from 94.130.237.27
Nov 18 09:17:01 dslC3E4E2D7 wordpress(konyvelogyor.hu)[2963754]: XML-RPC authentication attempt for unknown user NexusLeads from 94.130.237.27

If you log into your Hetzner account, don’t you have access to some sort of terminal tool to get into your server? Some KVM/Console feature? This should bypass the IP address of your server entirely.

Your server seems to have a bad actor/app trying to brute force some WP sites on other servers. Most likely this is a compromised website/app. Find that site and shut it down.

That was the time to do something. Live and learn.

along with

Keeping up to date with everything is one of the primary jobs of running a server, along with not spreading spam and such. Owning an IP must be taken seriously; they are precious, rare and need to be protected.

There is a way for me to log in, by whitelisting my own IP. How do I go about finding the compromised app/website quickly?

That I can’t really tell you. I’d check with the sites that seem to have the largest current log files or other activity.

In order, this is what I’d check:

  1. The Postfix mail log. This can be in a variety of locations depending on your OS, version, and configuration. /var/log/maillog, /var/log/mail.log, or journalctl -u postfix. There’s a viewer for logs in Webmin, but you’ll probably find you can work faster using command line tools like grep (or the journalctl filter options).
  2. The Postfix queue. Because we should probably assume “abuse” means “someone is sending spam from my server”, if that’s true and if they’re sending via Postfix, there will be a bunch of messages (hundreds or thousands) queued because servers start blocking after a few spams come in.
  3. If you don’t see evidence of a lot of mail being sent via Postfix, it could still be mail (you don’t need a mail server to send mail…email can be sent by any scripting or programming language in a few lines of code), but how you find who is sending a bunch of mail changes. If they’re sending all the time (as spammers tend to do when they exploit a server), you may be able to find them in the output of netstat -tnp|grep ':25\s'. You’re looking for processes connecting to the mail port. This is ephemeral, and it’s possible to miss connections even if they’re happening a lot. You’ll want to run it a few times, or do a cron job that logs it regularly for a time. There’s probably some better way to track this, but this is what comes to mind. Similarly, attackers often use an IRC server for orchestration of their exploited servers…if you see outgoing IRC connections, you’ve almost certainly got an attacker in your house.
  4. Check top or htop for weird looking processes that are using a lot of resources. If it’s a spammer, they’re going to slam your network with outgoing mail, which may show up as a bit of unusual CPU usage.
  5. Similarly, check the process list for unusual processes, especially unusual processes running in domain owner home directories. Unless the attacker has escalated to root (which you can’t rule out), the root user can see every process, including those the attacker has started.
  6. Check for hidden files or directories (name starts with .) in web application directories.

Some things to be aware of:

Attackers have many ways to try to hide. They might simply modify your WordPress (or whatever) files to suit their purposes. You won’t see those changes unless you’re tracking stuff in git or something similar. You can check for recently modified files (or if you have Linux kernel audit logging enabled, you may be able to see when files were modified and by whom).

But, unless they got root, they can’t actually hide. root can see everything (unless the attacker got root and replaced system binaries that would allow root to see the exploited tools running). So, the attacker shows up in ps, they show up in logs, they show up in outgoing connections.

3 Likes
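The checks in the list above (outgoing connections to mail/IRC ports, recently modified and hidden files in web roots, processes owned by domain users) as one triage script. This is an added example, not code from the thread or from Virtualmin; the web root glob /home/*/public_html, the port list and the 7-day window are assumptions you can override.

```shell
#!/bin/sh
# Triage helpers for a server reported for abuse. Added example, not from the
# original thread. WEBROOT_GLOB assumes the Virtualmin default layout.
WEBROOT_GLOB="${WEBROOT_GLOB:-/home/*/public_html}"

# Established connections whose peer port is SMTP (25, 465, 587) or IRC
# (6667, 6697). Uses ss where available, else netstat as in the thread.
# This view is ephemeral: run it repeatedly (or from cron) to catch bursts.
outbound_suspects() {
    if command -v ss >/dev/null 2>&1; then
        ss -tnp 2>/dev/null
    else
        netstat -tnp 2>/dev/null
    fi | awk '$5 ~ /:(25|465|587|6667|6697)$/ { print }'
}

# Regular files changed in the last N days under DIR. Attackers often edit
# existing WordPress files rather than drop obviously new ones.
recent_files() {   # usage: recent_files DIR DAYS
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Hidden entries (name starts with '.') inside a web tree. .htaccess is
# excluded because WordPress uses it legitimately; anything else deserves a look.
hidden_entries() { # usage: hidden_entries DIR
    find "$1" -name '.*' ! -name '.htaccess' ! -path "$1" 2>/dev/null | sort
}

# Processes running as non-system users (uid >= 1000), highest CPU first.
# Unless the attacker has root, these show exactly what each site user runs.
user_processes() {
    ps -eo uid,user,pid,ppid,pcpu,etime,args --sort=-pcpu 2>/dev/null \
        | awk 'NR == 1 || $1 >= 1000'
}

main() {
    echo "== established connections to SMTP/IRC ports"; outbound_suspects
    for d in $WEBROOT_GLOB; do
        [ -d "$d" ] || continue
        echo "== files modified in the last 7 days: $d"; recent_files "$d" 7
        echo "== hidden entries: $d"; hidden_entries "$d"
    done
    echo "== processes owned by non-system users"; user_processes
}
[ -n "${TRIAGE_NO_MAIN:-}" ] || main
```

Run it as root so every user's processes and files are visible; anything it lists still needs a human to decide whether it belongs to the site.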

Virtualmin WP Workbench plugin has an integrity check feature, so you don’t need to use Git to track it.

2 Likes

Thanks a lot people, you really got me on the right track!
And this was the first time I was able to use AI in a serious way too.


And what was that track? Did you identify the root of the problem?
