Someone is logging into my webserver

Question

For a week someone has been logging into my webserver. Yesterday I mentioned this to the hosting company. They tell me to use an "IP blocker".

I am doing that, but today I looked for more logins. The IP logging int is 37.201.196.78 (that's not my IP). Today I searched more info about this IP with Zenmap:

I know when anyone logs into my server, because I can see it in my cPanel (linuxuse is my username, 139.162.169.45 is my server, linuxusers.net is my domain, I log in to the server from the hosting site's portal, but it is not the IP's shown):

With this information, what can I do to frustrate more attacks?

One more thing, I think they have also to put a "thing" on my hard disk, because today I updated a page on my webserver and two minutes later, I see this in my comments moderation panel:

Can anyone explain what can I do using simple terms?

Sorry to say, but the question shows that you don't have a basic understanding of networking and security and are thus far away from dealing with the attack by yourself. You will also not be able to quickly get the necessary knowledge by asking questions here since the knowledge gap is too large. The best thing you could probably do instead is to hire a local expert and let him get to the bottom of the problem, help you to fix it and help you to harden your server so that you don't get immediately attacked again. Yes, it will cost but so does loss of business. — Steffen Ullrich, Dec 07 '19 at 15:39
don't sorry, I know my knowledge about networking and security is very slow, therefore ask here.... — biotza, Dec 07 '19 at 15:56
Are you logging in from anywhere near Essen? Could 37.201.196.78 be your home IP (or wherever you physically are) — schroeder, Dec 09 '19 at 09:01
sorry for my late answer... , i am in Berlin my IP 84.184.232.13 , with curl https://ipinfo.io/ip.... — biotza, Dec 09 '19 at 10:55

score 0 · Answer 1 · answered Dec 07 '19 at 15:28

^{(Ich habe dies zweimal aus dem Deutschen übersetzt, um sicherzustellen, dass Sie Google Translate ohne Bedeutungsverlust verwenden können)}

In simple terms, you do not have a "web server". You have an application that runs on a web server.

This application must have a so-called "access control" (or password or security feature). This is what you need to check.

An IP Blocker only prevents access from a specific IP address (or IP range), but the attacker only needs to change their IP address (there are ways to do that) and the IP Blocker is defeated ,

If you have changed the password and reinstalled the application on a clean system and the attacker still has access to the application, there may be a vulnerability in the application. It is best to contact the application developers or maintainers (not the web hosting company, since they do not know the application). It is unlikely that you can fix this yourself.

yes, I changed the password and the attacker still has access to the application... — biotza, Dec 07 '19 at 15:49

Someone is logging into my webserver

1 Answers1