
I received a report today that a server I manage (CentOS + Apache) is launching a brute-force attack against WordPress websites:

hacked-joomla/brobot

The requests sent look like this:

x.x.x.x - - [15/Nov/2015:19:37:14 +0100] "POST wp-login.php HTTP/1.1" 200 3963 "referer-domain.tld" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"

I tried to locate the source of the attack using tcpdump, lsof and netstat, but I was unable to locate any useful information.

I need to be able to monitor the outgoing web traffic and see not only the destination, but also the source - the file/vhost that the request was sent from.

Any suggestions or guidelines are more than welcome!

P.S. David W., thank you for the link, but it is a very general guide on compromised servers. I have a very specific problem - I need an efficient tool/method to monitor my traffic to identify the source of an outbound attack. I am not experienced in networking etc. and have not used netstat, tcpdump and lsof much, but I am looking for a similar tool or a combination of tools that can provide me with the traffic data that I need.

    Jason - First off, welcome to Server Fault. If you stick around, you'll find that there's a huge breadth of knowledge represented here, and tons of people willing to help you out with your systems administrator questions, as long as they fall in line with what's on topic (see http://serverfault.com/help/on-topic). Unfortunately, in addition to its duplicate nature (your server is compromised, period. Best thing to do is take it down, restore from backups, and review that link), the question is off topic because of cPanel. Please see the link I've provided in this comment to what's on topic. – David W Nov 16 '15 at 16:57
  • Hey David, thanks for the welcome! I know the server is compromised, and I am working in that direction. Restore is out of the question before I can identify the account causing this. I will remove the cPanel tag if it is misleading. The topic here is how I can view the source of the outbound traffic on the server. – Jason Carter Nov 16 '15 at 17:10
  • With a typical cPanel apache mod_php setup you have absolutely zero hope of doing this. Even with a more reasonable nginx php-fpm setup, it requires considerable work configuring the audit subsystem, and you end up with very large amounts of logs you have to suffer through. Best to just scan the system with [maldet](https://www.rfxn.com/projects/linux-malware-detect/), find the compromised site(s), and deal with it. – Michael Hampton Nov 16 '15 at 18:10
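Michael Hampton's comment points at the audit subsystem as the one workable route on a shared Apache box. As an added example (not from the question or any comment), here is a Python parser for the records that an auditd connect() rule on the apache user produces: it decodes the SOCKADDR record into a destination and pairs it with the pid, uid, exe and working directory of the calling process. The audit rule, uid 48, the pids, paths and addresses in the sample log are all assumptions.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample (not from the page) of what a rule such as
#   auditctl -a always,exit -F arch=b64 -S connect -F uid=48 -k outbound
# logs on CentOS for the apache user (uid 48); pids, paths and addresses are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1447613834.123:4242): arch=c000003e syscall=42 success=yes exit=0 a0=10 a1=7ffd1c2a0b20 a2=10 a3=0 ppid=1200 pid=1234 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" key="outbound"
type=SOCKADDR msg=audit(1447613834.123:4242): saddr=02000050CB00710A0000000000000000
type=CWD msg=audit(1447613834.123:4242):  cwd="/home/victim/public_html"
type=SYSCALL msg=audit(1447613834.123:4245): arch=c000003e syscall=42 success=yes exit=0 a0=12 a1=7ffd1c2a0b20 a2=10 a3=0 ppid=1200 pid=1235 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" key="outbound"
type=SOCKADDR msg=audit(1447613834.123:4245): saddr=020001BBCB00710A0000000000000000
type=CWD msg=audit(1447613834.123:4245):  cwd="/home/other/public_html"
"""

AUDIT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")   # timestamp:serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value or key="value"

def parse_records(lines):
    """Group raw audit lines by event serial -> {record type: {field: value}}."""
    events = defaultdict(dict)
    for line in lines:
        m = AUDIT_ID_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            events[m.group(2)][fields["type"]] = fields
    return events

def decode_saddr(hexstr):
    """Decode an audit SOCKADDR saddr= field to (ip, port); None unless IPv4/IPv6."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8:
        return None
    family = struct.unpack("<H", raw[:2])[0]   # sa_family_t in host order (x86 = LE)
    port = struct.unpack("!H", raw[2:4])[0]    # sin_port / sin6_port in network order
    if family == socket.AF_INET:
        return socket.inet_ntop(socket.AF_INET, raw[4:8]), port
    if family == socket.AF_INET6 and len(raw) >= 24:
        return socket.inet_ntop(socket.AF_INET6, raw[8:24]), port
    return None                                # AF_UNIX etc.: not an outbound connection

def outbound_connects(lines, ports=(80, 443)):
    """(pid, uid, exe, cwd, dst_ip, dst_port) for each successful connect() to `ports`."""
    hits = []
    for ev in parse_records(lines).values():
        sc, sa = ev.get("SYSCALL"), ev.get("SOCKADDR")
        if not (sc and sa) or sc.get("success") != "yes":
            continue
        dst = decode_saddr(sa["saddr"])
        if dst and dst[1] in ports:
            hits.append((int(sc["pid"]), int(sc["uid"]), sc.get("exe"),
                         ev.get("CWD", {}).get("cwd"), dst[0], dst[1]))
    return hits
```

Run it over `ausearch -k outbound --raw` output (or the raw audit.log) and group the tuples by uid and cwd; with mod_php every site runs under the same uid, so whether cwd names the offending site depends on the SAPI, whereas with per-account php-fpm or suexec the uid identifies the account directly.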
