Spamhaus detects contact to malware C&C server - Can´t find anything in the logs -
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can´t rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can´t rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
@whitespace you can try running a clamav scan. So far, it has never detected anything for me, so I have no idea how effective it is. Basically,
apt-get install clamavand then laterclamscan --infected --detect-pua=yes --recursive <somepath>. It takes forever but let's see if it detects something in yours.You will see summary like so:
----------- SCAN SUMMARY ----------- Known viruses: 8686492 Engine version: 0.103.8 Scanned directories: 161 Scanned files: 91 Infected files: 0 Data scanned: 9.51 MB Data read: 3.70 MB (ratio 2.57:1) Time: 28.475 sec (0 m 28 s) Start Date: 2023:07:20 07:01:11 End Date: 2023:07:20 07:01:40 -
@girish Nope. Just a clean Ubuntu and a cloudron install on top. Nothing else. The only installations are cloudron applications. Nextcloud, Uptime Kuma, a few LAMP stacks, three WP instances, a FreshRSS instance, an unused Mastodon instance, Joplin. No custom docker repo or anything alike.
-
-
What software is running in the LAMP stacks?
@necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.
-
News.
My server provider got an email from Bitninja Security. They have more than hundred logs.
Here some examples:
Deleted code for privacy reasons and since issue is solved.Is there any concrete indication of anything?
-
At least
<string>wp.getUsersBlogs</string>in both logs points to Wordpress, I think.
-
I have the impression that 99% of all suspicious activity are because of wordpress... just wondering
-
Did you changed the default admin/changeme after install?
Advise: always install Wordfence (the free version had enough)I understand the log entry as what the infected server does to other servers as part of a bot net. In this case it looks for Wordpress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.
value><string>lotadmin</string></value><value><string>12345</string> -
I found it. The log entries listed by Bitninja Security are found on the log of a WordPress instance that has been left with default values. Wasn´t me.
I am ditching the WP instance.
Jesus Christ.
-
General Rule in Life: it‘s always efffin‘ Wordpress
Not because it’s a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world. -
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login