Spamhaus detects contact to malware C&C server - Can´t find anything in the logs -
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can´t rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can´t rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
@whitespace you can try running a clamav scan. So far, it has never detected anything for me, so I have no idea how effective it is. Basically,
apt-get install clamavand then laterclamscan --infected --detect-pua=yes --recursive <somepath>. It takes forever but let's see if it detects something in yours.You will see summary like so:
----------- SCAN SUMMARY ----------- Known viruses: 8686492 Engine version: 0.103.8 Scanned directories: 161 Scanned files: 91 Infected files: 0 Data scanned: 9.51 MB Data read: 3.70 MB (ratio 2.57:1) Time: 28.475 sec (0 m 28 s) Start Date: 2023:07:20 07:01:11 End Date: 2023:07:20 07:01:40 -
@girish Nope. Just a clean Ubuntu and a cloudron install on top. Nothing else. The only installations are cloudron applications. Nextcloud, Uptime Kuma, a few LAMP stacks, three WP instances, a FreshRSS instance, an unused Mastodon instance, Joplin. No custom docker repo or anything alike.
-
-
What software is running in the LAMP stacks?
@necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.
-
News.
My server provider got an email from Bitninja Security. They have more than hundred logs.
Here some examples:
Deleted code for privacy reasons and since issue is solved.Is there any concrete indication of anything?
-
At least
<string>wp.getUsersBlogs</string>in both logs points to Wordpress, I think.
-
I have the impression that 99% of all suspicious activity are because of wordpress... just wondering
-
Did you changed the default admin/changeme after install?
Advise: always install Wordfence (the free version had enough)I understand the log entry as what the infected server does to other servers as part of a bot net. In this case it looks for Wordpress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.
value><string>lotadmin</string></value><value><string>12345</string> -
I found it. The log entries listed by Bitninja Security are found on the log of a WordPress instance that has been left with default values. Wasn´t me.
I am ditching the WP instance.
Jesus Christ.
-
General Rule in Life: it‘s always efffin‘ Wordpress
Not because it’s a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world. -
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
