Spamhaus detects contact to malware C&C server - Can´t find anything in the logs -
-
@girish Nope. Just a clean Ubuntu and a cloudron install on top. Nothing else. The only installations are cloudron applications. Nextcloud, Uptime Kuma, a few LAMP stacks, three WP instances, a FreshRSS instance, an unused Mastodon instance, Joplin. No custom docker repo or anything alike.
-
-
What software is running in the LAMP stacks?
@necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.
-
News.
My server provider got an email from Bitninja Security. They have more than hundred logs.
Here some examples:
Deleted code for privacy reasons and since issue is solved.Is there any concrete indication of anything?
-
At least
<string>wp.getUsersBlogs</string>in both logs points to Wordpress, I think.
-
I have the impression that 99% of all suspicious activity are because of wordpress... just wondering
-
Did you changed the default admin/changeme after install?
Advise: always install Wordfence (the free version had enough)I understand the log entry as what the infected server does to other servers as part of a bot net. In this case it looks for Wordpress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.
value><string>lotadmin</string></value><value><string>12345</string> -
I found it. The log entries listed by Bitninja Security are found on the log of a WordPress instance that has been left with default values. Wasn´t me.
I am ditching the WP instance.
Jesus Christ.
-
General Rule in Life: it‘s always efffin‘ Wordpress
Not because it’s a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world. -
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
