How to Identify which application is infected from an abuse report.
-
Hi,
We have cloudron installed on a dedicated server. I got this message from my ISP as a complaint of abuse:
I am XXX , Incident Analyst at BitNinja Server Security.
I'm writing to inform you that we have detected malicious requests targeting our clients servers from the IP xxx.xxx.xxx.xxx you own based on a public database.
We've been able to stop these requests and prevent future attacksby adding your IP to our greylist, but we wanted to reach out and inform you, as you might not be aware.
They could see many attempts like below. I believe it's some kind on worm that might be on one of the apps installed (inclining towards one of the Wordpress installation).
This is one of the many logs from BitNinja's portal :
Example 1 :
Stopped by: CAPTCHA - Web
Time of catch: 2024-09-30 xx:xx:xx
Incident content:
Url: bi###er.se/wp-login.php
Remote connection: xxx.xxx.xxx.xxx:41808
Headers: {
"Host": "bi###er.se",
"User-Agent": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0",
"Content-Length": "103",
"Content-Type": "application/x-www-form-urlencoded",
"Accept-Encoding": "gzip",
"Connection": "close",
"BN-Frontend": "captcha-https",
"X-Forwarded-Port": "443",
"X-Forwarded-Proto": "https",
"BN-Client-Port": "40074",
"X-Forwarded-For": "xxx.xxx.xxx.xxx"
}
Post data: {
"log": "wwwadmin",
"pwd": "[hidden]",
"wp-submit": "Log In",
"redirect_to": "https://bi###er.se/wp-admin/",
"testcookie": "1"
}
Example 2:
Stopped by: CAPTCHA - Web
Time of catch: 2024-09-30 01:53:39
Incident content:
Url: on###en.se/xmlrpc.php
Remote connection: XXX.XXX.XXX.XXX:39598
Headers: {
"Host": "on###en.se",
"User-Agent": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0",
"Content-Length": "480",
"Content-Type": "application/x-www-form-urlencoded",
"Accept-Encoding": "gzip",
"Connection": "close",
"BN-Frontend": "captcha-https",
"X-Forwarded-Port": "443",
"X-Forwarded-Proto": "https",
"BN-Client-Port": "41228",
"X-Forwarded-For": "XXX.XXX.XXX.XXX"
}
Post data: {
"<?xml_version": ""1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data><value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>admin</string></value><value><string>blogger</string></value></data></array></value></data></array></value></member></struct></value></data></array></value></param></params></methodCall>"
}
The question is, how do we identify which application does this log correspond to?
Also, if there is a security / monitoring tool you would recommend for cloudron to prevent or detect such activities.Thank you !
-
J joseph marked this topic as a question on
-
All my searches lead to dead ends. Like https://serverfault.com/questions/643616/best-way-to-trace-outgoing-requests-from-a-server and https://www.reddit.com/r/sysadmin/comments/384q3b/my_server_was_just_suspended_because_of_a/ .
@sp121 do you have a cloud firewall ? One recommendation is to stop all outbound traffic altogether. Most apps don't need to make outbound requests anyway. Slowly start whitelisting outbound traffic. Is this an option?
-
J james has marked this topic as solved