Abuse report received
-
I have received an abuse report from Hetzner where my Cloudron instance is hosted, and I'm totally lost.
I have nothing running on this server other than Cloudron apps.
I don't recognise any activity reported.
I have only installed Audiobookshelf, IT-Tools, StirlingPDF and Ctfreak in recent days.
All of these have logins, so I don't think it's an open site which someone is using maliciously.Can anyone suggest how to diagnose where this activity might be coming from ?
The abuse report suggests email, but it seems like web attack / port scan.
My email accounts on Cloudron are lightly used (primary email is Protonmail).> > * 88.99.xxx.xxx tpc-027.mach3builders.nl 2023-07-04T17:28:33+02:00 88.99.xxx.xxx - - [04/Jul/2023:17:28:22 +0200] "GET /wp-login.php HTTP/1.1" 301 509 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0" [VirtualHost: www.aquapick.nl] > > * 88.99.xxx.xxx tpc-014.mach3builders.nl 2023-05-06T10:32:10+02:00 88.99.xxx.xxx - - [06/May/2023:10:32:00 +0200] "GET /en/wp-login.php HTTP/1.1" 404 5840 "http://omegamechanix.co.uk/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96" [VirtualHost: www.omegamechanix.nl] > > * 88.99.xxx.xxx tpc-032.mach3builders.nl 2023-05-05T22:38:33+02:00 88.99.xxx.xxx - - [05/May/2023:22:38:26 +0200] "GET /wp-login.php HTTP/1.1" 404 405 [VirtualHost: default] > > * 88.99.xxx.xxx tpc-015.mach3builders.nl 2023-05-05T22:09:41+02:00 88.99.xxx.xxx - - [05/May/2023:22:09:30 +0200] "GET /wp-login.php HTTP/1.1" 404 331 [VirtualHost: default] > > * 88.99.xxx.xxx tpc-023.mach3builders.nl 2023-05-05T21:34:31+02:00 88.99.xxx.xxx - - [05/May/2023:21:34:18 +0200] "GET /wp-login.php HTTP/1.1" 404 331 [VirtualHost: default] > > * 88.99.xxx.xxx tpc-015.mach3builders.nl 2023-05-04T17:10:47+02:00 88.99.xxx.xxx - - [04/May/2023:17:10:32 +0200] "GET /wp-login.php HTTP/1.1" 301 513 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96" [VirtualHost: www.glazenzaal.nl] -
Just noticed that the activity complained about is OLD
1 line for today
1 line for a month ago
4 lines for TWO months ago
Doesn't have have any credibility for a serious abuse report.
Not like heavy port scanning from something (I had problems with syncthing installation).
Any suggestions for a sarcastic vitriolic reply for excessively sensitive abuse reporter ?
Yeah, I know, may not be the best approach.But interested in suggestions for a suitable reply and for how to diagnose what it might have been.
-
I suppose another way to ask about diagnosis is : how do I perform a virus and malware scan on a Cloudron server ?
Any built-in utilities or apps ?
Given that we are not supposed to side-load software, I would imagine some built-in features should be available ? -
Just noticed that the activity complained about is OLD
1 line for today
1 line for a month ago
4 lines for TWO months ago
Doesn't have have any credibility for a serious abuse report.
Not like heavy port scanning from something (I had problems with syncthing installation).
Any suggestions for a sarcastic vitriolic reply for excessively sensitive abuse reporter ?
Yeah, I know, may not be the best approach.But interested in suggestions for a suitable reply and for how to diagnose what it might have been.
@timconsidine said in Abuse report received:
Any suggestions for a sarcastic vitriolic reply for excessively sensitive abuse reporter ?
Well, this can get you into serious trouble and that would be totally understandable: If your server did at least multiple scans to login pages of some other people this doesn't happen by chance. There must be a root cause you are not aware of and anything above 2 attempts is at least 1 case too much, especially if it's a server with no/low usage. So if I were the person who reports the abuse and get such a reply the next reply wouldn't be nice in a way like just letting you know.
No clue what could have caused it in your case as I have too less experience with Cloudron. What I noticed is that sometimes I find the standard settings not secure enough (standard hardcoded passwords, apps being public accessible after installation, no hardened configurations, etc.). For example maybe someone accessed one of the applications with a standard password that Cloudron provides and it was forgotten to change it after installation.
-
So now Hetzner are saying there is evidence of a netscan :
Netscan detected from host 88.99.xxx.xxx
Tue Jul 4 15:44:19 2023 TCP 88.99.xxx.xxx 54602 => 1.2.3.4 80
Tue Jul 4 15:44:32 2023 TCP 88.99.xxx.xxx 54602 => 1.2.3.4 80
Tue Jul 4 15:43:30 2023 TCP 88.99.xxx.xxx 58742 => 6.6.6.6 80
Tue Jul 4 15:45:04 2023 TCP 88.99.xxx.xxx 60244 => 10.0.0.10 80
Tue Jul 4 15:43:29 2023 TCP 88.99.xxx.xxx 56196 => 10.0.0.23 80
Tue Jul 4 15:43:33 2023 TCP 88.99.xxx.xxx 56196 => 10.0.0.23 80
etc.I have no knowledge of what this might be.
Other than installing a couple of apps this morning from the app store, I cannot think of any change on the server.Confused.
-
I received a physical letter last week from my ISP that I might have a botnet malware running on my network. I’ve scanned my devices but didn’t find anything. I’m in the same boat and unsure how to check my home server. Honestly, I think it’s just a scammy way my ISP is pushing folks to install their security software. The best solution I can think of is to check traffic via a dedicated hardware firewall/router. I failed on my first attempt to get opnsense running but maybe looking into the firewall traffic/logs might help you with your VPS issue.
-
But the VPS is at Hetzner, not on my home network
So I can't check traffic without installing something on the Cloudron server -
T timconsidine marked this topic as a question on
-
I received a physical letter last week from my ISP that I might have a botnet malware running on my network. I’ve scanned my devices but didn’t find anything. I’m in the same boat and unsure how to check my home server. Honestly, I think it’s just a scammy way my ISP is pushing folks to install their security software. The best solution I can think of is to check traffic via a dedicated hardware firewall/router. I failed on my first attempt to get opnsense running but maybe looking into the firewall traffic/logs might help you with your VPS issue.
@humptydumpty said in Abuse report received:
Honestly, I think it’s just a scammy way my ISP is pushing folks to install their security software.
Did that ever happen somewhere? In most countries this would be a criminal offense thus very unlikely that a ISP is that stupid to do that especially if the profit is quite low compared to the risks.
-
What if you created a snapshot in your vps dashboard and created a new vps from it for diagnostics. You could then install whatever you want to run some tests without affecting your live server.
I don’t recall reading anything on this forum that would help us run a scan on a Cloudron server.
-
But the VPS is at Hetzner, not on my home network
So I can't check traffic without installing something on the Cloudron server@timconsidine said in Abuse report received:
So I can't check traffic without installing something on the Cloudron server
This is indeed pitty. I have the same issue for monitoring and security purposes. Officially it's not supported but Cloudron doesn't provide tools/apps for it either so that's pitty for the admin.
I would do the same as @humptydumpty suggested: Make a copy and host it locally as a VM. Then just do whatever you need to investigate it on the local VM.
-
@timconsidine said in Abuse report received:
Any suggestions for a sarcastic vitriolic reply for excessively sensitive abuse reporter ?
Well, this can get you into serious trouble and that would be totally understandable: If your server did at least multiple scans to login pages of some other people this doesn't happen by chance. There must be a root cause you are not aware of and anything above 2 attempts is at least 1 case too much, especially if it's a server with no/low usage. So if I were the person who reports the abuse and get such a reply the next reply wouldn't be nice in a way like just letting you know.
No clue what could have caused it in your case as I have too less experience with Cloudron. What I noticed is that sometimes I find the standard settings not secure enough (standard hardcoded passwords, apps being public accessible after installation, no hardened configurations, etc.). For example maybe someone accessed one of the applications with a standard password that Cloudron provides and it was forgotten to change it after installation.
@warg yes, I agree, I did acknowledge not the best approach.
My reaction was to 6 scans over 3 months.
Hardly an active malware instance.All recent software added have logins, some with 2FA.
Trying to check, but this could be needle-in-haystack territory without a Cloudron-installed utility : @staff ?
-
So now Hetzner are saying there is evidence of a netscan :
Netscan detected from host 88.99.xxx.xxx
Tue Jul 4 15:44:19 2023 TCP 88.99.xxx.xxx 54602 => 1.2.3.4 80
Tue Jul 4 15:44:32 2023 TCP 88.99.xxx.xxx 54602 => 1.2.3.4 80
Tue Jul 4 15:43:30 2023 TCP 88.99.xxx.xxx 58742 => 6.6.6.6 80
Tue Jul 4 15:45:04 2023 TCP 88.99.xxx.xxx 60244 => 10.0.0.10 80
Tue Jul 4 15:43:29 2023 TCP 88.99.xxx.xxx 56196 => 10.0.0.23 80
Tue Jul 4 15:43:33 2023 TCP 88.99.xxx.xxx 56196 => 10.0.0.23 80
etc.I have no knowledge of what this might be.
Other than installing a couple of apps this morning from the app store, I cannot think of any change on the server.Confused.
@timconsidine said in Abuse report received:
So now Hetzner are saying there is evidence of a netscan :
Netscan detected from host 88.99.xx.xx
Tue Jul 4 15:44:19 2023 TCP 88.99.xx.xx 54602 => 1.2.3.4 80
Tue Jul 4 15:44:32 2023 TCP 88.99.xx.xx 54602 => 1.2.3.4 80
Tue Jul 4 15:43:30 2023 TCP 88.99.xx.xx 58742 => 6.6.6.6 80
Tue Jul 4 15:45:04 2023 TCP 88.99.xx.xx 60244 => 10.0.0.10 80
Tue Jul 4 15:43:29 2023 TCP 88.99.xx.xx 56196 => 10.0.0.23 80
Tue Jul 4 15:43:33 2023 TCP 88.99.xx.xx 56196 => 10.0.0.23 80I have no knowledge of what this might be.
Other than installing a couple of apps this morning from the app store, I cannot think of any change on the server.Confused.
Just for clarification: Are the IP addresses after "=>" the ones that were the targets according to Hetzner? If so these IP addresses sound weird to me. Btw maybe you forgot to redact your IP on the left side if it's your server IP.
-
@timconsidine said in Abuse report received:
So now Hetzner are saying there is evidence of a netscan :
Netscan detected from host 88.99.xx.xx
Tue Jul 4 15:44:19 2023 TCP 88.99.xx.xx 54602 => 1.2.3.4 80
Tue Jul 4 15:44:32 2023 TCP 88.99.xx.xx 54602 => 1.2.3.4 80
Tue Jul 4 15:43:30 2023 TCP 88.99.xx.xx 58742 => 6.6.6.6 80
Tue Jul 4 15:45:04 2023 TCP 88.99.xx.xx 60244 => 10.0.0.10 80
Tue Jul 4 15:43:29 2023 TCP 88.99.xx.xx 56196 => 10.0.0.23 80
Tue Jul 4 15:43:33 2023 TCP 88.99.xx.xx 56196 => 10.0.0.23 80I have no knowledge of what this might be.
Other than installing a couple of apps this morning from the app store, I cannot think of any change on the server.Confused.
Just for clarification: Are the IP addresses after "=>" the ones that were the targets according to Hetzner? If so these IP addresses sound weird to me. Btw maybe you forgot to redact your IP on the left side if it's your server IP.
@warg yes it is the right hand ones after
=>which are the targets
and yes, I had problems copy/pasting log entries to be on separate lines, and forgot to redact my address.
Thanks for the alert.
And now done.There is one line (near beginning) in your quoted message where it is unredacted, but I can't edit your post. Can you do that? I'd be very grateful.
I think the weirdness of the target addresses is an aspect of whatever was doing a netscan. But I'm no expert on this.
-
@warg yes it is the right hand ones after
=>which are the targets
and yes, I had problems copy/pasting log entries to be on separate lines, and forgot to redact my address.
Thanks for the alert.
And now done.There is one line (near beginning) in your quoted message where it is unredacted, but I can't edit your post. Can you do that? I'd be very grateful.
I think the weirdness of the target addresses is an aspect of whatever was doing a netscan. But I'm no expert on this.
@timconsidine said in Abuse report received:
There is one line (near beginning) in your quoted message where it is unredacted, but I can't edit your post. Can you do that? I'd be very grateful.
Sorry, I didn't see that when I redacted them . . . fixed! (A bit pitty that you can see previous revisions of a post as a non-admin in this forum software, I think).
@timconsidine said in Abuse report received:
I think the weirdness of the target addresses is an aspect of whatever was doing a netscan. But I'm no expert on this.
I could imagine some docker or Cloudron voodoo does have some broken checks that check on local network IPs by accident and thus triggering it by accident? Not sure.
-
Update : Hetzner now say issue closed.
Thanks to responders for their advice and patience.
I did 2 things :
- uninstalled an instance of StirlingPDF (simply because it was the last installed)
- uninstalled an instance of Wordpress Developer which has been stopped for months, but was re-started today because a user wanted to update it to latest version before using it.
My suspicion :
- user installed something in Wordpress
- Wordpress is dodgy without tons of maintenance.
I know some people love it, but I hate Wordpress almost as much as I hate <insert favourite satan>.
Anyway, it's gone now.
Awaiting Hetzner confirmation that all cool.But @staff : should there not be something in Cloudron to be able to do effective server malware scanning ?
Or some kind of tripwire-type utility ? -
@timconsidine said in Abuse report received:
There is one line (near beginning) in your quoted message where it is unredacted, but I can't edit your post. Can you do that? I'd be very grateful.
Sorry, I didn't see that when I redacted them . . . fixed! (A bit pitty that you can see previous revisions of a post as a non-admin in this forum software, I think).
@timconsidine said in Abuse report received:
I think the weirdness of the target addresses is an aspect of whatever was doing a netscan. But I'm no expert on this.
I could imagine some docker or Cloudron voodoo does have some broken checks that check on local network IPs by accident and thus triggering it by accident? Not sure.
@warg said in Abuse report received:
(A bit pitty that you can see previous revisions of a post as a non-admin in this forum software, I think).
Yep !
@warg said in Abuse report received:
I could imagine some docker or Cloudron voodoo does have some broken checks that check on local network IPs by accident and thus triggering it by accident? Not sure.
Maybe.
Certainly interested in what platform (server) checks can be implemented to prevent this, or detect it. -
Update : Hetzner now say issue closed.
Thanks to responders for their advice and patience.
I did 2 things :
- uninstalled an instance of StirlingPDF (simply because it was the last installed)
- uninstalled an instance of Wordpress Developer which has been stopped for months, but was re-started today because a user wanted to update it to latest version before using it.
My suspicion :
- user installed something in Wordpress
- Wordpress is dodgy without tons of maintenance.
I know some people love it, but I hate Wordpress almost as much as I hate <insert favourite satan>.
Anyway, it's gone now.
Awaiting Hetzner confirmation that all cool.But @staff : should there not be something in Cloudron to be able to do effective server malware scanning ?
Or some kind of tripwire-type utility ?@timconsidine said in Abuse report received:
I know some people love it, but I hate Wordpress almost as much as I hate <insert favourite satan>.
I wouldn't be surprised if a WordPress instance caused it. WordPress is a security nightmare and if it's unmaintained, it's even more. Sadly popularity of a software doesn't requires a proper software quality . . .
I'm curious as well. If Cloudron is deciding about the whole environment it runs on, it must provide proper tools. Furthermore it also needs ways to include security or monitoring tools that are common but not supported officially. Otherwise we have in general some kind of compliance or security issue in general someday.
-
@timconsidine I'm glad the issue is resolved, or should I say, isn't a threat to the continuity of your VPS. Time for diagnosis!
@warg You're right, we do need some tools to help with situations like these. BTW, here's a copy of the letter that I received, I excluded the top portion for privacy reasons (name, address, account number, etc.). Spectrum (formerly known as Time Warner) is a huge ISP here in the US.
There are multiple posts about receiving this letter and according to the web pages I did read, none were able to find any actual proof that their devices were infected with malware.
https://duckduckgo.com/?q=reddit+spectrum+botnet+infection+letter&t=ffab&ia=web
-
@timconsidine I'm glad the issue is resolved, or should I say, isn't a threat to the continuity of your VPS. Time for diagnosis!
@warg You're right, we do need some tools to help with situations like these. BTW, here's a copy of the letter that I received, I excluded the top portion for privacy reasons (name, address, account number, etc.). Spectrum (formerly known as Time Warner) is a huge ISP here in the US.
There are multiple posts about receiving this letter and according to the web pages I did read, none were able to find any actual proof that their devices were infected with malware.
https://duckduckgo.com/?q=reddit+spectrum+botnet+infection+letter&t=ffab&ia=web
@humptydumpty sure looks like a "sales letter" for their services rather than a technical letter.
-
G girish has marked this topic as solved on
