Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Spamhaus detects contact to malware C&C server - Can´t find anything in the logs -

Scheduled Pinned Locked Moved Solved Support
15 Posts 5 Posters 197 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • W Offline
    W Offline
    whitespace
    wrote on last edited by whitespace
    #1

    Today trying to write mails Spamhaus responds with:

    Diagnostic-Code: smtp;550 IP 128.0.XX.XX (my server´s IP) is blacklisted (xbl.spamhaus.org). Help at/Hilfe unter www.mfaq.info

    More Details from Spamhaus say this:

    A machine using 128.0.xx.xx is infected with malware associated with the avalanche/andromeda family.

    128.0.xx.xx initiated contact with a nymaim command and control server, using contents unique to nymaim C&C command protocols.

    Technical details of the nymaim detection
    128.0.XX.XX initiated a tcp connection from 128.0.XX.XX using source port 35658, to the sinkhole IP address 216.218.185.162 on destination port 80.

    The most recent detection was on: July 18 2023, 16:37:35 UTC.


    What I have done already?

    1. Updated all applications
    2. double-checked two WP-instances and temporarily turned them off.
    3. Checked box logs and all app logs for connections to said 216.218.185.162 IP address. Nothing.
    4. Used net-tools to check for active connections to 216.218.185.162. Still nothing.

    Do you recommend to scan with something like ClamAV?

    1 Reply Last reply
    0
  • W Offline
    W Offline
    whitespace
    wrote on last edited by
    #2

    In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can´t rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?

    girishG 1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to whitespace on last edited by
    #3

    @whitespace you can try running a clamav scan. So far, it has never detected anything for me, so I have no idea how effective it is. Basically, apt-get install clamav and then later clamscan --infected --detect-pua=yes --recursive <somepath> . It takes forever but let's see if it detects something in yours.

    You will see summary like so:

    ----------- SCAN SUMMARY -----------
    Known viruses: 8686492
    Engine version: 0.103.8
    Scanned directories: 161
    Scanned files: 91
    Infected files: 0
    Data scanned: 9.51 MB
    Data read: 3.70 MB (ratio 2.57:1)
    Time: 28.475 sec (0 m 28 s)
    Start Date: 2023:07:20 07:01:11
    End Date:   2023:07:20 07:01:40
    
    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #4

    Do you run any other software other than Cloudron on the server btw?

    W 1 Reply Last reply
    0
  • W Offline
    W Offline
    whitespace
    replied to girish on last edited by
    #5

    @girish Nope. Just a clean Ubuntu and a cloudron install on top. Nothing else. The only installations are cloudron applications. Nextcloud, Uptime Kuma, a few LAMP stacks, three WP instances, a FreshRSS instance, an unused Mastodon instance, Joplin. No custom docker repo or anything alike.

    1 Reply Last reply
    0
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    wrote on last edited by
    #6

    What software is running in the LAMP stacks?

    W 1 Reply Last reply
    0
  • W Offline
    W Offline
    whitespace
    replied to necrevistonnezr on last edited by
    #7

    @necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.

    1 Reply Last reply
    0
  • W Offline
    W Offline
    whitespace
    wrote on last edited by whitespace
    #8

    News.

    My server provider got an email from Bitninja Security. They have more than hundred logs.

    Here some examples:

    Deleted code for privacy reasons and since issue is solved. 
    

    Is there any concrete indication of anything?

    1 Reply Last reply
    0
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    wrote on last edited by
    #9

    At least

    <string>wp.getUsersBlogs</string>
    

    in both logs points to Wordpress, I think.

    1 Reply Last reply
    0
  • KubernetesK Offline
    KubernetesK Offline
    Kubernetes App Dev
    wrote on last edited by
    #10

    I have the impression that 99% of all suspicious activity are because of wordpress... just wondering

    1 Reply Last reply
    0
  • imc67I Offline
    imc67I Offline
    imc67 translator
    wrote on last edited by
    #11

    Did you changed the default admin/changeme after install?
    Advise: always install Wordfence (the free version had enough)

    W 1 Reply Last reply
    0
  • W Offline
    W Offline
    whitespace
    replied to imc67 on last edited by whitespace
    #12

    I understand the log entry as what the infected server does to other servers as part of a bot net. In this case it looks for Wordpress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.

    value><string>lotadmin</string></value><value><string>12345</string>
    
    1 Reply Last reply
    0
  • W Offline
    W Offline
    whitespace
    wrote on last edited by whitespace
    #13

    I found it. The log entries listed by Bitninja Security are found on the log of a WordPress instance that has been left with default values. Wasn´t me.

    I am ditching the WP instance.

    Jesus Christ.

    1 Reply Last reply
    0
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    wrote on last edited by necrevistonnezr
    #14

    General Rule in Life: it‘s always efffin‘ Wordpress 😉
    Not because it’s a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world.

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by girish
    #15

    I think we have to 100% move to auto-generated passwords for the initial user in apps from the next release. We will make this a priority.

    1 Reply Last reply
    4
  • girishG girish marked this topic as a question on
  • girishG girish has marked this topic as solved on

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.