Spamhaus detects contact to malware C&C server - Can't find anything in the logs
-
Today, trying to write mails, Spamhaus responds with:
Diagnostic-Code: smtp;550 IP 128.0.XX.XX (my server's IP) is blacklisted (xbl.spamhaus.org). Help at/Hilfe unter www.mfaq.info
More details from Spamhaus say this:
A machine using 128.0.xx.xx is infected with malware associated with the avalanche/andromeda family.
128.0.xx.xx initiated contact with a nymaim command and control server, using contents unique to nymaim C&C command protocols.
Technical details of the nymaim detection
128.0.XX.XX initiated a tcp connection from 128.0.XX.XX using source port 35658, to the sinkhole IP address 216.218.185.162 on destination port 80. The most recent detection was on: July 18 2023, 16:37:35 UTC.
What have I done already?
- Updated all applications
- Double-checked two WP instances and temporarily turned them off.
- Checked box logs and all app logs for connections to said 216.218.185.162 IP address. Nothing.
- Used net-tools to check for active connections to 216.218.185.162. Still nothing.
Do you recommend scanning with something like ClamAV?
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can't rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can't rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
@whitespace you can try running a clamav scan. So far, it has never detected anything for me, so I have no idea how effective it is. Basically,
apt-get install clamav
and then later
clamscan --infected --detect-pua=yes --recursive <somepath>
It takes forever but let's see if it detects something in yours. You will see a summary like so:
----------- SCAN SUMMARY -----------
Known viruses: 8686492
Engine version: 0.103.8
Scanned directories: 161
Scanned files: 91
Infected files: 0
Data scanned: 9.51 MB
Data read: 3.70 MB (ratio 2.57:1)
Time: 28.475 sec (0 m 28 s)
Start Date: 2023:07:20 07:01:11
End Date: 2023:07:20 07:01:40
-
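A file scan looks for a known malicious payload on disk; the Spamhaus report, however, describes a network event, and the host-side check that "found nothing" has a structural blind spot worth knowing. On a Docker host such as Cloudron, every app's sockets live in that container's own network namespace, so ss or netstat run on the host does not list them. What the host does see is its connection-tracking table, where each flow appears twice: the original direction with the container's bridge address as source, and the reply direction rewritten by SNAT to the public address. The script below, an added example that is not from this thread or from Cloudron, parses constructed `conntrack -L` and `docker inspect` output (assumed container names and 172.18.0.0/16 addresses) and attributes any flow to the sinkhole address quoted in the report to a container.

```python
import json
import re

SINKHOLE = "216.218.185.162"  # sinkhole address quoted in the Spamhaus report above

# Constructed sample of `conntrack -L` output on a Docker host (not a real capture).
# On each line the first src/dst/sport/dport tuple is the original direction, with the
# container's bridge address; the second tuple is the reply direction after SNAT.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=172.18.0.5 dst=216.218.185.162 sport=35658 dport=80 src=216.218.185.162 dst=128.0.1.2 sport=80 dport=35658 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=172.18.0.7 dst=93.184.216.34 sport=51120 dport=443 src=93.184.216.34 dst=128.0.1.2 sport=443 dport=51120 [ASSURED] mark=0 use=1
udp      17 29 src=172.18.0.5 dst=10.0.0.53 sport=40001 dport=53 src=10.0.0.53 dst=172.18.0.5 sport=53 dport=40001 mark=0 use=1
"""

# Constructed excerpt of `docker inspect` output; container names and addresses are assumed.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/wordpress-1",
     "NetworkSettings": {"Networks": {"cloudron": {"IPAddress": "172.18.0.5"}}}},
    {"Name": "/nextcloud",
     "NetworkSettings": {"Networks": {"cloudron": {"IPAddress": "172.18.0.7"}}}},
])

# Matches the first (original-direction) tuple only; the reply tuple carries the NATed address.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def flows_to(conntrack_text, peer_ip):
    """Return (proto, src_ip, sport, dport) for each tracked flow whose original
    destination is peer_ip."""
    hits = []
    for line in conntrack_text.splitlines():
        m = FLOW_RE.search(line)
        if m and m.group(2) == peer_ip:
            proto = line.split()[0]
            hits.append((proto, m.group(1), int(m.group(3)), int(m.group(4))))
    return hits


def container_for_ip(inspect_json, ip):
    """Map a container network address to the container name, or None if unknown."""
    for c in json.loads(inspect_json):
        for net in c["NetworkSettings"]["Networks"].values():
            if net.get("IPAddress") == ip:
                return c["Name"].lstrip("/")
    return None


def attribute(conntrack_text, inspect_json, peer_ip):
    """Join the two views: which container (or raw address) talked to peer_ip."""
    return [(container_for_ip(inspect_json, src) or src, proto, sport, dport)
            for proto, src, sport, dport in flows_to(conntrack_text, peer_ip)]


if __name__ == "__main__":
    for name, proto, sport, dport in attribute(SAMPLE_CONNTRACK, SAMPLE_INSPECT, SINKHOLE):
        print(f"{name}: {proto} source port {sport} -> {SINKHOLE}:{dport}")
```

On a live host the two inputs come from `sudo conntrack -L` (conntrack package) and `docker inspect $(docker ps -q)`. Conntrack entries expire, and the report describes a single short TCP connection, so for an intermittent beacon a logging rule for that destination in Docker's DOCKER-USER chain (for example `iptables -I DOCKER-USER -d 216.218.185.162 -j LOG --log-prefix 'sinkhole: '`) records the container source address in the kernel log even when nobody is watching.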
@girish Nope. Just a clean Ubuntu and a Cloudron install on top. Nothing else. The only installations are Cloudron applications. Nextcloud, Uptime Kuma, a few LAMP stacks, three WP instances, a FreshRSS instance, an unused Mastodon instance, Joplin. No custom docker repo or anything like that.
-
What software is running in the LAMP stacks?
-
What software is running in the LAMP stacks?
@necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.
-
News.
My server provider got an email from Bitninja Security. They have more than a hundred logs.
Here some examples:
Deleted code for privacy reasons and since the issue is solved. Is there any concrete indication of anything?
-
At least
<string>wp.getUsersBlogs</string> in both logs points to WordPress, I think.
-
I have the impression that 99% of all suspicious activity is because of WordPress... just wondering
-
Did you change the default admin/changeme after install?
Advice: always install Wordfence (the free version is enough)
-
Did you change the default admin/changeme after install?
Advice: always install Wordfence (the free version is enough)
I understand the log entry as what the infected server does to other servers as part of a botnet. In this case it looks for WordPress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.
value><string>lotadmin</string></value><value><string>12345</string>
-
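The fragment quoted above (wp.getUsersBlogs followed by a username and a password as the two string parameters) is what XML-RPC credential stuffing against WordPress looks like on the wire: wp.getUsersBlogs takes exactly (username, password), and a single POST to xmlrpc.php can wrap many such calls in one system.multicall, so one request in the log is often dozens of login attempts. As an added example that is not part of this thread, the script below parses such a request body with Python's standard xmlrpc.client and pulls out every attempted credential pair; the body is constructed, with the lotadmin/12345 pair from the quoted log and the admin/changeme default mentioned earlier in the thread.

```python
import xmlrpc.client

# Only wp.getUsersBlogs is treated as a login attempt here: it is the method seen in the
# quoted logs and its parameters are exactly (username, password), so no guessing is needed.
LOGIN_METHODS = {"wp.getUsersBlogs"}

# Constructed request body (not a real capture) of the multicall form brute-force tools use.
SAMPLE_MULTICALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>lotadmin</string></value><value><string>12345</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>changeme</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>
"""

# A single, non-multicall login call and an unrelated call, built with the same library.
SAMPLE_SINGLE = xmlrpc.client.dumps(("bob", "hunter2"), methodname="wp.getUsersBlogs")
SAMPLE_OTHER = xmlrpc.client.dumps((1, "bob", "hunter2"), methodname="wp.getPosts")


def xmlrpc_calls(body):
    """Flatten a methodCall body into (methodName, params) pairs, unpacking
    system.multicall so every inner call is visible."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        return [(c.get("methodName"), list(c.get("params", []))) for c in params[0]]
    return [(method, list(params))]


def login_attempts(body):
    """Return (username, password) for every wp.getUsersBlogs call in the body."""
    return [(p[0], p[1]) for m, p in xmlrpc_calls(body)
            if m in LOGIN_METHODS and len(p) >= 2]


def assess(body, threshold=3):
    """Classify one request. Logins bundled in a multicall, or at least `threshold`
    attempts in one request, are treated as brute force; a lone call is not."""
    _, method = xmlrpc.client.loads(body)
    attempts = login_attempts(body)
    multicall = method == "system.multicall"
    return {
        "method": method,
        "multicall": multicall,
        "attempts": len(attempts),
        "brute_force": (multicall and len(attempts) > 0) or len(attempts) >= threshold,
    }


if __name__ == "__main__":
    for label, body in (("multicall", SAMPLE_MULTICALL), ("single", SAMPLE_SINGLE)):
        verdict = assess(body)
        print(label, verdict, login_attempts(body))
```

Fed with the bodies of POST requests to /xmlrpc.php (from a WAF, mod_security audit log or a packet capture), this gives the per-request attempt count that a plain access log hides. On the receiving side, refusing system.multicall or disabling xmlrpc.php removes the amplification; on the sending side, this is exactly what a compromised WordPress looks like in somebody else's logs, which matches how the Bitninja entries were read above.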
I found it. The log entries listed by Bitninja Security are found in the log of a WordPress instance that has been left with default values. Wasn't me.
I am ditching the WP instance.
Jesus Christ.
-
General Rule in Life: it's always effin' WordPress

Not because it's a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world.
-
girish marked this topic as a question on
-
girish has marked this topic as solved on