Spamhaus detects contact to malware C&C server - Can´t find anything in the logs -
-
Today trying to write mails Spamhaus responds with:
Diagnostic-Code: smtp;550 IP 128.0.XX.XX (my server´s IP) is blacklisted (xbl.spamhaus.org). Help at/Hilfe unter www.mfaq.info
More Details from Spamhaus say this:
A machine using 128.0.xx.xx is infected with malware associated with the avalanche/andromeda family.
128.0.xx.xx initiated contact with a nymaim command and control server, using contents unique to nymaim C&C command protocols.
Technical details of the nymaim detection
128.0.XX.XX initiated a tcp connection from 128.0.XX.XX using source port 35658, to the sinkhole IP address 216.218.185.162 on destination port 80.The most recent detection was on: July 18 2023, 16:37:35 UTC.
What I have done already?
- Updated all applications
- double-checked two WP-instances and temporarily turned them off.
- Checked box logs and all app logs for connections to said 216.218.185.162 IP address. Nothing.
- Used net-tools to check for active connections to 216.218.185.162. Still nothing.
Do you recommend to scan with something like ClamAV?
-
In the meantime I was able to delist from Spamhaus. I generally hope for a false negative but can´t rely solely on hope. So the question still holds up. How to detect potential bot-contacting malware on a Cloudron server?
-
@whitespace you can try running a clamav scan. So far, it has never detected anything for me, so I have no idea how effective it is. Basically,
apt-get install clamav
and then laterclamscan --infected --detect-pua=yes --recursive <somepath>
. It takes forever but let's see if it detects something in yours.You will see summary like so:
----------- SCAN SUMMARY ----------- Known viruses: 8686492 Engine version: 0.103.8 Scanned directories: 161 Scanned files: 91 Infected files: 0 Data scanned: 9.51 MB Data read: 3.70 MB (ratio 2.57:1) Time: 28.475 sec (0 m 28 s) Start Date: 2023:07:20 07:01:11 End Date: 2023:07:20 07:01:40
-
@girish Nope. Just a clean Ubuntu and a cloudron install on top. Nothing else. The only installations are cloudron applications. Nextcloud, Uptime Kuma, a few LAMP stacks, three WP instances, a FreshRSS instance, an unused Mastodon instance, Joplin. No custom docker repo or anything alike.
-
What software is running in the LAMP stacks?
-
@necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.
-
News.
My server provider got an email from Bitninja Security. They have more than hundred logs.
Here some examples:
Deleted code for privacy reasons and since issue is solved.
Is there any concrete indication of anything?
-
At least
<string>wp.getUsersBlogs</string>
in both logs points to Wordpress, I think.
-
I have the impression that 99% of all suspicious activity are because of wordpress... just wondering
-
Did you changed the default admin/changeme after install?
Advise: always install Wordfence (the free version had enough) -
I understand the log entry as what the infected server does to other servers as part of a bot net. In this case it looks for Wordpress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.
value><string>lotadmin</string></value><value><string>12345</string>
-
I found it. The log entries listed by Bitninja Security are found on the log of a WordPress instance that has been left with default values. Wasn´t me.
I am ditching the WP instance.
Jesus Christ.
-
General Rule in Life: it‘s always efffin‘ Wordpress
Not because it’s a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world. -
-