Spamhaus detects contact to malware C&C server - Can´t find anything in the logs -

necrevistonnezr

What software is running in the LAMP stacks?

whitespace

@necrevistonnezr None other than what the stack comes with. I use the LAMP stacks solely for static site delivery by populating the public directory.

whitespace

News.

My server provider got an email from Bitninja Security. They have more than hundred logs.

Here some examples:

Deleted code for privacy reasons and since issue is solved. 

Is there any concrete indication of anything?

necrevistonnezr

At least

<string>wp.getUsersBlogs</string>

in both logs points to Wordpress, I think.

Kubernetes

I have the impression that 99% of all suspicious activity are because of wordpress... just wondering

imc67

Did you changed the default admin/changeme after install?
Advise: always install Wordfence (the free version had enough)

whitespace

I understand the log entry as what the infected server does to other servers as part of a bot net. In this case it looks for Wordpress instances? In fact it seems to try and populate the sites with what seems to be pretty generic login data. I am not sure this is an indication that it has to do with WP. Right now all WP instances are turned off.

value><string>lotadmin</string></value><value><string>12345</string>

whitespace

I found it. The log entries listed by Bitninja Security are found on the log of a WordPress instance that has been left with default values. Wasn´t me.

I am ditching the WP instance.

Jesus Christ.

necrevistonnezr

General Rule in Life: it‘s always efffin‘ Wordpress
Not because it’s a bad product per se, but one of the most used on the web. Attracts all the assh*les in the world.

girish

I think we have to 100% move to auto-generated passwords for the initial user in apps from the next release. We will make this a priority.