AWS Abuse Report
-
Hi,
I received Abuse Report from AWS. They demand an answer from me. Is there cause for concern? Could the system have been compromised? I am running Cloudron instance from AWS market. Thank you.* Log Extract: <<< Incident time (GMT +0000): 2023-08-15 19:34:26 Url: [hf###ry.org/xmlrpc.php] Remote connection: [xxx.xxx.xxx.xxx:42668] Headers: [array ( 'Host' => 'hf###ry.org', 'User-Agent' => 'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0', 'Content-Length' => '479', 'Content-Type' => 'application/x-www-form-urlencoded', 'Accept-Encoding' => 'gzip', 'Connection' => 'close', )] Post data: [Array ( [<?xml_version] => "1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data><value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>admin</string></value><value><string>google</string></value></data></array></value></data></array></value></member></struct></value></data></array></value></param></params></methodCall> ) ] >>> * Comments: <<< BitNinja presents a CAPTCHA to the visitor, if it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist, if ignored, it will generate a security incident, and the connection will be terminated. >>> -
@macone I can't quite make out frm the report what is going on. Is it saying that Cloudron made an outbound request to some location ? If so , what is the app at
hf###ry.org? Is that a WordPress developer edition ? Can you check if that app has been compromised? Usually there are suspicious things in wp-config.php or wp-include.php -
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
