AWS Abuse Report

      macone
      wrote on last edited by girish
      #1

      Hi,
      I received an Abuse Report from AWS. They demand an answer from me. Is there cause for concern? Could the system have been compromised? I am running a Cloudron instance from the AWS market. Thank you.

      * Log Extract:
      <<<
      Incident time (GMT +0000): 2023-08-15 19:34:26
      
      Url: [hf###ry.org/xmlrpc.php]
      Remote connection: [xxx.xxx.xxx.xxx:42668]
      Headers: [array (
      'Host' => 'hf###ry.org',
      'User-Agent' => 'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0',
      'Content-Length' => '479',
      'Content-Type' => 'application/x-www-form-urlencoded',
      'Accept-Encoding' => 'gzip',
      'Connection' => 'close',
      )]
      Post data: [Array
      (
      [<?xml_version] => "1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data><value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>admin</string></value><value><string>google</string></value></data></array></value></data></array></value></member></struct></value></data></array></value></param></params></methodCall>
      )
      ]
      >>>
      
      * Comments:
      <<<
      BitNinja presents a CAPTCHA to the visitor, if it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist, if ignored, it will generate a security incident, and the connection will be terminated.
      >>>
      
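Added example (not part of any post in this thread): a Python check that rebuilds the XML-RPC body from the PHP-style dump in the log extract above and lists the usernames tried inside a `system.multicall` batch. It assumes the dump is PHP's form parsing of a raw XML body; the watch list, the function names and the two-entry sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: a one-entry watch list of methods whose first two arguments are
# a username and a password; extend it for your own site.
AUTH_METHODS = {"wp.getUsersBlogs"}

def rebuild_body(key, value):
    """Undo PHP's form parsing of a raw XML body, as dumped in the report:
    the XML was split at its first '=' and the space in the key became '_'."""
    return key.replace("_", " ", 1) + "=" + value

def multicall_auth_attempts(body):
    """Return [(method, username)] for auth calls batched in system.multicall."""
    # The stdlib parser expands internal entities, so refuse DTDs up front.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD or entity declaration in XML-RPC body")
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return []
    attempts = []
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        members = {m.findtext("name"): m.find("value") for m in struct.findall("member")}
        method, params = members.get("methodName"), members.get("params")
        if method is None or params is None:
            continue
        name = method.findtext("string") or (method.text or "").strip()
        # Take string leaves at any depth: the reported payload nests the
        # arguments one array deeper than a plain [user, password] list.
        strings = [s.text or "" for s in params.iter("string")]
        if name in AUTH_METHODS and strings:
            attempts.append((name, strings[0]))  # username only, never the password
    return attempts

def _call(user):  # constructed sample entry, shaped like the one in the report
    return ("<value><struct><member><name>methodName</name><value><string>"
            "wp.getUsersBlogs</string></value></member><member><name>params</name>"
            "<value><array><data><value><array><data><value><string>" + user +
            "</string></value><value><string>x</string></value></data></array>"
            "</value></data></array></value></member></struct></value>")

SAMPLE_KEY = "<?xml_version"
SAMPLE_VALUE = ('"1.0"?><methodCall><methodName>system.multicall</methodName>'
                "<params><param><value><array><data>" + _call("admin") + _call("editor")
                + "</data></array></value></param></params></methodCall>")

if __name__ == "__main__":
    for method, user in multicall_auth_attempts(rebuild_body(SAMPLE_KEY, SAMPLE_VALUE)):
        print(f"credential attempt via {method}: user={user}")
```

Run against the request bodies your own web server logs for `xmlrpc.php`, more than one attempt per request is the sign that a single POST is batching login guesses.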
        girish
        Staff
        wrote on last edited by
        #2

        @macone I can't quite make out from the report what is going on. Is it saying that Cloudron made an outbound request to some location? If so, what is the app at hf###ry.org? Is that a WordPress developer edition? Can you check if that app has been compromised? Usually there are suspicious things in wp-config.php or wp-include.php.

          macone
          wrote on last edited by
          #3

          hf###ry.org is not our app and is not hosted in our network.

            nebulon
            Staff
            wrote on last edited by
            #4

            The report mentions some BitNinja, could this be generated from that if you have BitNinja installed in your WordPress instance?

              macone
              wrote on last edited by
              #5

              No, we don't use BitNinja; the report was generated and sent by AWS.

                nebulon
                Staff
                wrote on last edited by
                #6

                Then I guess you have to consult them for more explanation.

                  macone
                  wrote on last edited by
                  #7

                  My opinion is that this is an XML-RPC attack on our WordPress site from hf###ry.org. Does it make sense?

                    nebulon
                    Staff
                    wrote on last edited by
                    #8

                    Yes, that is also how I would have read it.

                      girish
                      Staff
                      wrote on last edited by
                      #9

                      I am still confused why they demand an answer from you, if your website is getting abused...

                      • girishG girish marked this topic as a question on
                      • girishG girish has marked this topic as solved on