My Server Seems To Be Compromised

wenani

Greetings,

My server IP is being reported on abuseipdb.com for Brute-Force, Hacking and Web App Attack. Some point xmlrpc.php hacking attempts, others brute-force on WordPress logins, others mod_security triggered.

I am not sure if whoever is doing this is one of the websites I have hosted or is initiating this directly from the server in a way. I have a good number of sites and I am going through one by one to see if I will find any abnormally on any site, but still I even don't know what kind of abnormally I am looking for, and it will take me long to finish all the sites.

Any ideas how I can mitigate this?

cPFence

wenani

Hello,

To assist you in investigating this issue thoroughly, please add the cPFence support key to your server. Once it’s in place, let me know, and we’ll proceed with a detailed review.

superhostingvip

Hey, i am using cpguard and crowdsec on my server. From that moment i got no issue being hacked. Attempts are alot, but none with success. And another advice, try to use hard guessing passwords,and if you have clients using your hosting solution advise them the same thing. In ordrer to be abe to remove your server from the blacklist you need to fix the problems caused by hackers, and submit a proof to abuseip . Good luck.

iotivedo

My first idea is "Wordpress".

Jokes aside, in my experience, 99% of the time it’s compromised WordPress installations rather than the server itself. What I would do is check for any “unexpected” files or plugins that shouldn’t be there, such as:

WordPresscore
Filemanager

Additionally, make sure to check for any new users with administrator permissions.
If you’re using Cloudflare, you could enable selective geographic blocking with managed verification to add an extra layer of protection.

Unfortunately, there’s no definitive guide for these situations, as each case is unique.

Do you have any security software installed, such as CPFence?
Having it in place could make things significantly easier for you.

wenani

iotivedo I have cPFence running. I have very many sites on the server as I am using it for shared hosting. Majority of them being WordPress. What I am currently doing is just update themes and plugins randomly, and also check if I can spot any suspicious files, but it is hard to tell as some clients have their own files with different data on filemanager.

My big issue is how I will be able to figure out the originator of this attacks since it is ongoing.

Rich

Enhance Guide on Malware

I personally install Wordfense on all my client sites, it's both a WAF and Anti-virus scanner. Since you're worried about advanced infection I would set the scan settings to custom and turn everything on for a more thorougher review.

Since you said you had a lot of sites, I would look at your processes and cpu utilisation and see which top 10 websites are using the most cycles and then throughly investigate them.

wav3front

@cPFence maybe it makes sense to have a dedicated security module for Wordpress?

cPFence

wav3front maybe it makes sense to have a dedicated security module for Wordpress?

cPFence is already highly optimized to secure WordPress and PHP scripts in general. You can also run a vulnerability scan on all your WordPress sites using:

cpfence --vuln-scan

Additionally, the results can be exported to a CSV report with:

cpfence --vuln-export

bgeek

cPFence BTW, are you going to do some BF deals?

webhostwizards

Since doing two simple steps, ive never been hacked since (Also do the basics like disable root etc)

VPS Harden script on a new server from https://github.com/akcryptoguy/vps-harden
cPGuard configured correctly

netzen

I use Wordfence CLI Premium to scan for malware and vulnerabilities, but even the basic version I think would be sufficient for your threat finding purposes. https://www.wordfence.com/products/wordfence-cli/

cPFence

bgeek BTW, are you going to do some BF deals?

We already offer a 50% discount on all yearly purchases. If you have special requirements or bulk orders, feel free to reach out, and we’ll be happy to assist.

mendozal

I’ve always wondered what I’d do if something like this happened.

Please, let us know if you figure out the issue and how you fix it!

felixb

Same happened with me the same time. Have CPGuard and CPFence both installed.

cPFence

felixb Same happened with me the same time. Have CPGuard and CPFence both installed.

Please contact us immediately, and we’ll be happy to help you sort this out as soon as possible. Our support team is available 24/7 to assist with any issues you might face.

It’s also recommended to run a full scan beforehand with auto-quarantine disabled, and then enable auto-quarantine afterward. Don’t forget to add your email to cPFence to stay updated with the email alerts it sends.

P.S.: Running two security products at the same time isn’t recommended, as it can cause conflicts or prevent some features from working properly.

cPFence

It turned out the issue was caused by an old, empty test WordPress site that contained several malicious files. The attacker was using it, which led to the server’s IP being flagged for malicious activities. We cleaned the site with a simple full scan, and everything is now secure.

We always recommend users conduct a full scan immediately after installing cPFence to identify any existing malicious files, as cPFence primarily focuses on scanning new or modified files.

felixb

cPFence Hi CPFence team, thanks for providing me with prompt support and taking your time with it. Thanks again!

bgeek

cPFence Ohh, I didn't noticed the discount on annual payments. Will look into this soon! Thank you!

andriy

cPFence
I don't want to seem petty, but you have been misleading.
You announce a 50% discount on all annual plans. In reality, the 50% only applies to the 50-servers license. For all other pricing plans, the discount is lower.
Previously, you mentioned a "free plan forever," and I can understand the decision to cancel it. However, the recurring confusion with the pricing plans does not inspire confidence.

wenani

Many thanks to the cPFence Support. They handled this issue with speed and passion as if it was their own server. All this for just a $5 license a month! Clearly, there is more value than what I am paying for. Thanks guys!

cPFence

wenani

You are welcome. Glad we could help. Please let us know if you need any further assistance.

cPFence

felixb

You are welcome, felixb. Don't hesitate to reach out if you need a helping hand.