Webmaster General Forum

sniffing out a hack
host identifies we are source
chewy
msg:4639114
11:30 pm on Jan 21, 2014 (gmt 0)

So we've got a well known server farm telling us they can't host sites for us because they say one of our servers is the source of malicious attacks.

Every day they say we're shut down - every day we call them and say "it isn't us" and they turn us back on.

I don't know where to start in diagnosing this.

Anyone got any hints as to where to start?

I think it is a wordpress exploit that is spoofing our IP.

The guys in the office think it has something to do with DropBox.

I want to start unplugging things to eliminate the obvious.

Where's the best place to start?

(ps - is there a better forum here on WebmasterWorld to start this discussion? Thanks in advance!)

chewy
msg:4639320
3:53 pm on Jan 22, 2014 (gmt 0)

thanks mods for moving me over!

GoNC
msg:4639551
10:12 am on Jan 23, 2014 (gmt 0)

I had this problem many years ago, when a hosted client had a computer with a virus. They were sending 20,000+ emails an hour, and had no idea.

If you're using WHM/cPanel, you can look at your Mail Relayers to see if spam is coming from your server, and from what account. This is a good way to see if you're really the source. If you are, disable the email account immediately until it can be fixed.

I assume this can be done in other systems, too, but I use WHM so that's where my experience is. If you're not using WHM, post your system, and maybe someone else will know how to do that.

You can also update the DNS records to include an SPF record for each domain. This can help prevent others from spoofing you.

Here's a wizard to create the SPF record. Make it as strict as you can get away with:

[microsoft.com...]

Next, check for your IP on SenderBase.org. This will tell you if the server farm is right.

Next, create an account on MXToolbox.com, and set it to alert you whenever your domain or IP is on a blacklist. This will keep you informed if you have a virus problem before you lose your server.

HTH!

chewy
msg:4640536
4:48 pm on Jan 27, 2014 (gmt 0)

Turns out I was given some erroneous information.

There is no server here - the host is reporting rapid multiple login attempts from this IP to the Wordpress application and as such is shutting down any further login attempts from this IP.

I think we've got a rogue plugin.

How does one figure out which plugin has gone rogue, without the usual disablement?
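The host in the post above is reacting to a burst of login attempts against WordPress from a single IP. As an added example (not code from the thread or from any poster), here is how an operator on either side could confirm such a burst from ordinary web server access logs: count POST requests to `/wp-login.php` per client IP inside a sliding time window and flag IPs that exceed a threshold. The log lines, IPs and thresholds are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.7 hammers wp-login.php six times in six seconds; the other two
# clients are ordinary visitors, one of whom logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2014:16:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:40:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:40:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Jan/2014:16:40:03 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:40:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:40:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2014:16:40:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:40:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method"), m.group("path")


def find_login_bursts(log_text, threshold=5, window_seconds=60):
    """Map each IP that made more than `threshold` POSTs to /wp-login.php within any
    `window_seconds` span to the highest count seen in such a window. Lines are
    assumed to be in chronological order, as a normal access log is."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks
```

On the sample above only 203.0.113.7 is flagged, with a peak of 6 attempts in one window; the single login from 198.51.100.9 and the later isolated POST stay below the threshold.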
