
Webmaster General Forum

sniffing out a hack
host identifies we are source

WebmasterWorld Senior Member 10+ Year Member

Msg#: 4639224 posted 11:30 pm on Jan 21, 2014 (gmt 0)

So we've got a well known server farm telling us they can't host sites for us because they say one of our servers is the source of malicious attacks.

Every day they say we're shut down - every day we call them and say "it isn't us" and they turn us back on.

I don't know where to start in diagnosing this.

Anyone got any hints as to where to start?

I think it is a WordPress exploit that is spoofing our IP.

The guys in the office think it has something to do with DropBox.

I want to start unplugging things to eliminate the obvious.

Where's the best place to start?

(ps - is there a better forum here on WebmasterWorld to start this discussion? Thanks in advance!)



WebmasterWorld Senior Member 10+ Year Member

Msg#: 4639224 posted 3:53 pm on Jan 22, 2014 (gmt 0)

thanks mods for moving me over!


Msg#: 4639224 posted 10:12 am on Jan 23, 2014 (gmt 0)

I had this problem many years ago, when a hosted client had a computer with a virus. They were sending 20,000+ emails an hour, and had no idea.

If you're using WHM/cPanel, you can look at your Mail Relayers to see if spam is coming from your server, and from what account. This is a good way to see if you're really the source. If you are, disable the email account immediately until it can be fixed.

I assume this can be done in other systems, too, but I use WHM so that's where my experience is. If you're not using WHM, post your system, and maybe someone else will know how to do that.

You can also update the DNS records to include an SPF record for each domain. This can help prevent others from spoofing you.

Here's a wizard to create the SPF record. Make it as strict as you can get away with:


Next, check for your IP on SenderBase.org. This will tell you if the server farm is right.

Next, create an account on MXToolbox.com, and set it to alert you whenever your domain or IP is on a blacklist. This will keep you informed if you have a virus problem before you lose your server.



WebmasterWorld Senior Member 10+ Year Member

Msg#: 4639224 posted 4:48 pm on Jan 27, 2014 (gmt 0)

Turns out I was given some erroneous information.

There is no server here - the host is reporting rapid multiple login attempts from this IP to the WordPress application and as such is shutting down any further login attempts from this IP.

I think we've got a rogue plugin.

How does one figure out which plugin has gone rogue, without the usual disablement?
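
An added example, not part of any post in this thread: one way to narrow down what is generating the login attempts the host reports, assuming the host can supply the WordPress site's access log in combined format. It groups POSTs to wp-login.php from the flagged IP by user agent and by minute; the log lines, IP addresses and the `ExampleSyncClient` agent name are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2014:16:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "ExampleSyncClient/1.0"
203.0.113.7 - - [27/Jan/2014:16:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "ExampleSyncClient/1.0"
203.0.113.7 - - [27/Jan/2014:16:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "ExampleSyncClient/1.0"
203.0.113.7 - - [27/Jan/2014:16:01:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2014:16:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2014:16:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def login_posts(log_text, flagged_ip):
    """Yield (minute, user_agent, status) for each POST to wp-login.php from flagged_ip."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] != flagged_ip or m["method"] != "POST":
            continue
        if m["path"].split("?")[0].endswith("wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(second=0), m["ua"], int(m["status"])

def summarize(log_text, flagged_ip, burst_threshold=3):
    """Return per-agent totals, per-agent failures, and (minute, agent, count) bursts."""
    totals, failed = Counter(), Counter()
    per_minute = defaultdict(Counter)
    for minute, ua, status in login_posts(log_text, flagged_ip):
        totals[ua] += 1
        # WordPress re-renders the form (200) on a failed login and redirects (302) on success.
        if status == 200:
            failed[ua] += 1
        per_minute[minute][ua] += 1
    bursts = [(minute.strftime("%H:%M"), ua, n)
              for minute, agents in sorted(per_minute.items())
              for ua, n in agents.items() if n >= burst_threshold]
    return totals, failed, bursts

if __name__ == "__main__":
    totals, failed, bursts = summarize(SAMPLE_LOG, "203.0.113.7")
    for ua, n in totals.most_common():
        print(f"{n:4d} login POSTs ({failed[ua]} failed) from agent {ua!r}")
    for minute, ua, n in bursts:
        print(f"burst at {minute}: {n} attempts in one minute from {ua!r}")
```

The user agent and timing of a burst point at the program making the requests (a browser, a script, a desktop client), which can then be matched to a machine on the office network.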
