Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

sniffing out a hack

host identifies we are source



11:30 pm on Jan 21, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

So we've got a well known server farm telling us they can't host sites for us because they say one of our servers is the source of malicious attacks.

Every day they say we're shut down - every day we call them and say "it isn't us" and they turn us back on.

I don't know where to start in diagnosing this.

Anyone got any hints as to where to start?

I think it is a wordpress exploit that is spoofing our IP.

The guys in the office think it has something to do with DropBox.

I want to start unplugging things to eliminate the obvious.

Where's the best place to start?

(ps - is there a better forum here on WebmasterWorld to start this discussion? Thanks in advance!)


3:53 pm on Jan 22, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

thanks mods for moving me over!


10:12 am on Jan 23, 2014 (gmt 0)

I had this problem many years ago, when a hosted client had a computer with a virus. They were sending 20,000+ emails an hour, and had no idea.

If you're using WHM/cPanel, you can look at your Mail Relayers to see if spam is coming from your server, and from what account. This is a good way to see if you're really the source. If you are, disable the email account immediately until it can be fixed.

I assume this can be done in other systems, too, but I use WHM so that's where my experience is. If you're not using WHM, post your system, and maybe someone else will know how to do that.

You can also update the DNS records to include an SPF record for each domain. This can help prevent others from spoofing you.

Here's a wizard to create the SPF record. Make it as strict as you can get away with:


Next, check for your IP on SenderBase.org. This will tell you if the server farm is right.

Next, create an account on MXToolbox.com, and set it to alert you whenever your domain or IP is on a blacklist. This will keep you informed if you have a virus problem before you lose your server.



4:48 pm on Jan 27, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Turns out I was given some erroneous information.

There is no server here - the host is reporting rapid multiple login attempts from this IP to the Wordpress application and as such is shutting down any further login attempts from this IP.

I think we've got a rouge plugin.

How does one figure out which plugin has gone rogue, without the usual disablement?

Featured Threads

Hot Threads This Week

Hot Threads This Month