
Forum Moderators: phranque


sniffing out a hack

host identifies we are source

11:30 pm on Jan 21, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Mar 7, 2003
posts: 1079
votes: 9


So we've got a well known server farm telling us they can't host sites for us because they say one of our servers is the source of malicious attacks.

Every day they say we're shut down - every day we call them and say "it isn't us" and they turn us back on.

I don't know where to start in diagnosing this.

Anyone got any hints as to where to start?

I think it is a WordPress exploit that is spoofing our IP.

The guys in the office think it has something to do with DropBox.

I want to start unplugging things to eliminate the obvious.

Where's the best place to start?

(ps - is there a better forum here on WebmasterWorld to start this discussion? Thanks in advance!)

3:53 pm on Jan 22, 2014 (gmt 0)

Senior Member


joined:Mar 7, 2003
posts: 1079
votes: 9


thanks mods for moving me over!

10:12 am on Jan 23, 2014 (gmt 0)

Junior Member

joined:Jan 9, 2014
posts: 150
votes: 0


I had this problem many years ago, when a hosted client had a computer with a virus. They were sending 20,000+ emails an hour, and had no idea.

If you're using WHM/cPanel, you can look at your Mail Relayers to see if spam is coming from your server, and from what account. This is a good way to see if you're really the source. If you are, disable the email account immediately until it can be fixed.

I assume this can be done in other systems, too, but I use WHM so that's where my experience is. If you're not using WHM, post your system, and maybe someone else will know how to do that.

You can also update the DNS records to include an SPF record for each domain. This can help prevent others from spoofing you.

Here's a wizard to create the SPF record. Make it as strict as you can get away with:

[microsoft.com...]

Next, check for your IP on SenderBase.org. This will tell you if the server farm is right.

Next, create an account on MXToolbox.com, and set it to alert you whenever your domain or IP is on a blacklist. This will keep you informed if you have a virus problem before you lose your server.

HTH!
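To make the "as strict as you can get away with" advice above concrete, here is an added example that is not part of this thread: a small offline SPF evaluator that shows how a receiver treats a spoofed sender under `-all`, `~all` and `+all`. The domain names, IP ranges and records are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are implemented, since `include`, `a` and `mx` need live DNS lookups.

```python
import ipaddress

# Constructed example records (hypothetical domains and address ranges).
RECORDS = {
    "strict.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",  # hard fail for everyone else
    "soft.example":   "v=spf1 ip4:203.0.113.0/24 ~all",                    # soft fail: often only marked, not rejected
    "open.example":   "v=spf1 +all",                                        # anyone may send as this domain
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting sender IP.

    Walks the mechanisms left to right (as RFC 7208 does) and returns the
    result of the first match: pass, fail, softfail or neutral.  If nothing
    matches and there is no 'all' term the result is 'neutral'.  Any
    mechanism this offline checker cannot evaluate yields 'permerror'.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]     # 'all' always matches: this is the default verdict

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue

        # include / a / mx / exists / redirect require DNS; not implemented here.
        return "permerror"

    return "neutral"


def spoof_outcomes(sender_ip):
    """Return the verdict each example record gives a sender at sender_ip."""
    return {domain: evaluate_spf(record, sender_ip) for domain, record in RECORDS.items()}


if __name__ == "__main__":
    # A legitimate sender inside the published range, and a spoofer outside it.
    for ip in ("203.0.113.45", "198.51.100.7"):
        print(ip, spoof_outcomes(ip))
```

Only the `-all` record actually lets a receiving mail server reject a spoofed message outright; `~all` usually just marks it, and `+all` grants every host on the Internet permission to send as your domain.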

4:48 pm on Jan 27, 2014 (gmt 0)

Senior Member


joined:Mar 7, 2003
posts: 1079
votes: 9


Turns out I was given some erroneous information.

There is no server here - the host is reporting rapid multiple login attempts from this IP to the WordPress application and as such is shutting down any further login attempts from this IP.

I think we've got a rogue plugin.

How does one figure out which plugin has gone rogue, without the usual disablement?
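What the host described (rapid repeated login attempts against the WordPress login page from one IP) is exactly what a hosting provider's log monitoring flags. As an added example that is not part of this thread, the Python script below runs that detection over constructed Apache/nginx combined-format access-log lines: it counts failed `POST /wp-login.php` requests per client IP in a sliding time window and reports the moment an IP crosses the threshold. The IP addresses, timestamps and log lines are made up for the example; the threshold and window are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined format).  203.0.113.10 hammers the
# login form six times in eleven seconds; 192.0.2.77 makes five failed attempts
# spread over twelve minutes; 198.51.100.5 is a normal user whose POST returns
# the 302 redirect WordPress issues on a successful login.
SAMPLE_LOG = """\
192.0.2.77 - - [21/Jan/2014:22:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Jan/2014:22:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Jan/2014:22:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Jan/2014:22:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Jan/2014:22:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jan/2014:22:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jan/2014:22:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.5 - - [21/Jan/2014:22:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jan/2014:22:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jan/2014:22:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jan/2014:22:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jan/2014:22:15:12 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.5 - - [21/Jan/2014:22:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [21/Jan/2014:22:15:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 14022 "-" "Mozilla/5.0"
"""

# client IP, [timestamp], "METHOD path PROTOCOL", status; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need as a dict (timestamp parsed), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], TS_FORMAT)
    return fields


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), path="/wp-login.php"):
    """Return {ip: timestamp} for IPs that made >= threshold failed logins within window.

    A failed login is a POST to the login path that does not answer with the
    302 redirect WordPress sends after a successful login.  Each IP keeps a
    deque of recent failure timestamps; entries older than the window are
    dropped before the count is compared with the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}                  # ip -> time at which the threshold was first crossed
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit["method"] != "POST":
            continue
        if hit["path"].split("?", 1)[0] != path or hit["status"] == "302":
            continue
        q = recent[hit["ip"]]
        q.append(hit["ts"])
        while q and hit["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and hit["ip"] not in flagged:
            flagged[hit["ip"]] = hit["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} crossed the failed-login threshold at {when.isoformat()}")
```

With the default one-minute window only the fast burst from 203.0.113.10 is reported; widening the window to fifteen minutes also catches the slow, spread-out attempts from 192.0.2.77, which is the trade-off between catching low-and-slow guessing and locking out a user who mistyped a password a few times.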