How to prevent/block an outgoing brute-force attack with csf?

Post by Metalik »

Hello,

What does "bruteforcelogin" mean?
The IP has called many logins on WordPress, Webmin, Plesk or other CMS/control panels.
In most cases the script uses Firefox19, BingBot and GoogleBot as User-Agent (grep for "eval(" or "eval(base64_decode(" in the webspace), and often the name was "mod_system.php".

How can I prevent/block an outgoing brute-force attack (from our server to other destination servers) with csf?

Regards

Re: How to prevent/block an outgoing brute-force attack with csf?

Post by dennis50 »

I'm having the same problem, lots of outgoing wp-logins. Problem is my VPS doesn't seem to have the file 'mod_systems.php'...
Would love to hear how to block the outgoing brute-force attack with csf so it buys me more time to find the malicious files...

Thanks in advance!

Re: How to prevent/block an outgoing brute-force attack with csf?

Post by styelz »

Hello,

Hope you are well. I am receiving similar complaints from a service provider for a hosting server with many accounts. Seems to be related to a hacked WordPress install. But I am not 100% sure.

I've tried this..

netstat -natp|grep ".*:.*:80 .*ESTABLISHED"

.. and it shows me many outgoing connections to port 80 for different hosts. Around 40 or so every 30 seconds to a minute, but only for one of the many accounts with a WordPress install on this hosting server.

The process IDs of all of the outbound connections relate back to /usr/bin/php /home/some-user/public_html/wp/index.php

I have not investigated further and was about to remove port 80 from TCP_OUT in csf.conf, but I thought I'd check here first as I am worried that I will block some legitimate traffic, like ping-backs or something else unrelated to this WP brute-force issue.

I am not sure if there is an easy way to do this...

Regards,
Styelz
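
Added example, not part of the thread: a shell sketch that tallies the ESTABLISHED outbound connections from `netstat -natp` output per owning process and counts distinct remote hosts, so the one PHP process fanning out to many hosts stands out before any change to TCP_OUT. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise outbound TCP connections
# to one remote port per owning process, from `netstat -natp` output.

# Constructed sample in `netstat -natp` column layout (documentation IPs).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      811/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED 811/httpd
tcp        0      0 192.0.2.10:41022        203.0.113.5:80          ESTABLISHED 4312/php
tcp        0      0 192.0.2.10:41030        203.0.113.9:80          ESTABLISHED 4312/php
tcp        0      0 192.0.2.10:41044        203.0.113.9:80          ESTABLISHED 4312/php
tcp        0      0 192.0.2.10:41050        198.51.100.20:80        TIME_WAIT   -
tcp        0      0 192.0.2.10:52100        198.51.100.30:80        ESTABLISHED 977/curl
tcp        0      0 192.0.2.10:52200        198.51.100.30:443       ESTABLISHED 977/curl
EOF
}

# outbound_by_pid PORT
# Reads netstat -natp output on stdin and prints one line per process:
#   <connections> <distinct remote hosts> <pid/program>
# Only the foreign address is checked, so visitors hitting the local web
# server on :80 are not counted as outbound traffic.
outbound_by_pid() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, f, ":")            # last piece of foreign addr is the port
            if (f[n] != port) next
            host = substr($5, 1, length($5) - length(f[n]) - 1)
            conns[$7]++
            if (!(($7, host) in seen)) { seen[$7, host]; hosts[$7]++ }
        }
        END { for (p in conns) print conns[p], hosts[p], p }
    ' | sort -rn
}

# Stand-alone run on the constructed sample.
sample_netstat | outbound_by_pid 80
```

On a live host, run `netstat -natp | outbound_by_pid 80` as root so the PID column is populated, then `ps -o user=,args= -p <pid>` shows which account and script own the busiest process.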