First of all, thank you for reading this.
Today I receive an email from aws saying one of my fresh EC2 is being used for brute force attacks along with some details so I could fix the issue.
Unfortunately, with the available details, I was not able to locate the file neither origin of attack.
Im writing this so I can get direction on how to deal with this. Im fairly new at this but Im also comfortable with command line. I have already made an snapshot of the machine.
Server details:
- Amazon EC2 T3.nano
- Ubuntu 20.04 LTS (GNU/Linux 5.4.0-1009-aws x86_64)
- Web Server info: nginx/1.20.2
- PHP version: 8.1.4
Below is the detail that I received. (I use forge to manage server)
any direction would be much appreciated. If you have gone through this issue in the past, it would be very helpful if you tell me how you manage to sort this out.
Hello,
We've received a report(s) that your AWS resource(s)
[server ip address here]
has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.
Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.
Detailed abuse report information is included below.
========================================================================
[server ip address here]
---------------------------------------------
Logs:
---------------------------------------------
Lines containing failures of ec2 ip
Apr 20 05:54:48 xxxxxxxx wordpress(website that got attacked)[8611]: Authentication failure for admin from ec2 ip
Apr 20 06:22:01 xxxxxxxx wordpress(website that got attacked)[11469]: Authentication failure for slavi from ec2 ip
Apr 20 08:12:30 xxxxxxxx wordpress(website that got attacked)[29323]: Authentication failure for janna from ec2 ip
Apr 20 09:39:37 xxxxxxxx wordpress(website that got attacked)[9780]: Authentication failure for admin from ec2 ip
Apr 20 13:27:30 xxxxxxxx wordpress(website that got attacked)[11935]: Authentication failure for pgadmin from ec2 ip
Apr 20 18:14:49 xxxxxxxx wordpress(website that got attacked)[28987]: Authentication failure for admin from ec2 ip
Apr 20 20:40:10 xxxxxxxx wordpress(website that got attacked)[19685]: Authentication failure for dbfmadmin from ec2 ip
Apr 20 23:10:03 xxxxxxxx wordpress(website that got attacked)[11592]: Authentication failure for mbadmin from ec2 ip
Apr 21 22:18:23 xxxxxxxx wordpress(website that got attacked)[10401]: Authentication failure for admin from ec2 ip
Apr 22 05:27:28 xxxxxxxx wordpress(website that got attacked)[26557]: Authentication failure for admin from ec2 ip
Apr 22 08:38:49 xxxxxxxx wordpress(website that got attacked)[23738]: Authentication failure for pgadmin from ec2 ip
Apr 23 09:05:08 xxxxxxxx wordpress(website that got attacked)[12526]: Authentication failure for mbauthor from ec2 ip
Apr 23 10:02:30 xxxxxxxx wordpress(website that got attacked)[19471]: Authentication failure for mbauthor from ec2 ip
Apr 23 13:26:15 xxxxxxxx wordpress(website that got attacked)[18698]: Authentication failure for janna from ec2 ip
Apr 24 01:09:02 xxxxxxxx wordpress(website that got attacked)[5018]: Authentication attempt for unknown user admin from
---------------------------------------------
Comments:
---------------------------------------------
Hello Abuse-Team,
your Server/Customer with the IP: *ip* has attacked one of our servers/partners.
The attackers used the method/service: *bruteforcelogin* on: *Sun, 24 Apr 2022 01:09:02 +0100*.
The time listed is from the server-time of the Blocklist-user who submitted the report.
The attack was reported to the Blocklist.de-System on: *Sun, 24 Apr 2022 02:09:06 +0200*
!!! Do not answer to this Mail! Use support@ or contact-form for Questions (no resolve-messages, no updates....) !!!
The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
The Server-Owner configures the number of failed attempts, and the time period they have
to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
What means "bruteforcelogin"?
The IP has called many Logins on Wordpress, Webmin, Plesk or other CMS/Controllpanels.
http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack
The Script use in the most cases Firefox40, BingBot and GoogleBot as UserAgent (grep for like this in the first line of file:
"$qdtoewomza=substr($bstzohlitn,(59324-49211),(81-69)); $qdtoewomza($gidldupbhh, $xeipowxwpd, NULL);.*=.*; ?><?php"
and replace the Variables to Wildcard * in the Webspace) and often the name was "mod_system.php"
Alle files which has inside "?><?php", please look in the first line of file!
---------------------------------------------
Logs:
---------------------------------------------
2022-04-24 00:31:09 GMT
Url: [xx###xx.com/wp-login.php]
Remote connection: [ip:52578]
Headers: [array (
'Host' => 'xx###xx.com',
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36',
'Content-Length' => '101',
'Content-Type' => 'application/x-www-form-urlencoded',
'Cookie' => 'wordpress_test_cookie=WP+Cookie+check',
'Accept-Encoding' => 'gzip',
'Connection' => 'close',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'BN-Client-Port' => '47528',
'X-Forwarded-For' => 'ip',
)]
Post data: [Array
(
[log] => 0l5sktko
[pwd] => *****
[wp-submit] => Log In
[redirect_to] => https://xxxxxx.com/wp-admin/
[testcookie] => 1
)
]
