One of the servers I look after appears to be participating in brute force attacks against WordPress installations.
I've been on the receiving end of this many times, so I am very familiar with the steps that can be taken to prevent it. What I'm struggling with, however, is detecting outgoing attacks. The server is a typical Apache server with a number of vhosts on it – this is where the complication comes in, of course – if there were just one on there, it wouldn't be as difficult!
I'm currently using tcpflow to log traffic going from any port on this server to port 80 on any other machine using this command:
tcpflow -i eth0 dst port 80 and src host <my_servers_ip> and port not 22
I've found this preferable to tcpdump. Looking through its output can be somewhat brain-melting after a while 🙂 tcpflow puts each request into a separate file.
Here is some output from a file which I believe to be suspicious activity:
POST /wp-login.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Host: somedomain.com
Accept: */*
Cookie: wordpress_test_cookie=WP+Cookie+check
Content-Length: 97
Content-Type: application/x-www-form-urlencoded

log=jacklyn&pwd=london&wp-submit=Log+In&redirect_to=http://somedomain.com/wp-admin/tes1a0&testcookie=1
Please note that I've obfuscated the "Host:" above; I believe that's the host being attacked (is this correct?).
So my question, really, is: how do I go about detecting the vhost that is generating this malicious traffic? If I can do that, I can let my client know, and he can take steps to investigate the site and make the necessary changes to stop it.
Any solutions very gratefully received 🙂
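One way to get from the tcpflow files to the local process that opened each connection, as an added example that is not part of the original post: every tcpflow flow file is named after its source port, and `ss -tnp` (sampled while the connection is still open) lists which pid owns a socket with that local port. Joining the two tells you which worker process sent the `wp-login.php` POST. The script assumes tcpflow's `SRCIP.SRCPORT-DSTIP.DSTPORT` zero-padded file names and the plain-text layout of `ss -tnp`; the flow contents, file names and `ss` output below are constructed for the demo, not a real capture.

```python
"""Correlate outbound wp-login.php POSTs in tcpflow output with the local pid.

Added example, not from the original post. Assumptions (also in comments):
  * tcpflow names each flow file SRCIP.SRCPORT-DSTIP.DSTPORT, zero-padded,
    e.g. 203.000.113.010.43210-198.051.100.007.00080
  * the socket table is the text output of `ss -tnp` captured while the
    connection was open (brute-force connections are short, so sample in a loop)
All sample data at the bottom is constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs

FLOW_NAME = re.compile(                      # assumed tcpflow file-name layout
    r"^(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d{1,5})-"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d{1,5})$")
REQ_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$", re.M)
SS_LINE = re.compile(                        # one data line of `ss -tnp`
    r'^\S+\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<paddr>\S+):(?P<pport>\d+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')
LOGIN_PATHS = ("/wp-login.php",)             # extend with other paths you care about


@dataclass
class Suspect:
    flow_file: str
    src_port: int
    dst_ip: str
    host: Optional[str]
    path: str
    login_user: Optional[str]
    pid: Optional[int] = None
    process: Optional[str] = None


def _unpad(ip: str) -> str:
    """'198.051.100.007' -> '198.51.100.7' (tcpflow zero-pads octets)."""
    return ".".join(str(int(o)) for o in ip.split("."))


def parse_flow_name(path: str) -> Optional[Tuple[int, str, int]]:
    """Return (src_port, dst_ip, dst_port) from a tcpflow file name, else None."""
    m = FLOW_NAME.match(os.path.basename(path))
    return None if not m else (int(m["sport"]), _unpad(m["dip"]), int(m["dport"]))


def requests_in_flow(data: str) -> Iterator[Tuple[str, str, Dict[str, str], str]]:
    """Yield (method, path, headers, body) per request; keep-alive flows hold several."""
    data = data.replace("\r\n", "\n")
    starts = list(REQ_LINE.finditer(data))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(data)
        head, _, body = data[m.end():end].lstrip("\n").partition("\n\n")
        headers = {}
        for line in head.split("\n"):
            k, sep, v = line.partition(":")
            if sep:
                headers[k.strip().lower()] = v.strip()
        yield m["method"], m["path"], headers, body


def find_suspects(flow_dir: str, paths=LOGIN_PATHS) -> List[Suspect]:
    """Scan every tcpflow file in flow_dir for POSTs to a login path."""
    found = []
    for name in sorted(os.listdir(flow_dir)):
        meta = parse_flow_name(name)
        if meta is None:                     # tcpflow also writes report.xml etc.
            continue
        src_port, dst_ip, _dst_port = meta
        with open(os.path.join(flow_dir, name), encoding="latin-1") as fh:  # raw bytes never crash
            data = fh.read()
        for method, path, headers, body in requests_in_flow(data):
            if method == "POST" and path.endswith(paths):
                user = parse_qs(body.strip()).get("log", [None])[0]
                found.append(Suspect(name, src_port, dst_ip, headers.get("host"), path, user))
    return found


def parse_ss(ss_output: str) -> Dict[Tuple[int, str], Tuple[str, int]]:
    """Map (local_port, peer_ip) -> (process, pid) from `ss -tnp` text."""
    table = {}
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            table[(int(m["lport"]), m["paddr"])] = (m["proc"], int(m["pid"]))
    return table


def attribute(suspects: List[Suspect], ss_output: str) -> List[Suspect]:
    """Fill in pid/process where the socket table saw the same connection."""
    table = parse_ss(ss_output)
    for s in suspects:
        if (s.src_port, s.dst_ip) in table:
            s.process, s.pid = table[(s.src_port, s.dst_ip)]
    return suspects


# ---- constructed demo data (not a real capture) ------------------------------
SUSPECT_FLOW = ("POST /wp-login.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)\r\nHost: somedomain.com\r\nAccept: */*\r\n"
                "Cookie: wordpress_test_cookie=WP+Cookie+check\r\nContent-Length: 97\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\nlog=jacklyn&pwd=london"
                "&wp-submit=Log+In&redirect_to=http://somedomain.com/wp-admin/tes1a0&testcookie=1")
BENIGN_FLOW = "GET /feed/ HTTP/1.1\r\nHost: example.org\r\n\r\n"
SS_SAMPLE = ('State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process\n'
             'ESTAB  0      0      203.0.113.10:43210  198.51.100.7:80   users:(("php-fpm",pid=1234,fd=12))\n'
             'ESTAB  0      0      203.0.113.10:43211  192.0.2.5:80      users:(("apache2",pid=777,fd=9))\n')


def build_demo_dir() -> str:
    d = tempfile.mkdtemp(prefix="tcpflow-demo-")
    files = {"203.000.113.010.43210-198.051.100.007.00080": SUSPECT_FLOW,
             "203.000.113.010.43211-192.000.002.005.00080": BENIGN_FLOW,
             "report.xml": "<dfxml/>"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return d


def demo() -> List[Suspect]:
    return attribute(find_suspects(build_demo_dir()), SS_SAMPLE)


if __name__ == "__main__":
    for s in demo():
        print(f"{s.flow_file}: POST {s.path} Host={s.host} user={s.login_user} "
              f"-> local port {s.src_port} opened by {s.process} pid {s.pid}")
```

On a live box you would keep tcpflow running as in the question and sample the socket table in a loop (for example `while true; do ss -tnp >> ss.log; sleep 1; done`), then feed `ss.log` to `attribute()`. The pid only identifies the vhost directly if each site runs under its own php-fpm pool or suexec user; with a single shared mod_php worker you would still need to match that pid and timestamp against the Apache access log to see which site it was serving.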