How to prevent outgoing spam (3 steps)
Hi everybody,
I have a VestaCP installation with around 20 users. The server got hacked with various upload scripts and base64 injections on a daily basis. I have a support subscription and the guys at VestaCP have been doing a great job helping me point out some weaknesses on my server.
This is what I did to prevent spam and the overall server load:
1. First of all, install Malware Detect and run a full scan to remove scripts with bad code.
Don't forget to enable ClamAV in Malware Detect's configuration since it's embedded with VestaCP.
https://www.rfxn.com/projects/linux-malware-detect/
2. To prevent base64 injection and file uploads you'll need some kind of web filtering firewall. I use the latest WordPress with the latest plugins but still got hacked; I then found this plugin:
https://wordpress.org/plugins/ninjafirewall/
NinjaFirewall is awesome, it blocks all eval, base64 and file upload attempts. Now I don't have to worry about any WordPress websites being hacked.
3. Last step, use Cloudflare's free account and get the following features:
- Masked IP
- Mask all email addresses on your site
- Block hack attempts
- Offload your server
- If your server goes down your sites will still be partly functional
That's all, I hope this helps someone!
My server graphs went from crazy to almost nothing in 6 hours after I applied the above 3 steps to all my accounts/domains.
Re: How to prevent outgoing spam (3 steps)
Hi
Thanks for pointing out LMD. Just one question: I know it sets a cron job, but by default it will fail to scan, as I see the paths in the cron file do not match those of the VestaCP layout. Did you modify this file to take into account the file structure, or do you run it manually?
Re: How to prevent outgoing spam (3 steps)
> thering1975 wrote: Thanks for pointing out LMD. Just one question: I know it sets a cron job, but by default it will fail to scan, as I see the paths in the cron file do not match those of the VestaCP layout. Did you modify this file to take into account the file structure, or do you run it manually?
It? Malware Detect? You can add the script from the installation to cron.daily and forget about it.
Re: How to prevent outgoing spam (3 steps)
> skurudo wrote:
> > thering1975 wrote: Thanks for pointing out LMD. Just one question: I know it sets a cron job, but by default it will fail to scan, as I see the paths in the cron file do not match those of the VestaCP layout. Did you modify this file to take into account the file structure, or do you run it manually?
> It? Malware Detect? You can add the script from the installation to cron.daily and forget about it.
Yes, but my question was: did the OP amend the installed cron job to match the correct variables for the home folder? LMD sets up a cron job, but it fails because the various paths to the folder that it describes do not match the setup Vesta uses.
If an amendment was made, it would be great to share the code; otherwise I will just create a new cron job and delete the auto-installed one.
Re: How to prevent outgoing spam (3 steps)
Hi,
I did use cron jobs to run scans because LMD monitor didn't work; now it's working, so I use this monitor CLI.
maldet -m users
If you are on Ubuntu and have trouble with the inotify process, please review the following.
1. Install dependencies (the following on x64 UBUNTU)
apt-get install inotify-tools libinotifytools0
2. Change inotifywatch path in internals.conf
sed -i -e 's|\$inspath/inotify/inotifywait|/usr/bin/inotifywait|' /usr/local/maldetect/internals.conf
Could also be done manually:
/usr/local/maldetect/internals.conf
change:
inotify=$inspath/inotify/inotifywait
to:
inotify=/usr/bin/inotifywait
http://stackoverflow.com/questions/2927 ... 6#29692396
http://www.coredump.id.au/linux-malware ... and-plesk/
Some results:
NinjaFirewall (wordpress)
More status information coming soon, Cloudflare has issues with their analytics platform ATM.
07/Apr/15 18:09:30 #1703177 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JG41OT0iTD5uI1F+QVZ8KClfJVNkXCRIPGc3dVQzXHJtQl1VLiF0eENlfWxoRmMvR1xuRTsycDQqYnJvRD01Wk9LIDpQMTBpekB2XFxbeTYtczhKd1dSST9gWGZcImFrTmoncVx0Jk05eytZXiwiOyAkR0xPQkFMU1sndG52enUzNiddID0gJG41O...]
07/Apr/15 18:09:31 #4901921 critical - SERVER_IP POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JG41OT0iTD5uI1F+QVZ8KClfJVNkXCRIPGc3dVQzXHJtQl1VLiF0eENlfWxoRmMvR1xuRTsycDQqYnJvRD01Wk9LIDpQMTBpekB2XFxbeTYtczhKd1dSST9gWGZcImFrTmoncVx0Jk05eytZXiwiOyAkR0xPQkFMU1sndG52enUzNiddID0gJG41O...]
07/Apr/15 18:09:31 #8987746 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JG41OT0iTD5uI1F+QVZ8KClfJVNkXCRIPGc3dVQzXHJtQl1VLiF0eENlfWxoRmMvR1xuRTsycDQqYnJvRD01Wk9LIDpQMTBpekB2XFxbeTYtczhKd1dSST9gWGZcImFrTmoncVx0Jk05eytZXiwiOyAkR0xPQkFMU1sndG52enUzNiddID0gJG41O...]
07/Apr/15 19:11:31 #7070008 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHo1Nz0iXHRfPyxgbSMyaFkqT0lQRjpMIWVsck4nIH5rLV1bK3A+QUt4O3dmZDxaM2F2TXNRJVdcXDR9blwiVUA1KC91XCQmQzFiQnxjU3pFPVxybylSOUhxNzhqRzA2eS50VlxuVFhKZ0RpXnsiOyAkR0xPQkFMU1sncnR5bXAxNyddID0gJHo1N...]
07/Apr/15 19:11:32 #3120902 critical - SERVER_IP POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JHo1Nz0iXHRfPyxgbSMyaFkqT0lQRjpMIWVsck4nIH5rLV1bK3A+QUt4O3dmZDxaM2F2TXNRJVdcXDR9blwiVUA1KC91XCQmQzFiQnxjU3pFPVxybylSOUhxNzhqRzA2eS50VlxuVFhKZ0RpXnsiOyAkR0xPQkFMU1sncnR5bXAxNyddID0gJHo1N...]
07/Apr/15 19:11:33 #2555513 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JHo1Nz0iXHRfPyxgbSMyaFkqT0lQRjpMIWVsck4nIH5rLV1bK3A+QUt4O3dmZDxaM2F2TXNRJVdcXDR9blwiVUA1KC91XCQmQzFiQnxjU3pFPVxybylSOUhxNzhqRzA2eS50VlxuVFhKZ0RpXnsiOyAkR0xPQkFMU1sncnR5bXAxNyddID0gJHo1N...]
07/Apr/15 20:01:19 #6985439 critical - SERVER_IP POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JGE1PSJreVs1RiV6U3J4TFljTUFUS0gpOyxxL2w6flYzb0QrKCNcImBHbXVYIH0tSWQ/USd3Ylxye3xcbm4mX3RpXHQyVzhQLjBOYWo9cHNlXCRAKnZSMU9oIV5aNkVdQjQ3XFw5PmdDZko8VSI7ICRHTE9CQUxTWydnZGp2azI0J10gPSAkYTVbN...]
07/Apr/15 20:01:19 #8681023 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JGo4OD0iPTZ+X2leMD8yM1dlUFVaYDs0S0Fcbkkma2xUXHROSD56Vm11R2J9J0VGXVhPQmNwOSEsdlwicmoxeHtMTS5oSjp0XFwtbzh5IHx3ZjUrcW5Rc1xyWWE3U0BSKikjKC9bXCQlZEQ8Q2ciOyAkR0xPQkFMU1snemJ1bG8yMyddID0gJGo4O...]
07/Apr/15 20:01:19 #8032424 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JHg1PSIwQ2h6S1hTWXdwXCIzKVwkPm1jbnYtLGZlV3F8Wm83eCM0UGRVXn4xL3RHaWdOT3VMVE1gKHtcXHNBYjYmK31Wams8ODpJXHRcbnJASDJseWFcciA5W0RdNSolQiFGUj1fJy5RSj87RSI7ICRHTE9CQUxTWydldXRhYjM0J10gPSAkeDVbO...]
07/Apr/15 20:48:39 #4469025 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
07/Apr/15 22:16:17 #6115834 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JHI5ND0iUmYhREBHTyltTXBRVDBLWkEtXCInICtrU1x0XFxMLl87Z2kxP3Jkc1l8JUh5NDYmb3V3VnpFY2E9OjlYXVxyaipcJEM8LDh7fnE+fUo1N0YzbkkoW3ZeeFcvZVBoTmJCI3RgMlVsXG4iOyAkR0xPQkFMU1sncXdodXE3MCddID0gJHI5N...]
07/Apr/15 22:16:19 #5162563 critical - SERVER_IP POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JHI5ND0iUmYhREBHTyltTXBRVDBLWkEtXCInICtrU1x0XFxMLl87Z2kxP3Jkc1l8JUh5NDYmb3V3VnpFY2E9OjlYXVxyaipcJEM8LDh7fnE+fUo1N0YzbkkoW3ZeeFcvZVBoTmJCI3RgMlVsXG4iOyAkR0xPQkFMU1sncXdodXE3MCddID0gJHI5N...]
07/Apr/15 22:16:20 #5809154 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHI5ND0iUmYhREBHTyltTXBRVDBLWkEtXCInICtrU1x0XFxMLl87Z2kxP3Jkc1l8JUh5NDYmb3V3VnpFY2E9OjlYXVxyaipcJEM8LDh7fnE+fUo1N0YzbkkoW3ZeeFcvZVBoTmJCI3RgMlVsXG4iOyAkR0xPQkFMU1sncXdodXE3MCddID0gJHI5N...]
07/Apr/15 23:18:38 #2121229 critical - SERVER_IP POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JG80Nj0iSkZMWS5oRV9uN2VOR3FscyNJZzh0WDxAYH0oensvJWl3ZFx0XG5UYzNcXFJLP1FVOjFrXnwhJlYtW3BPQzBEcjY9XTVNeFNcJCxCUEE5dWopZjs+MlwiV0h2Wm0rYXknKjRvIFxyYn4iOyAkR0xPQkFMU1sneXFzaWk2MCddID0gJG80N...]
07/Apr/15 23:18:39 #5450389 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JG80Nj0iSkZMWS5oRV9uN2VOR3FscyNJZzh0WDxAYH0oensvJWl3ZFx0XG5UYzNcXFJLP1FVOjFrXnwhJlYtW3BPQzBEcjY9XTVNeFNcJCxCUEE5dWopZjs+MlwiV0h2Wm0rYXknKjRvIFxyYn4iOyAkR0xPQkFMU1sneXFzaWk2MCddID0gJG80N...]
07/Apr/15 23:18:40 #6849432 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JG80Nj0iSkZMWS5oRV9uN2VOR3FscyNJZzh0WDxAYH0oensvJWl3ZFx0XG5UYzNcXFJLP1FVOjFrXnwhJlYtW3BPQzBEcjY9XTVNeFNcJCxCUEE5dWopZjs+MlwiV0h2Wm0rYXknKjRvIFxyYn4iOyAkR0xPQkFMU1sneXFzaWk2MCddID0gJG80N...]
08/Apr/15 07:45:05 #5333297 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 08:47:03 #1991029 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JGkxNT0iL0lnYkcjbFhRPERgQDpcbnsgeGUtcD9WJ0Mpblwkenl2OCpKZl5fOSFkME99XCJobz5pNXVrU1VNNHczN1I7TllqK1p8UCVBXHRxRT1ccihhdEgmfjEuS1dzXFxtWzZGYzJCXUxyVCwiOyAkR0xPQkFMU1snaGRiY2c1MCddID0gJGkxN...]
08/Apr/15 08:47:05 #1917351 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JGY4MT0ia0dPajkrcmBodSVLcT1FTXA3ZlF3RF5SUF1WXzwgIyx2VCkmdEA6WmcnY3t6WztJV31GbllTP3M4QXk0PnhcXG1kXHRvKk4vXG5ccmxDSGIyfjEzSi1MXCIufFhlNigwNUJVYSFpXCQiOyAkR0xPQkFMU1sndXV2bm44J10gPSAkZjgxW...]
08/Apr/15 08:47:07 #7622433 critical - SERVER_IP POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JGU2Mj0idjpUaDYxPSZcbntjTj5cdEJ+PHVgIWczXHIwYk1vN3JMLEVaUXx3OUNGWEFtXFx5KkBTSi81cCtbemVIa0s0XnRxYVwkZEcyJT9EbC1WUlBuICguaVlmczhPV2p9KVVcIl1fO0kjeCciOyAkR0xPQkFMU1snYWpubnU5MyddID0gJGU2M...]
08/Apr/15 16:10:27 #1682022 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 17:56:18 #6913224 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 21:01:57 #5964449 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 21:07:05 #3959144 medium 314 SERVER_IP GET /index.php - Referrer spam - [SERVER:HTTP_REFERER = http://buttons-for-website.com]
08/Apr/15 21:11:20 #3906558 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHE4Mz0iXzpuLnB7UDJda2p3TXFpZkhsXCRtPD4rNUFJdjFcXCF+Z28veCYqOE9yLTlVaFxyVDYlYj96M1I9dSkgXCJLWjROQDBcbnxGXHRXSltFXlhMQlk7N2UsU31WI3lEZHMnYUNHYGMoUXQiOyAkR0xPQkFMU1sndXZwenEyNSddID0gJHE4M...]
08/Apr/15 21:11:21 #6616143 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JGEyMT0iKCwgUjQtZ1FPem53LypTM3BUZE1AdT5eQjtfeWg3Yk48Rn5jOmFKdFwiJlxcbHZBS1BXP0Rzam9MaXwrXTBWSVhaQ30yZUhccmZ7XHQ9WVxuOCVHbWsnW3ExOSM2KVwkIVUuYHJFeDUiOyAkR0xPQkFMU1snbWlwdnMxJ10gPSAkYTIxW...]
08/Apr/15 22:38:16 #6247237 high 1351 SERVER_IP GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
09/Apr/15 02:38:24 #2520680 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])]
09/Apr/15 05:23:11 #6936817 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
09/Apr/15 05:58:54 #6766042 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
09/Apr/15 09:32:25 #5743910 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHE1ND0iSjxONitqUVdbQzkxIVluLjppWi80YGRTTThcXFwkdExsXCJ4XUZnXjtWR35ieyhLLXxrJ1x0MjNCN3NJb3JmSCAlNWM+QWVSPVQpQDBFXG59XHJtJnF3I2hQcFh5LHZEVXVheipfP08iOyAkR0xPQkFMU1snanZnaHk3MCddID0gJHE1N...]
09/Apr/15 09:46:12 #7410692 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
09/Apr/15 10:06:29 #7240191 high - SERVER_IP GET /index.php - User enumeration scan (author archives) - [author=1]
09/Apr/15 14:01:27 #4128592 medium 314 SERVER_IP GET /index.php - Referrer spam - [SERVER:HTTP_REFERER = http://buttons-for-website.com]
09/Apr/15 17:16:34 #7243643 critical - SERVER_IP POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,182 bytes]
09/Apr/15 18:15:08 #8152408 critical - SERVER_IP POST /index.php - File upload attempt - [Handler.php, 24,998 bytes]
09/Apr/15 20:52:31 #8793116 critical - SERVER_IP POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,193 bytes]
10/Apr/15 06:33:22 #8141156 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
10/Apr/15 07:35:06 #6275380 critical - SERVER_IP POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 34,863 bytes]
10/Apr/15 07:35:47 #3623808 critical - SERVER_IP POST /index.php - File upload attempt - [NZVChYGw.php, 137,669 bytes]
10/Apr/15 07:35:48 #3096735 critical 1369 SERVER_IP POST /index.php - WordPress: Download Manager remote command execution - [POST:execute = wp_insert_user]
10/Apr/15 08:38:31 #2801451 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:00:30 #5800077 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:41:24 #5299523 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:42:59 #4072664 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:56:10 #4595928 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:56:49 #6916922 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:59:31 #1452146 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:00:54 #6069953 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:10:08 #1956931 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:11:22 #4393770 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:13:55 #2528804 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:38:51 #7369021 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:46:29 #3536249 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:47:21 #6792099 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:49:58 #8552815 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:59:20 #5412295 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:10:33 #5299055 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:10:59 #5508559 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:16:39 #5401785 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:21:14 #7841528 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:25:43 #2133285 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:35:20 #3912151 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:56:04 #8333235 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:56:14 #1687059 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:57:40 #3943600 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:57:44 #1919336 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:05:41 #3021544 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:21:55 #5831811 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:25:47 #8057169 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:26:01 #2142077 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:36:11 #8885816 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:36:19 #4429211 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:48:22 #5259850 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:50:15 #2436432 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:50:36 #2090431 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:06:01 #2011642 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:12:44 #6815445 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:16:47 #8410477 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:19:22 #5908601 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 18:02:41 #4845697 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetSeer crawler/2.0; +http://www.netseer.com/crawler.html; [email protected])]
10/Apr/15 18:02:41 #7974454 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetSeer crawler/2.0; +http://www.netseer.com/crawler.html; [email protected])]
10/Apr/15 19:15:56 #1268231 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
10/Apr/15 19:56:29 #8426144 critical - SERVER_IP POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,193 bytes]
10/Apr/15 21:18:52 #5564458 high 1351 SERVER_IP GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
10/Apr/15 21:18:53 #7184223 critical 1 SERVER_IP POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:02 #2867628 critical 1 SERVER_IP GET /index.php - Directory traversal - [GET:file = ../../../wp-config.php]
10/Apr/15 23:24:03 #1594156 critical 1 SERVER_IP POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:03 #5797669 critical 1 SERVER_IP POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:05 #1069490 critical 1 SERVER_IP POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:06 #8501338 critical 1 SERVER_IP POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:09 #2659575 critical 1 SERVER_IP GET /index.php - Directory traversal - [GET:file = ../../../wp-config.php]
10/Apr/15 23:24:10 #4694308 critical 1 SERVER_IP GET /index.php - Directory traversal - [GET:file = ../../../../wp-config.php]
10/Apr/15 23:45:21 #0000000 info - SERVER_IP HEAD /index.php - Sanitising user input - [HTTP_USER_AGENT: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)']
10/Apr/15 23:45:22 #0000000 info - SERVER_IP HEAD /index.php - Sanitising user input - [HTTP_USER_AGENT: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)']
11/Apr/15 08:23:58 #7329959 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
12/Apr/15 10:57:29 #1569999 critical - SERVER_IP POST /index.php - File upload attempt - [searcinfo.php, 24,998 bytes]
12/Apr/15 11:52:22 #8444289 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 12:13:49 #6881748 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 12:47:42 #7834012 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 13:08:57 #3557835 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
12/Apr/15 13:08:59 #8102623 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
12/Apr/15 14:11:28 #4595047 critical - SERVER_IP POST /index.php - File upload attempt - [Handler.php, 24,998 bytes]
12/Apr/15 14:13:14 #7371565 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 15:19:58 #1924428 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 19:29:29 #3625498 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
13/Apr/15 04:46:50 #1591103 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
13/Apr/15 05:11:31 #1347443 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
13/Apr/15 09:40:43 #1237142 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
14/Apr/15 03:52:39 #6349262 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)]
14/Apr/15 04:32:45 #2025897 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
14/Apr/15 05:32:19 #8729648 high - SERVER_IP GET /index.php - User enumeration scan (author archives) - [author=1]
14/Apr/15 10:32:25 #2689860 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
15/Apr/15 00:01:35 #8173244 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 01:47:49 #3619611 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 01:48:25 #4460874 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 06:03:49 #8097173 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
15/Apr/15 07:43:56 #4550373 critical - SERVER_IP POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 18,384 bytes]
15/Apr/15 07:43:56 #3722800 high 1351 SERVER_IP GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
15/Apr/15 07:43:57 #2469553 critical - SERVER_IP POST /index.php - File upload attempt - [yJVnsDFa.php, 31,710 bytes]
15/Apr/15 07:43:57 #5411368 critical 1369 SERVER_IP POST /index.php - WordPress: Download Manager remote command execution - [POST:execute = wp_insert_user]
15/Apr/15 13:34:38 #5732824 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 13:57:02 #8604914 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
16/Apr/15 07:30:58 #6013237 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
16/Apr/15 09:20:58 #4352807 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
17/Apr/15 00:00:45 #7500518 high - SERVER_IP GET /index.php - User enumeration scan (author archives) - [author=1]
17/Apr/15 04:03:16 #7416623 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; spbot/4.4.2; +http://OpenLinkProfiler.org/bot )]
17/Apr/15 04:03:17 #5953059 medium 531 SERVER_IP GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; spbot/4.4.2; +http://OpenLinkProfiler.org/bot )]
17/Apr/15 07:13:06 #2854350 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
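A triage pass over a log in this layout, as an added example that is not part of the original thread: it groups the blocked base64 POSTs by target script and checks whether each script exists under a site's document root, so those files can go first in the malware scan. That a repeatedly called script may already be on disk is a heuristic assumed here, not something the posts state; the sample lines are constructed, and `triage`, `on_disk`, `parse_line` and the `docroot` argument are names chosen for this example.

```python
import os
import re

# Constructed sample lines in the same layout as the log above; incident
# numbers are made up and the payloads are replaced by a placeholder.
SAMPLE_LOG = """\
07/Apr/15 18:09:30 #1000001 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = <payload elided>]
07/Apr/15 18:09:31 #1000002 critical - SERVER_IP POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = <payload elided>]
07/Apr/15 19:11:31 #1000003 critical - SERVER_IP POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = <payload elided>]
08/Apr/15 21:07:05 #1000004 medium 314 SERVER_IP GET /index.php - Referrer spam - [SERVER:HTTP_REFERER = http://spam.example.invalid]
09/Apr/15 17:16:34 #1000005 critical - SERVER_IP POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,182 bytes]
10/Apr/15 07:35:47 #1000006 critical - SERVER_IP POST /index.php - File upload attempt - [NZVChYGw.php, 137,669 bytes]
this line was cut off mid-wri
10/Apr/15 19:15:56 #1000007 info - SERVER_IP POST /wp-login.php - Logged in user - [ (administrator)]
"""

# date time #incident severity rule ip method path - event - [detail]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\w{3}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"#(?P<incident>\d+) (?P<severity>\w+) (?P<rule>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) - (?P<event>.+?) - \[(?P<detail>.*)\]$"
)
PARAM_RE = re.compile(r"^(?:GET|POST):(\S+) = ")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def on_disk(docroot, url_path):
    """True if url_path maps to a regular file inside docroot.

    The path comes from attacker-controlled requests, so it is resolved and
    rejected if it would leave the document root.
    """
    root = os.path.realpath(docroot)
    rel = url_path.split("?", 1)[0].lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return False
    return os.path.isfile(candidate)


def triage(log_text, docroot=None):
    """Group critical events: injection targets ranked by hits, upload names."""
    targets, uploads, skipped = {}, set(), 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            skipped += 1  # keep count of lines that did not parse
            continue
        if ev["severity"] != "critical":
            continue
        if ev["event"] == "File upload attempt":
            uploads.add(ev["detail"].split(",")[0].strip())
        elif ev["event"] == "base64-encoded injection":
            seen = f'{ev["date"]} {ev["time"]}'
            t = targets.setdefault(
                ev["path"], {"hits": 0, "params": set(), "first_seen": seen}
            )
            t["hits"] += 1
            t["last_seen"] = seen  # log is chronological
            p = PARAM_RE.match(ev["detail"])
            if p:
                t["params"].add(p.group(1))
    ranked = [
        {
            "path": path,
            "hits": t["hits"],
            "params": sorted(t["params"]),
            "first_seen": t["first_seen"],
            "last_seen": t["last_seen"],
            # None means "not checked" (no docroot given)
            "on_disk": on_disk(docroot, path) if docroot else None,
        }
        for path, t in sorted(targets.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    ]
    return {"targets": ranked, "uploads": sorted(uploads), "skipped": skipped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for t in report["targets"]:
        print(t["hits"], t["path"], t["params"], t["first_seen"], "->", t["last_seen"])
    print("upload names:", report["uploads"], "| unparsed lines:", report["skipped"])
```

Pass the site's document root as `docroot` to have each target checked for a matching file; any script reported with `on_disk` true is a candidate for inspection and for the Malware Detect scan from step 1.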