
How to prevent outgoing spam (3 steps)

Posted: Fri Apr 10, 2015 7:00 am
by arnada21
Hi everybody,

I have a VestaCP installation with around 20 users. The server got hacked with various upload scripts and base64 injections on a daily basis. I have a support subscription and the guys at VestaCP have been doing a great job helping me point out some weaknesses on my server.

This is what I did to prevent spam and the overall server load:

1. First of all, install Malware Detect and run a full scan to remove scripts with bad code. Don't forget to enable ClamAV in Malware Detect's configuration since it's embedded with VestaCP

https://www.rfxn.com/projects/linux-malware-detect/

2. To prevent base64 injection and file uploads you'll need some kind of web filtering firewall. I use the latest WordPress with the latest plugins but still got hacked. I then found this plugin:

https://wordpress.org/plugins/ninjafirewall/

NinjaFirewall is awesome, it blocks all eval, base64 and file upload attempts. Now I don't have to worry about any WordPress websites being hacked.

3. Last step, use CloudFlare's free account and get the following features:
-Masked IP
-Mask all email addresses on your site
-Block hack attempts
-Offload your server
-If your server goes down your sites will still be part functional

That's all, I hope this helps someone!

My server graphs went from crazy to almost nothing in 6 hours after I applied the above 3 steps to all my accounts/domains

Re: How to prevent outgoing spam (3 steps)

Posted: Mon Apr 13, 2015 6:15 pm
by thering1975
Hi

Thanks for pointing out LMD, just one question: I know it sets a cron job, but by default it will fail to scan, as I see the paths in the cron file do not match those of the VestaCP layout. Did you modify this file to take into account the file structure, or do you run it manually?

Re: How to prevent outgoing spam (3 steps)

Posted: Mon Apr 13, 2015 9:06 pm
by skurudo
thering1975 wrote: Thanks for pointing out LMD, just one question: I know it sets a cron job, but by default it will fail to scan, as I see the paths in the cron file do not match those of the VestaCP layout. Did you modify this file to take into account the file structure, or do you run it manually?
It? Malware Detect? You can add the script from the installation to cron.daily and forget about it.

Re: How to prevent outgoing spam (3 steps)

Posted: Tue Apr 14, 2015 5:32 pm
by thering1975
skurudo wrote:
thering1975 wrote: Thanks for pointing out LMD, just one question: I know it sets a cron job, but by default it will fail to scan, as I see the paths in the cron file do not match those of the VestaCP layout. Did you modify this file to take into account the file structure, or do you run it manually?
It? Malware Detect? You can add the script from the installation to cron.daily and forget about it.
Yes, but my question was: did the OP amend the installed cron job to match the correct variables for the home folder? LMD sets up a cron job but fails, as the various described paths to the folder do not match the setup Vesta uses.

If an amendment was made it would be great to share the code, otherwise I will just create a new cron job and delete the autoinstalled cron

Re: How to prevent outgoing spam (3 steps)

Posted: Fri Apr 17, 2015 7:42 am
by arnada21
Hi,

I did use cronjobs to run scans because LMD monitor didn't work, now it's working so I use this monitor CLI.

maldet -m users

If you are on Ubuntu and have trouble with the inotify process, please review the following.

1. Install dependencies (the following on x64 UBUNTU)
apt-get install inotify-tools libinotifytools0

2. Change inotifywatch path in internals.conf
sed -i -e 's|\$inspath/inotify/inotifywait|/usr/bin/inotifywait|' /usr/local/maldetect/internals.conf

Could also be done manually:

/usr/local/maldetect/internals.conf

change:
inotify=$inspath/inotify/inotifywait

to:
inotify=/usr/bin/inotifywait

http://stackoverflow.com/questions/2927 ... 6#29692396

http://www.coredump.id.au/linux-malware ... and-plesk/

Some results:

NinjaFirewall (wordpress)

07/Apr/15 18:09:30  #1703177  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JG41OT0iTD5uI1F+QVZ8KClfJVNkXCRIPGc3dVQzXHJtQl1VLiF0eENlfWxoRmMvR1xuRTsycDQqYnJvRD01Wk9LIDpQMTBpekB2XFxbeTYtczhKd1dSST9gWGZcImFrTmoncVx0Jk05eytZXiwiOyAkR0xPQkFMU1sndG52enUzNiddID0gJG41O...]
07/Apr/15 18:09:31  #4901921  critical     -  SERVER_IP    POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JG41OT0iTD5uI1F+QVZ8KClfJVNkXCRIPGc3dVQzXHJtQl1VLiF0eENlfWxoRmMvR1xuRTsycDQqYnJvRD01Wk9LIDpQMTBpekB2XFxbeTYtczhKd1dSST9gWGZcImFrTmoncVx0Jk05eytZXiwiOyAkR0xPQkFMU1sndG52enUzNiddID0gJG41O...]
07/Apr/15 18:09:31  #8987746  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JG41OT0iTD5uI1F+QVZ8KClfJVNkXCRIPGc3dVQzXHJtQl1VLiF0eENlfWxoRmMvR1xuRTsycDQqYnJvRD01Wk9LIDpQMTBpekB2XFxbeTYtczhKd1dSST9gWGZcImFrTmoncVx0Jk05eytZXiwiOyAkR0xPQkFMU1sndG52enUzNiddID0gJG41O...]
07/Apr/15 19:11:31  #7070008  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHo1Nz0iXHRfPyxgbSMyaFkqT0lQRjpMIWVsck4nIH5rLV1bK3A+QUt4O3dmZDxaM2F2TXNRJVdcXDR9blwiVUA1KC91XCQmQzFiQnxjU3pFPVxybylSOUhxNzhqRzA2eS50VlxuVFhKZ0RpXnsiOyAkR0xPQkFMU1sncnR5bXAxNyddID0gJHo1N...]
07/Apr/15 19:11:32  #3120902  critical     -  SERVER_IP    POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JHo1Nz0iXHRfPyxgbSMyaFkqT0lQRjpMIWVsck4nIH5rLV1bK3A+QUt4O3dmZDxaM2F2TXNRJVdcXDR9blwiVUA1KC91XCQmQzFiQnxjU3pFPVxybylSOUhxNzhqRzA2eS50VlxuVFhKZ0RpXnsiOyAkR0xPQkFMU1sncnR5bXAxNyddID0gJHo1N...]
07/Apr/15 19:11:33  #2555513  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JHo1Nz0iXHRfPyxgbSMyaFkqT0lQRjpMIWVsck4nIH5rLV1bK3A+QUt4O3dmZDxaM2F2TXNRJVdcXDR9blwiVUA1KC91XCQmQzFiQnxjU3pFPVxybylSOUhxNzhqRzA2eS50VlxuVFhKZ0RpXnsiOyAkR0xPQkFMU1sncnR5bXAxNyddID0gJHo1N...]
07/Apr/15 20:01:19  #6985439  critical     -  SERVER_IP    POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JGE1PSJreVs1RiV6U3J4TFljTUFUS0gpOyxxL2w6flYzb0QrKCNcImBHbXVYIH0tSWQ/USd3Ylxye3xcbm4mX3RpXHQyVzhQLjBOYWo9cHNlXCRAKnZSMU9oIV5aNkVdQjQ3XFw5PmdDZko8VSI7ICRHTE9CQUxTWydnZGp2azI0J10gPSAkYTVbN...]
07/Apr/15 20:01:19  #8681023  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JGo4OD0iPTZ+X2leMD8yM1dlUFVaYDs0S0Fcbkkma2xUXHROSD56Vm11R2J9J0VGXVhPQmNwOSEsdlwicmoxeHtMTS5oSjp0XFwtbzh5IHx3ZjUrcW5Rc1xyWWE3U0BSKikjKC9bXCQlZEQ8Q2ciOyAkR0xPQkFMU1snemJ1bG8yMyddID0gJGo4O...]
07/Apr/15 20:01:19  #8032424  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JHg1PSIwQ2h6S1hTWXdwXCIzKVwkPm1jbnYtLGZlV3F8Wm83eCM0UGRVXn4xL3RHaWdOT3VMVE1gKHtcXHNBYjYmK31Wams8ODpJXHRcbnJASDJseWFcciA5W0RdNSolQiFGUj1fJy5RSj87RSI7ICRHTE9CQUxTWydldXRhYjM0J10gPSAkeDVbO...]
07/Apr/15 20:48:39  #4469025  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
07/Apr/15 22:16:17  #6115834  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JHI5ND0iUmYhREBHTyltTXBRVDBLWkEtXCInICtrU1x0XFxMLl87Z2kxP3Jkc1l8JUh5NDYmb3V3VnpFY2E9OjlYXVxyaipcJEM8LDh7fnE+fUo1N0YzbkkoW3ZeeFcvZVBoTmJCI3RgMlVsXG4iOyAkR0xPQkFMU1sncXdodXE3MCddID0gJHI5N...]
07/Apr/15 22:16:19  #5162563  critical     -  SERVER_IP    POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JHI5ND0iUmYhREBHTyltTXBRVDBLWkEtXCInICtrU1x0XFxMLl87Z2kxP3Jkc1l8JUh5NDYmb3V3VnpFY2E9OjlYXVxyaipcJEM8LDh7fnE+fUo1N0YzbkkoW3ZeeFcvZVBoTmJCI3RgMlVsXG4iOyAkR0xPQkFMU1sncXdodXE3MCddID0gJHI5N...]
07/Apr/15 22:16:20  #5809154  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHI5ND0iUmYhREBHTyltTXBRVDBLWkEtXCInICtrU1x0XFxMLl87Z2kxP3Jkc1l8JUh5NDYmb3V3VnpFY2E9OjlYXVxyaipcJEM8LDh7fnE+fUo1N0YzbkkoW3ZeeFcvZVBoTmJCI3RgMlVsXG4iOyAkR0xPQkFMU1sncXdodXE3MCddID0gJHI5N...]
07/Apr/15 23:18:38  #2121229  critical     -  SERVER_IP    POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JG80Nj0iSkZMWS5oRV9uN2VOR3FscyNJZzh0WDxAYH0oensvJWl3ZFx0XG5UYzNcXFJLP1FVOjFrXnwhJlYtW3BPQzBEcjY9XTVNeFNcJCxCUEE5dWopZjs+MlwiV0h2Wm0rYXknKjRvIFxyYn4iOyAkR0xPQkFMU1sneXFzaWk2MCddID0gJG80N...]
07/Apr/15 23:18:39  #5450389  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JG80Nj0iSkZMWS5oRV9uN2VOR3FscyNJZzh0WDxAYH0oensvJWl3ZFx0XG5UYzNcXFJLP1FVOjFrXnwhJlYtW3BPQzBEcjY9XTVNeFNcJCxCUEE5dWopZjs+MlwiV0h2Wm0rYXknKjRvIFxyYn4iOyAkR0xPQkFMU1sneXFzaWk2MCddID0gJG80N...]
07/Apr/15 23:18:40  #6849432  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JG80Nj0iSkZMWS5oRV9uN2VOR3FscyNJZzh0WDxAYH0oensvJWl3ZFx0XG5UYzNcXFJLP1FVOjFrXnwhJlYtW3BPQzBEcjY9XTVNeFNcJCxCUEE5dWopZjs+MlwiV0h2Wm0rYXknKjRvIFxyYn4iOyAkR0xPQkFMU1sneXFzaWk2MCddID0gJG80N...]
08/Apr/15 07:45:05  #5333297  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 08:47:03  #1991029  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JGkxNT0iL0lnYkcjbFhRPERgQDpcbnsgeGUtcD9WJ0Mpblwkenl2OCpKZl5fOSFkME99XCJobz5pNXVrU1VNNHczN1I7TllqK1p8UCVBXHRxRT1ccihhdEgmfjEuS1dzXFxtWzZGYzJCXUxyVCwiOyAkR0xPQkFMU1snaGRiY2c1MCddID0gJGkxN...]
08/Apr/15 08:47:05  #1917351  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JGY4MT0ia0dPajkrcmBodSVLcT1FTXA3ZlF3RF5SUF1WXzwgIyx2VCkmdEA6WmcnY3t6WztJV31GbllTP3M4QXk0PnhcXG1kXHRvKk4vXG5ccmxDSGIyfjEzSi1MXCIufFhlNigwNUJVYSFpXCQiOyAkR0xPQkFMU1sndXV2bm44J10gPSAkZjgxW...]
08/Apr/15 08:47:07  #7622433  critical     -  SERVER_IP    POST /wp-content/plugins/flagallery-skins/music_default/settings/dump.php - base64-encoded injection - [POST:n59a097 = JGU2Mj0idjpUaDYxPSZcbntjTj5cdEJ+PHVgIWczXHIwYk1vN3JMLEVaUXx3OUNGWEFtXFx5KkBTSi81cCtbemVIa0s0XnRxYVwkZEcyJT9EbC1WUlBuICguaVlmczhPV2p9KVVcIl1fO0kjeCciOyAkR0xPQkFMU1snYWpubnU5MyddID0gJGU2M...]
08/Apr/15 16:10:27  #1682022  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 17:56:18  #6913224  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 21:01:57  #5964449  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 21:07:05  #3959144  medium     314  SERVER_IP    GET /index.php - Referrer spam - [SERVER:HTTP_REFERER = http://buttons-for-website.com]
08/Apr/15 21:11:20  #3906558  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHE4Mz0iXzpuLnB7UDJda2p3TXFpZkhsXCRtPD4rNUFJdjFcXCF+Z28veCYqOE9yLTlVaFxyVDYlYj96M1I9dSkgXCJLWjROQDBcbnxGXHRXSltFXlhMQlk7N2UsU31WI3lEZHMnYUNHYGMoUXQiOyAkR0xPQkFMU1sndXZwenEyNSddID0gJHE4M...]
08/Apr/15 21:11:21  #6616143  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:n73dce7 = JGEyMT0iKCwgUjQtZ1FPem53LypTM3BUZE1AdT5eQjtfeWg3Yk48Rn5jOmFKdFwiJlxcbHZBS1BXP0Rzam9MaXwrXTBWSVhaQ30yZUhccmZ7XHQ9WVxuOCVHbWsnW3ExOSM2KVwkIVUuYHJFeDUiOyAkR0xPQkFMU1snbWlwdnMxJ10gPSAkYTIxW...]
08/Apr/15 22:38:16  #6247237  high      1351  SERVER_IP    GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
09/Apr/15 02:38:24  #2520680  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])]
09/Apr/15 05:23:11  #6936817  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
09/Apr/15 05:58:54  #6766042  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
09/Apr/15 09:32:25  #5743910  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:ncf03de = JHE1ND0iSjxONitqUVdbQzkxIVluLjppWi80YGRTTThcXFwkdExsXCJ4XUZnXjtWR35ieyhLLXxrJ1x0MjNCN3NJb3JmSCAlNWM+QWVSPVQpQDBFXG59XHJtJnF3I2hQcFh5LHZEVXVheipfP08iOyAkR0xPQkFMU1snanZnaHk3MCddID0gJHE1N...]
09/Apr/15 09:46:12  #7410692  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
09/Apr/15 10:06:29  #7240191  high         -  SERVER_IP    GET /index.php - User enumeration scan (author archives) - [author=1]
09/Apr/15 14:01:27  #4128592  medium     314  SERVER_IP    GET /index.php - Referrer spam - [SERVER:HTTP_REFERER = http://buttons-for-website.com]
09/Apr/15 17:16:34  #7243643  critical     -  SERVER_IP    POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,182 bytes]
09/Apr/15 18:15:08  #8152408  critical     -  SERVER_IP    POST /index.php - File upload attempt - [Handler.php, 24,998 bytes]
09/Apr/15 20:52:31  #8793116  critical     -  SERVER_IP    POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,193 bytes]
10/Apr/15 06:33:22  #8141156  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
10/Apr/15 07:35:06  #6275380  critical     -  SERVER_IP    POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 34,863 bytes]
10/Apr/15 07:35:47  #3623808  critical     -  SERVER_IP    POST /index.php - File upload attempt - [NZVChYGw.php, 137,669 bytes]
10/Apr/15 07:35:48  #3096735  critical  1369  SERVER_IP    POST /index.php - WordPress: Download Manager remote command execution - [POST:execute = wp_insert_user]
10/Apr/15 08:38:31  #2801451  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:00:30  #5800077  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:41:24  #5299523  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:42:59  #4072664  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:56:10  #4595928  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:56:49  #6916922  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 09:59:31  #1452146  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:00:54  #6069953  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:10:08  #1956931  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:11:22  #4393770  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:13:55  #2528804  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:38:51  #7369021  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:46:29  #3536249  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:47:21  #6792099  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:49:58  #8552815  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 10:59:20  #5412295  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:10:33  #5299055  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:10:59  #5508559  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:16:39  #5401785  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:21:14  #7841528  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:25:43  #2133285  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:35:20  #3912151  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:56:04  #8333235  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:56:14  #1687059  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:57:40  #3943600  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 11:57:44  #1919336  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:05:41  #3021544  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:21:55  #5831811  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:25:47  #8057169  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:26:01  #2142077  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:36:11  #8885816  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:36:19  #4429211  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:48:22  #5259850  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:50:15  #2436432  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 12:50:36  #2090431  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:06:01  #2011642  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:12:44  #6815445  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:16:47  #8410477  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 13:19:22  #5908601  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
10/Apr/15 18:02:41  #4845697  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetSeer crawler/2.0; +http://www.netseer.com/crawler.html; [email protected])]
10/Apr/15 18:02:41  #7974454  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; NetSeer crawler/2.0; +http://www.netseer.com/crawler.html; [email protected])]
10/Apr/15 19:15:56  #1268231  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
10/Apr/15 19:56:29  #8426144  critical     -  SERVER_IP    POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 19,193 bytes]
10/Apr/15 21:18:52  #5564458  high      1351  SERVER_IP    GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
10/Apr/15 21:18:53  #7184223  critical     1  SERVER_IP    POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:02  #2867628  critical     1  SERVER_IP    GET /index.php - Directory traversal - [GET:file = ../../../wp-config.php]
10/Apr/15 23:24:03  #1594156  critical     1  SERVER_IP    POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:03  #5797669  critical     1  SERVER_IP    POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:05  #1069490  critical     1  SERVER_IP    POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:06  #8501338  critical     1  SERVER_IP    POST /index.php - Directory traversal - [POST:_mysite_download_skin = ../../../../../wp-config.php]
10/Apr/15 23:24:09  #2659575  critical     1  SERVER_IP    GET /index.php - Directory traversal - [GET:file = ../../../wp-config.php]
10/Apr/15 23:24:10  #4694308  critical     1  SERVER_IP    GET /index.php - Directory traversal - [GET:file = ../../../../wp-config.php]
10/Apr/15 23:45:21  #0000000  info         -  SERVER_IP    HEAD /index.php - Sanitising user input - [HTTP_USER_AGENT: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)']
10/Apr/15 23:45:22  #0000000  info         -  SERVER_IP    HEAD /index.php - Sanitising user input - [HTTP_USER_AGENT: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)']
11/Apr/15 08:23:58  #7329959  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
12/Apr/15 10:57:29  #1569999  critical     -  SERVER_IP    POST /index.php - File upload attempt - [searcinfo.php, 24,998 bytes]
12/Apr/15 11:52:22  #8444289  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 12:13:49  #6881748  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 12:47:42  #7834012  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 13:08:57  #3557835  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
12/Apr/15 13:08:59  #8102623  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
12/Apr/15 14:11:28  #4595047  critical     -  SERVER_IP    POST /index.php - File upload attempt - [Handler.php, 24,998 bytes]
12/Apr/15 14:13:14  #7371565  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 15:19:58  #1924428  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
12/Apr/15 19:29:29  #3625498  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
13/Apr/15 04:46:50  #1591103  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
13/Apr/15 05:11:31  #1347443  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
13/Apr/15 09:40:43  #1237142  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
14/Apr/15 03:52:39  #6349262  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)]
14/Apr/15 04:32:45  #2025897  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
14/Apr/15 05:32:19  #8729648  high         -  SERVER_IP    GET /index.php - User enumeration scan (author archives) - [author=1]
14/Apr/15 10:32:25  #2689860  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
15/Apr/15 00:01:35  #8173244  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 01:47:49  #3619611  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 01:48:25  #4460874  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 06:03:49  #8097173  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
15/Apr/15 07:43:56  #4550373  critical     -  SERVER_IP    POST /wp-admin/admin-ajax.php - File upload attempt - [revslider.zip, 18,384 bytes]
15/Apr/15 07:43:56  #3722800  high      1351  SERVER_IP    GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
15/Apr/15 07:43:57  #2469553  critical     -  SERVER_IP    POST /index.php - File upload attempt - [yJVnsDFa.php, 31,710 bytes]
15/Apr/15 07:43:57  #5411368  critical  1369  SERVER_IP    POST /index.php - WordPress: Download Manager remote command execution - [POST:execute = wp_insert_user]
15/Apr/15 13:34:38  #5732824  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
15/Apr/15 13:57:02  #8604914  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
16/Apr/15 07:30:58  #6013237  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
16/Apr/15 09:20:58  #4352807  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
17/Apr/15 00:00:45  #7500518  high         -  SERVER_IP    GET /index.php - User enumeration scan (author archives) - [author=1]
17/Apr/15 04:03:16  #7416623  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; spbot/4.4.2; +http://OpenLinkProfiler.org/bot )]
17/Apr/15 04:03:17  #5953059  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; spbot/4.4.2; +http://OpenLinkProfiler.org/bot )]
17/Apr/15 07:13:06  #2854350  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
More status information coming soon, Cloudflare have issues with their analytics platform ATM.
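
One way to triage a log like the NinjaFirewall excerpt above, as an added example that is not part of the original posts or of NinjaFirewall itself: it parses the line layout seen in the excerpt, drops crawler noise, and lists the script paths that received blocked base64 POSTs. The field layout, the function names and the sample lines (placeholder ids and payloads) are assumptions of this example, as is the heuristic that a repeatedly targeted script path deserves an on-disk check with the Malware Detect scan from step 1.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the layout of the firewall log quoted above.
# Incident ids, parameter names and payloads are placeholders.
SAMPLE_LOG = """\
07/Apr/15 18:09:30  #0000001  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:p1 = PLACEHOLDER...]
07/Apr/15 19:11:31  #0000002  critical     -  SERVER_IP    POST /wp-content/plugins/category-order.php - base64-encoded injection - [POST:p1 = PLACEHOLDER...]
07/Apr/15 19:11:33  #0000003  critical     -  SERVER_IP    POST /wp-content/plugins/contact-form-7/modules/login.php - base64-encoded injection - [POST:p2 = PLACEHOLDER...]
07/Apr/15 20:48:39  #0000004  info         -  SERVER_IP    POST /wp-login.php - Logged in user - [ (administrator)]
08/Apr/15 22:38:16  #0000005  high      1351  SERVER_IP    GET /wp-admin/admin-ajax.php - Access to WP configuration file - [GET:img = ../wp-config.php]
09/Apr/15 18:15:08  #0000006  critical     -  SERVER_IP    POST /index.php - File upload attempt - [example.php, 24,998 bytes]
10/Apr/15 09:00:30  #0000007  medium     531  SERVER_IP    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = ExampleBot/1.0]
this line is truncated and must not crash the parser
"""

# Field layout assumed from the excerpt:
# date time  #incident  level  rule  ip  METHOD path - reason - [detail]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"#(?P<incident>\d+)\s+"
    r"(?P<level>\w+)\s+"
    r"(?P<rule>-|\d+)\s+"
    r"(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+) (?P<path>\S+) - "
    r"(?P<reason>.+?) - \[(?P<detail>.*)\]\s*$"
)

LEVEL_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


def parse_log(text):
    """Return (events, rejected): parsed dicts and the lines that did not match."""
    events, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            rejected.append(raw)  # keep for manual review instead of dropping
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev.pop("ts"), "%d/%b/%y %H:%M:%S")
        events.append(ev)
    return events, rejected


def count_by_reason(events, min_level="high"):
    """Count events per reason at or above min_level (filters crawler noise)."""
    floor = LEVEL_RANK[min_level]
    return Counter(
        e["reason"] for e in events if LEVEL_RANK.get(e["level"], 0) >= floor
    )


def scripts_to_inspect(events):
    """Map each path hit by a blocked base64 POST to (hits, first seen, last seen)."""
    hits = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["reason"] == "base64-encoded injection":
            hits[e["path"]].append(e["when"])
    return {p: (len(t), min(t), max(t)) for p, t in sorted(hits.items())}


def upload_names(events):
    """File names from blocked upload attempts, to search for on disk."""
    names = set()
    for e in events:
        if e["reason"] == "File upload attempt":
            names.add(e["detail"].split(",", 1)[0].strip())
    return sorted(names)


if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {len(rejected)} lines rejected")
    for reason, n in count_by_reason(events).most_common():
        print(f"{n:4d}  {reason}")
    for path, (n, first, last) in scripts_to_inspect(events).items():
        print(f"inspect {path}: {n} blocked POSTs, {first} to {last}")
    print("upload names to search for:", upload_names(events))
```
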