Issue Which log files to check for a site that is attacking other servers

[nuffsaid]

Hello

I have an issue with my server, I have been notified by my vps provider that my server is used to abuse other servers and they sent me a list with a log file that looks like this.

serveriphere - - [14/Oct/2020:16:00:13 +0200] "GET /wp-login.php HTTP/1.1" 200 5136 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> serveriphere - - [14/Oct/2020:16:00:14 +0200] "POST /wp-login.php HTTP/1.1" 200 5425 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> serveriphere - - [14/Oct/2020:16:00:14 +0200] "POST /xmlrpc.php HTTP/1.1" 404 47227 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> serveriphere - - [14/Oct/2020:16:17:53 +0200] "POST /wp-login.php HTTP/1.1" 200 5458 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

How can I find out which account on my server is being used on my Plesk server?

Which specific log files can I look at to find this account?

 

[Bitpalast]

This is a difficult and time consuming task.

Here is a post that describes a method to achieve it:

How to inspect outgoing HTTP requests of a single application?

My application is sending HTTP requests to some server and I want to see the actual data that it is sending out. Some specifics I would like to see: Request method (GET/POST/PUT, etc.) Content-typ...

askubuntu.com

and for a general "manual" how to analyze traffic

A tcpdump Tutorial with Examples

tcpdump is the world’s premier network analysis tool—combining both power and simplicity into a single command-line interface. This guide will show

danielmiessler.com

Depending on the number of websites on your server, it could be easier to go through the sites and look for strange files in their document root.