• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Issue Which log files to check for a site that is attacking other servers

nuffsaid

New Pleskian
Hello

I have an issue with my server, I have been notified by my vps provider that my server is used to abuse other servers and they sent me a list with a log file that looks like this.

serveriphere - - [14/Oct/2020:16:00:13 +0200] "GET /wp-login.php HTTP/1.1" 200 5136 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> serveriphere - - [14/Oct/2020:16:00:14 +0200] "POST /wp-login.php HTTP/1.1" 200 5425 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> serveriphere - - [14/Oct/2020:16:00:14 +0200] "POST /xmlrpc.php HTTP/1.1" 404 47227 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> serveriphere - - [14/Oct/2020:16:17:53 +0200] "POST /wp-login.php HTTP/1.1" 200 5458 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

How can I find out which account on my server is being used on my Plesk server?

Which specific log files can I look at to find this account?
 
This is a difficult and time consuming task.

Here is a post that describes a method to achieve it:
and for a general "manual" how to analyze traffic

Depending on the number of websites on your server, it could be easier to go through the sites and look for strange files in their document root.
 
Back
Top