Platforms:
- Outdated CentOS 7
- Virtualmin
The client's server was suddenly listed on 8 block lists visible on MX Toolbox.
top on the server shows many processes running as the same user, with process names that look like file names; some don't even end in .php.
Tailing the access log doesn't show anything unusual:
[root@vm.example.com:/home/username]> tail -f logs/access_log
91.219.239.4 - - [23/May/2025:10:45:25 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
102.216.79.158 - - [23/May/2025:10:45:26 +0200] "POST /wp-cron.php?doing_wp_cron=1747989926.3289179801940917968750 HTTP/1.1" 200 - "-" "WordPress/6.8.1; https://whyjimny.com"
102.216.79.158 - - [23/May/2025:10:46:32 +0200] "POST /wp-cron.php?doing_wp_cron=1747989992.2199950218200683593750 HTTP/1.1" 200 - "-" "WordPress/6.8.1; https://whyjimny.com"
91.219.239.4 - - [23/May/2025:10:46:31 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
91.219.239.4 - - [23/May/2025:10:46:36 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
102.216.79.158 - - [23/May/2025:10:47:22 +0200] "POST /wp-cron.php?doing_wp_cron=1747990041.7414300441741943359375 HTTP/1.1" 200 - "-" "WordPress/6.8.1; https://whyjimny.com"
89.248.172.183 - - [23/May/2025:10:47:21 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
102.216.79.158 - - [23/May/2025:10:51:41 +0200] "POST /wp-cron.php?doing_wp_cron=1747990301.3401238918304443359375 HTTP/1.1" 200 - "-" "WordPress/6.8.1; https://whyjimny.com"
91.219.239.4 - - [23/May/2025:10:51:40 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
91.219.239.4 - - [23/May/2025:10:51:44 +0200] "POST /wp-json/litespeed/v1/cdn_status HTTP/1.1" 200 13 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3"
Next, you check the outbound connections and you see the mess:
[root@vm.example.com:/home/username]> ss -tupn | grep ESTAB | grep -v '127.0.0.1\|::1'
udp ESTAB 0 0 1.2.3.4:36581 8.8.8.8:53 users:(("com_virtuemart",pid=31348,fd=14))
udp ESTAB 0 0 1.2.3.4:54259 8.8.8.8:53 users:(("com_virtuemart",pid=20536,fd=16))
udp ESTAB 0 0 1.2.3.4:43773 8.8.8.8:53
udp ESTAB 0 0 1.2.3.4:44475 8.8.8.8:53
tcp ESTAB 0 0 1.2.3.4:52596 94.100.180.31:25 users:(("com_virtuemart",pid=23028,fd=8))
tcp ESTAB 0 0 1.2.3.4:56738 217.160.0.204:443 users:(("rvsStaticWeb",pid=30079,fd=122))
tcp ESTAB 0 0 1.2.3.4:56872 172.67.165.73:443 users:(("phocagalleryu",pid=6046,fd=36))
tcp ESTAB 0 0 1.2.3.4:37094 206.87.224.50:443 users:(("affiliate_sales",pid=22734,fd=48))
tcp ESTAB 0 0 1.2.3.4:43026 104.21.83.164:443 users:(("pdf_schema",pid=21192,fd=62))
tcp ESTAB 0 357 1.2.3.4:37220 116.251.204.40:443 users:(("pdf_schema",pid=8154,fd=40))
tcp ESTAB 0 0 1.2.3.4:36302 80.242.23.70:443 users:(("mod_logged",pid=6147,fd=161))
tcp ESTAB 0 0 1.2.3.4:33318 35.192.169.210:443 users:(("lib_options_del",pid=5433,fd=158))
tcp ESTAB 0 0 1.2.3.4:34604 85.233.160.187:80 users:(("Result_SemII",pid=714,fd=31))
tcp ESTAB 0 0 1.2.3.4:38644 133.19.170.35:80 users:(("editVacancie",pid=24332,fd=92))
tcp ESTAB 0 627 1.2.3.4:41196 151.101.2.159:443 users:(("mod_logged",pid=6147,fd=184))
tcp ESTAB 0 0 1.2.3.4:51654 85.233.160.184:80 users:(("room.class",pid=15793,fd=49))
tcp ESTAB 0 0 1.2.3.4:58264 87.237.215.106:443 users:(("Result_SemII",pid=31150,fd=24))
tcp ESTAB 0 0 1.2.3.4:54116 133.242.249.152:443 users:(("editVacancie",pid=24332,fd=90))
tcp ESTAB 0 0 1.2.3.4:38332 104.21.72.42:443 users:(("com_virtuemart",pid=8640,fd=17))
tcp ESTAB 0 0 1.2.3.4:35626 37.48.70.196:443 users:(("rvsStaticWeb",pid=30079,fd=51))
tcp ESTAB 0 0 1.2.3.4:39068 34.135.149.120:443 users:(("phocagalleryf",pid=7351,fd=54))
This is just a small subset of the list; it was huge.
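When the list is this long, eyeballing it is not an option. The following script is an added example, not part of the original write-up: it reads `ss -tupn` output, flags every established socket that is owned by a process not on an allowlist, that has no visible owner, or that talks to port 25 from something other than the MTA, and then pulls the owning process's real binary, working directory, uid and command line out of /proc (a process whose exe shows "(deleted)" has unlinked itself from disk). The allowlist, the sample `ss` lines and the `--live` flag are assumptions made for this example; the sample lines are constructed in the shape of the output above, not real data.

```shell
#!/bin/sh
# Added triage helper (example code, not from the original write-up).
# Assumptions: the KNOWN_PROCS allowlist below fits a Virtualmin/CentOS 7
# host, and SAMPLE_SS is a constructed stand-in for `ss -tupn` output.

# Process names (comm, as ss prints them) expected to own sockets on the box.
# Tune this for the host; anything else gets flagged.
KNOWN_PROCS="httpd php-fpm master smtp smtpd pickup qmgr named dovecot sshd clamd spamd"

# Read `ss -tupn` lines on stdin; print "proto pid comm peer reason" for each
# ESTAB socket that (a) talks to port 25 from something other than the MTA,
# (b) has no visible owner, or (c) is owned by a process not on the allowlist.
flag_outbound() {
    awk -v known="$KNOWN_PROCS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $2 == "ESTAB" {
        peer = $6
        port = peer; sub(/.*:/, "", port)          # text after the last colon is the port
        comm = "-"; pid = "-"
        # ss prints the owner as users:(("comm",pid=N,fd=M)); take the first one
        if (match($0, /users:\(\([^,]*,pid=[0-9]+/)) {
            s = substr($0, RSTART + 8, RLENGTH - 8) # strip the leading users:((
            split(s, p, ",")
            comm = p[1]; gsub("\"", "", comm)
            pid = p[2]; sub(/^pid=/, "", pid)
        }
        reason = ""
        if (port == "25" && comm !~ /^(smtp|sendmail|exim)/) reason = "smtp-from-non-mta"
        else if (comm == "-")                                reason = "no-owner"
        else if (!(comm in ok))                              reason = "unknown-process"
        if (reason != "") print $1, pid, comm, peer, reason
    }'
}

# Constructed sample in the shape of the ss output above (not real data).
SAMPLE_SS='udp ESTAB 0 0 1.2.3.4:36581 8.8.8.8:53 users:(("com_virtuemart",pid=31348,fd=14))
udp ESTAB 0 0 1.2.3.4:43773 8.8.8.8:53
tcp ESTAB 0 0 1.2.3.4:52596 94.100.180.31:25 users:(("com_virtuemart",pid=23028,fd=8))
tcp ESTAB 0 0 1.2.3.4:56738 217.160.0.204:443 users:(("rvsStaticWeb",pid=30079,fd=122))
tcp ESTAB 0 0 1.2.3.4:40000 198.51.100.7:25 users:(("smtp",pid=1200,fd=9))
tcp ESTAB 0 0 1.2.3.4:22 203.0.113.5:50123 users:(("sshd",pid=900,fd=4))
tcp LISTEN 0 128 *:25 *:* users:(("master",pid=800,fd=13))'

# Run the filter over the constructed sample (the sshd, smtp and LISTEN lines
# should pass; the other four should be flagged).
flag_sample() { printf '%s\n' "$SAMPLE_SS" | flag_outbound; }

# For one PID: owner uid, real executable (shows "(deleted)" when the binary
# was unlinked after starting), working directory and full command line.
# Returns 1 if the process is already gone.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "$pid: no such process"; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf '%s uid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$uid" "$exe" "$cwd" "$cmd"
}

# `sh triage.sh --live` on the affected host runs the real ss and triages every
# flagged PID; with no argument it just shows the filter on the sample.
if [ "${1:-}" = "--live" ]; then
    ss -tupn | flag_outbound | awk '$2 != "-" { print $2 }' | sort -u |
    while read -r p; do triage_pid "$p"; done
else
    flag_sample
fi
```

The comm field ss prints is at most 15 characters and is whatever the process set it to, so names like com_virtuemart tell you nothing by themselves; /proc/PID/exe and /proc/PID/cwd are what identify the binary and the directory it was started from, and the uid tells you which hosting account to disable.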
We disabled the bad user.