On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
> I'm not sure what I'm supposed to do! The info given by Malwarebytes
> looks to me like an attempted attack - not evidence of malware.
> Advice welcome!

Please specify what software you run on your server. Is it up-to-date?
Is the operating system itself up-to-date?
On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>> looks to me like an attempted attack - not evidence of malware.
>> Advice welcome!
>
> Please specify what software you run on your server. Is it up-to-date?
> Is the operating system itself up-to-date?

Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is listed as Apache, and written using Rapidweaver. Sitecheck lists a number of links, use of Javascript, and no Iframes or embedded objects.
RJH <patchmoney@gmx.com> wrote:
> On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
>> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>>> looks to me like an attempted attack - not evidence of malware.
>>> Advice welcome!
>>
>> Please specify what software you run on your server. Is it up-to-date?
>> Is the operating system itself up-to-date?
>
> Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
> listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
> links, use of Javascript, and no Iframes or embedded objects.

Does it run a forum or a wordpress site? They are notorious as attack
vectors if not kept up-to-date or using vulnerable plugins.
I've received a notification from somebody looking at a site I host/develop that it contains malware. They were alerted by their Malwarebytes software, which told them the site was 'unsafe'.
I checked as best as I could (virus and malware scanned the uploaded files, https://sitecheck.sucuri.net/) and no problems found. I asked the user to ask Malwarebytes to be more specific or whitelist the site, and they replied:
--
Reporter     Date         Comment        Categories
Anonymous    27 Feb 2022  wp-login.php   Web App Attack
emha.koeln   27 Feb 2022  92.205.3.203 Brute-Force Web App Attack - Attempts to probe for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions, forum software, phpMyAdmin and various other software plugins/solutions.

Whoever owns that website needs to contact their webhost and request they clean up that IP from malware.
--
I contacted my host (Heart) and they said it's my problem, and they'd simply close down the site if they receive a complaint.
I'm not sure what I'm supposed to do! The info given by Malwarebytes looks to me like an attempted attack - not evidence of malware. Advice welcome!
--
Cheers, Rob
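The report quoted above describes brute-force probing of wp-login.php as seen by other site operators. The following is an added example (not from the thread or from any poster) of how an operator would spot that kind of probing in their own Apache access log: it parses combined-format lines and counts POSTs to login endpoints per source IP. The log lines, IPs and the threshold of 3 are constructed for the example.

```python
import re
from collections import Counter

# Apache combined log format (the fields after status are ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2022:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [27/Feb/2022:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [27/Feb/2022:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [27/Feb/2022:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
198.51.100.9 - - [27/Feb/2022:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 8000
198.51.100.9 - - [27/Feb/2022:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Endpoints that brute-force tooling targets on WordPress sites.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return the parsed fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts_by_ip(log_text):
    """Count POST requests to login endpoints per source IP (query strings ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            counts[rec["ip"]] += 1
    return counts


def suspected_bruteforcers(log_text, threshold=3):
    """IPs with at least `threshold` login POSTs, most active first, as (ip, count) pairs."""
    counts = login_attempts_by_ip(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in suspected_bruteforcers(SAMPLE_LOG):
        print(f"{ip}: {n} login POSTs")
```

On a site that does not run WordPress these requests will simply 404, but a burst of them from one address is still the evidence that ends up in abuse reports like the one above.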
On 11/03/2022 02:06, RJH wrote:
> On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
>> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>>> looks to me like an attempted attack - not evidence of malware.
>>> Advice welcome!
>>
>> Please specify what software you run on your server. Is it up-to-date?
>> Is the operating system itself up-to-date?
>
> Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
> listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
> links, use of Javascript, and no Iframes or embedded objects.

Longshot..... check the version of apache: a recent one was subject to a
url path backtrack exploit, allowing shell invocation and thus
installation of hidden malware on the web site. I was badly bitten :-{ I found a whole pile of python stuff in the apache log area, under ".log"
or similar - it formed a proxy tcp system being controlled by someone
with a .de domain.
If you share an IP with another site (apache's virtual hosting) , the
problem may not lie with you though.
If anyone would like a look it's post16educator org uk.
the site is listed as hosted by Godaddy
I've just had a reply from Malwarebytes (1 minute after I posted!):
--
Hi, The site is clean but hosted on a malicious IP. The IP is blocked due to recent brute-force attacks.
https://www.abuseipdb.com/check/92.205.3.203
--
That's what I /thought/ their message was saying. Anyway, I assume the IP is set by the host company, Heart? I can't see any way I control it . . .
RJH wrote:
> If anyone would like a look it's post16educator org uk.

Do you use wordpress? Or write the site using PHP?
The site is using an old jQuery, being loaded from your server (not from a CDN)
not clear if it's shared on the 'Heart' server or comes from your RapidWeaver?
Did the supposed report come from <https://emha.koeln> or a person called that?
They look like they might be a person who goes looking for vulnerabilities ...
RJH wrote:
> the site is listed as hosted by Godaddy

yes that IP addr is on godaddy servers, maybe Heart outsource it?
Have you got a "control panel" login? if you don't use PHP, can you
turn it off?
Deleting your whole site and re-uploading sounds like a reasonable idea, provided you're sure you have a full copy ...
> RJH wrote:
>> the site is listed as hosted by Godaddy
>
> yes that IP addr is on godaddy servers, maybe Heart outsource it?
>
> Have you got a "control panel" login? if you don't use PHP, can you turn it off?
>
> Deleting your whole site and re-uploading sounds like a reasonable idea, provided you're sure you have a full copy ...

The bit I'm confused about now is the vulnerability of the IP address, and how
I change that.
The report came from Malwarebytes - I've just posted their reply to my query - it seems the IP is the problem.
> I've received a notification from somebody looking at a site I host/develop that it contains malware. They were alerted by their Malwarebytes software, which told them the site was 'unsafe'.

May be, I'm missing the point but...
It sounds like the IP you share has been used to mount an attack on a third party.
That isn't saying you have a vulnerability, it is saying you attacked someone (or someone sharing your IP attacked someone)