How to find a script in Debian that was running at a certain time?
There is a dedicated server for hosting a limited range of sites. There are no third-party clients. Access is via SSH only, with a key, for the server administrator. fail2ban is installed, which monitors and bans for a day all attempts to brute-force FTP, mail, SSH, etc. But a month ago, a complaint came from the hoster about suspicious activity from our IP.
We immediately checked all the logs for the specified time - nothing. We ran maldet and ClamAV - everything is clean.
Of the sites, they are mainly based on their own closed engine, Bitrix and Webasyst couple. Everything was checked - nothing extra was found. They unsubscribed to the hoster that they checked everything, and on that the complaint was closed.
And today there is another complaint. They complain from the same address as the first time, but in the logs they give another site with a different IP:
[Fri Jan 08 18:41:52 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:53 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:54 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:55 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:56 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:57 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:58 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:59 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]