Debian
C0vax, 2016-01-10 00:18:54

How to find a script in debian that was running at a certain time?

There is a dedicated server hosting a limited range of sites. There are no third-party clients. Access is via SSH only, with a key, for the server administrator. fail2ban is installed; it monitors FTP, mail, SSH, etc. and bans every brute-force attempt for a day. But a month ago a complaint came from the hoster about suspicious activity from our IP.
We immediately checked all the logs for the specified time: nothing. We ran maldet and ClamAV: everything clean.
The sites are mostly based on our own closed engine, plus a couple on Bitrix and Webasyst. Everything was checked, nothing extra was found. We replied to the hoster that we had checked everything, and with that the complaint was closed.
And today there is another complaint. It comes from the same address as the first time, but in the logs they cite another site with a different IP:

[Fri Jan 08 18:41:52 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:53 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:54 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:55 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:56 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:57 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:58 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]
[Fri Jan 08 18:41:59 2016 [client 89.108.105.30] [hostname "www.unemed.com"] [uri "/wp-login.php"]

We started another check, and again everything is clean. Googling mostly turned up advice to watch the current processes. But in our case it turns out there are outgoing connection attempts with a certain periodicity, to one specific hosting provider and one specific path (wp-login.php), about 8 attempts at a time, once a month. How can this be tracked?
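One way to track this down, as an added example that is not part of the original post or the linked answer: log every new outbound HTTP(S) connection together with the UID that opened it, then summarise the log so a burst to one destination points at a local account, whose crontab and web root can then be inspected. The iptables/auditd commands are standard; the log prefix "OUT_WEB: ", the interface name, the UIDs and the sample kernel-log lines below are constructed for the demonstration and are not data from the server in question.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked answer.
# Goal: attribute periodic outgoing HTTP(S) connections to the local account
# (and from there the site or cron job) that opens them.
#
# 1. On the server, log every NEW outbound TCP connection to 80/443 together
#    with the UID that created the socket (prefix "OUT_WEB: " is assumed here;
#    adjust the ports to what the hoster reported):
#
#      iptables -I OUTPUT -p tcp -m multiport --dports 80,443 \
#          -m conntrack --ctstate NEW -j LOG --log-prefix "OUT_WEB: " --log-uid
#
#    The lines land in the kernel log (/var/log/kern.log or journalctl -k)
#    and carry SRC=, DST=, DPT= and, thanks to --log-uid, UID= / GID=.
#
# 2. If every site runs as the same UID (typical mod_php setup), the UID alone
#    is not enough; auditd can record the executable and working directory
#    of each connect() instead:
#
#      auditctl -a always,exit -F arch=b64 -S connect -k outbound
#      ausearch -k outbound -i        # shows exe=, cwd=, pid=, uid=
#
# 3. Summarise the logged lines per UID and destination so a monthly burst of
#    ~8 connections to one host stands out, then check that account's cron
#    entries (crontab -l -u NAME, /etc/cron.d, /etc/cron.*) and web root.

# Constructed sample kernel-log lines in --log-uid format (not real data):
# eight connections from UID 1003 to 203.0.113.10:80 within one minute,
# plus one unrelated connection from UID 33.
SAMPLE_LOG='Jan  8 18:41:52 web1 kernel: [100.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:53 web1 kernel: [101.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:54 web1 kernel: [102.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:55 web1 kernel: [103.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:56 web1 kernel: [104.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:57 web1 kernel: [105.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40006 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:58 web1 kernel: [106.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40007 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:41:59 web1 kernel: [107.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=40008 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Jan  8 18:42:10 web1 kernel: [118.1] OUT_WEB: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40009 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33'

# Read kernel-log lines on stdin; print "UID DST DPT COUNT" for each distinct
# (uid, destination, port) triple, sorted.
summarize_outbound() {
    awk '/OUT_WEB:/ {
            uid = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "UID") uid = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (uid != "") count[uid " " dst " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Print only triples with at least $1 connections (burst threshold).
flag_bursts() {
    summarize_outbound | awk -v t="$1" '$4 >= t'
}

# Map a UID to "name:home" via the passwd database, so a flagged account can
# be tied to a site directory and its crontab (run on the real server).
owner_of_uid() {
    getent passwd "$1" | cut -d: -f1,6
}

# Stand-alone demo on the constructed sample: flags UID 1003's burst only.
printf '%s\n' "$SAMPLE_LOG" | flag_bursts 5
```

On the real server, replace the sample with `grep OUT_WEB: /var/log/kern.log | flag_bursts 5` (or `journalctl -k | flag_bursts 5`), then run `owner_of_uid` on the flagged UID and list that account's cron entries; if the logged UID is the shared web-server user, fall back to the auditd rule in the comments to get the executable and working directory of the process that called connect().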

1 answer(s)
Vlad Zhivotnev, 2016-01-10
@inkvizitor68sl

https://debian.pro/1142
