Background:
I've only ever used Windows until I spun up my first VPS using Ubuntu, and know almost nothing about it. I'm not terribly experienced, but I'm going to try to fix this issue.
Issue:
Yesterday (2/28/15) I got a notice from my hosting company about an abuse complaint, accusing my server of spamming people's comments. After some hours doing non-related stuff, I saw and addressed the complaint. I immediately went to the only log file I know about, the general Apache log; inside it were thousands upon thousands of messages like this (obviously modified to protect information; also, several different IPs were at it at the same time):
85.XX.XXX.155 - - [28/Feb/2015:08:20:20 -0700] "GET http://www.example.com/not/a/site/I-know/postComment HTTP/1.1" 200 12621 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
*gulp* something went wrong. I've turned off the server for now... but I need to get it running again soon.
I have no idea what information is relevant, or how to get it, feel free to ask for info, just tell me where to find it...
My main questions:
- What is this attack, do I have a virus on my server or how is this working
- If a virus got on my server, how do I find/patch the hole?
- How do I use blacklists to block IPs? All the offending ones were known spammers.
- Is there anything I should know... where to look for help, what this type of attack is called, to help me conduct research on this... I've spent hours on Google to no avail. Assume I know nothing.
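The quoted log line has one notable feature: the request target is a full URL (`GET http://www.example.com/... HTTP/1.1`) rather than a path on the server itself, which is the shape of a request sent through a forward proxy. As an added example (not part of the original post), the script below parses Apache combined-format lines, counts requests per source IP, flags lines with absolute-URL targets, and checks each IP against a blocklist, which is the kind of triage a reader of this log would want before deciding what to block. The sample log lines and the `KNOWN_SPAMMERS` set are constructed for the example; the absolute-URL test is a heuristic for spotting proxy-style traffic, not a diagnosis of what happened on this particular server.

```python
import re
from collections import Counter

# Regex for the Apache "combined" log format, the format of the line quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic). The first mirrors the shape of the quoted line;
# the third is an ordinary request for a local path; the last is deliberately unparseable.
SAMPLE_LOG = """\
85.11.222.155 - - [28/Feb/2015:08:20:20 -0700] "GET http://www.example.com/not/a/site/I-know/postComment HTTP/1.1" 200 12621 "-" "Mozilla/5.0"
85.11.222.155 - - [28/Feb/2015:08:20:21 -0700] "POST http://blog.example.net/wp-comments-post.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Feb/2015:08:20:22 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.38.0"
198.51.100.9 - - [28/Feb/2015:08:20:23 -0700] "GET http://forum.example.org/post HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""

# Assumed blocklist: in practice you would load this from an abuse report or a DNSBL export.
KNOWN_SPAMMERS = {"85.11.222.155", "198.51.100.9"}


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_style_request(target):
    """True when the request target is an absolute URL (scheme + host) rather than a path.

    Browsers send absolute URLs to a forward proxy; requests for your own site use a path
    such as /index.html. Seeing many of these in your own access log is worth investigating.
    """
    return target.lower().startswith(("http://", "https://"))


def analyze(log_text, blocklist):
    """Summarise a log: requests per IP, proxy-style requests per IP, listed IPs, skipped lines."""
    per_ip = Counter()
    proxy_style = Counter()
    listed = set()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep going; one bad line should not abort triage
            continue
        per_ip[rec["ip"]] += 1
        if is_proxy_style_request(rec["target"]):
            proxy_style[rec["ip"]] += 1
        if rec["ip"] in blocklist:
            listed.add(rec["ip"])
    return {"per_ip": per_ip, "proxy_style": proxy_style, "listed": listed, "skipped": skipped}


def ips_to_review(report):
    """IPs that are on the blocklist or sent proxy-style requests, sorted by request volume.

    This is a review list, not an automatic block list: confirm each entry before denying it.
    """
    candidates = set(report["listed"]) | set(report["proxy_style"])
    return sorted(candidates, key=lambda ip: (-report["per_ip"][ip], ip))


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG, KNOWN_SPAMMERS)
    for ip in ips_to_review(rep):
        print(f"{ip}: {rep['per_ip'][ip]} requests, "
              f"{rep['proxy_style'][ip]} proxy-style, "
              f"{'on blocklist' if ip in rep['listed'] else 'not on blocklist'}")
    print(f"skipped {rep['skipped']} unparseable line(s)")
```

Run it against your real log with `analyze(open('/var/log/apache2/access.log').read(), blocklist)`; a high proxy-style count from a handful of IPs, as the quoted line suggests, points at the server relaying requests for third parties, and the review list gives you the addresses to check against your blocklist source before writing any deny rules.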