I have a server that has been reported as an attacker since January, finally today I found some information about these attacks, however none of the logs on my server shows anything similar. As a consequence the IP is being banned in many blacklists and is causing big problem to my postfix users.
As can be seen in the attack logs, these are carried out through a browser and Windows NT, however my server is a Debian 9, here some examples, 62.X.X.X is my IP (sensitive information removed)
62.X.X.X - - [01/Mar/2021:14:25:28 +0000] 80 "GET /wp-login.php HTTP/1.1" 403 794 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
xmlrpc attack
WP-xmlrpc exploit
Mar 1 06:52:53 h2880623 wordpress(www.zzzzz.zz)[6547]: XML-RPC authentication attempt for unknown user [login] from 62.X.X.X
uvcm 62.X.X.X [27/Feb/2021:19:47:01 "-" "POST /wp-login.php 200 1946
62.X.X.X [28/Feb/2021:12:01:03 "-" "GET /wp-login.php 200 5753
62.X.X.X [28/Feb/2021:12:01:05 "-" "POST /wp-login.php 200 5872
62.X.X.X - - [27/Feb/2021:19:09:53 +0100] "POST /wp-login.php HTTP/1.1" 200 2661 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
62.X.X.X - - [27/Feb/2021:19:09:54 +0100] "POST /wp-login.php HTTP/1.1" 200 2637 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
62.X.X.X - - [27/Feb/2021:19:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2636 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
etc.. etc..
Can someone spoof my ip to perform those attacks? Can I do something to mitigate it?
Edit: I already read long time ago this post How do I deal with a compromised server?, and followed it carefully, but even after following those recommendations my server got compromised or there is something else out of my scope going on.
