
I received a report today that a server I manage (Centos + Apache) is launching a bruteforce attack against wordpress websites:

hacked-joomla/brobot

The requests sent look like this:

x.x.x.x - - [15/Nov/2015:19:37:14 +0100] "POST wp-login.php HTTP/1.1" 200 3963 "referer-domain.tld" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"

I tried to locate the source of the attack using tcpdump, lsof and netstat, but I was unable to locate any useful information.

I need to be able to monitor the outgoing web traffic and see not only the destination, but also the source - the file/vhost that the request was sent from.

Any suggestions or guidelines are more than welcome!

P.S. David W. thank you for the link, but it is a very general guide on compromised servers. I have a very specific problem - I need an efficient tool/method to monitor my traffic to identify the source of an outbound attack. I am not experienced in networking etc. and have not used netstat, tcpdump and lsof much, but I am looking for a similar tool or a combination of tools that can provide me with the traffic data that I need.

Falcon Momot • 25,584
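As an added example (not part of the question or of any answer on this page), here is a small Python script that does the attribution the asker describes: it takes the output of `ss -tnp` (iproute2), keeps only connections whose peer port is 80 or 443 (outbound web traffic, as opposed to inbound hits on the server's own listener), groups them by PID and process name, and then reads `/proc/<pid>/status` and `/proc/<pid>/cwd` to show which user and working directory each offending process belongs to. It assumes a Linux host with `ss` available and is run as root so that `ss -p` can see every process; the `SAMPLE_SS` text is constructed for offline use and is not captured from the asker's server.

```python
#!/usr/bin/env python3
"""Attribute outbound HTTP(S) connections to the local process that opened them.

Added example, not from the original post. Parses `ss -tnp` output and, when run
live as root, enriches each PID with its owning user and cwd from /proc so the
connection can be tied to a vhost, user account or script.
"""
import os
import pwd
import re
import subprocess
from collections import Counter

# Constructed sample in the shape of `ss -tnp` output (not from a real host).
# Line 1 is an inbound HTTPS client, line 5 an inbound SSH session; lines 2-4
# are outbound web connections opened by local processes.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB    0      0      10.0.0.5:443         198.51.100.7:51514  users:(("httpd",pid=2310,fd=12))
ESTAB    0      0      10.0.0.5:49152       203.0.113.10:80     users:(("httpd",pid=2318,fd=15))
ESTAB    0      0      10.0.0.5:49153       203.0.113.11:80     users:(("httpd",pid=2318,fd=16))
SYN-SENT 0      1      10.0.0.5:49154       203.0.113.12:80     users:(("php",pid=4071,fd=3))
ESTAB    0      0      10.0.0.5:22          192.0.2.9:60000     users:(("sshd",pid=1200,fd=4))
"""

# `ss -p` prints users:(("comm",pid=N,fd=M),...) ; we take the first process listed.
PROC_RE = re.compile(r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_ss(text):
    """Return one dict per connection line of `ss -tnp` output (header skipped)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] in ("State", "Netid"):
            continue
        peer_host, peer_port = fields[4].rsplit(":", 1)  # rsplit copes with [v6]:port
        m = PROC_RE.search(line)
        conns.append({
            "state": fields[0],
            "local": fields[3],
            "peer_host": peer_host,
            "peer_port": int(peer_port),
            "comm": m.group("comm") if m else None,
            "pid": int(m.group("pid")) if m else None,
        })
    return conns


def outbound_web(conns, ports=(80, 443)):
    """Count outbound HTTP(S) connections per (pid, comm).

    Inbound hits are excluded automatically: their *peer* port is an ephemeral
    client port, not 80/443, so they never match.
    """
    counts = Counter()
    for c in conns:
        if c["peer_port"] in ports and c["pid"] is not None:
            counts[(c["pid"], c["comm"])] += 1
    return counts


def proc_details(pid):
    """Live-only enrichment from /proc: (user, cwd) of the process, or '?' if gone."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            uid = int(fh.read().split("Uid:")[1].split()[0])  # real UID
        user = pwd.getpwuid(uid).pw_name
    except (OSError, KeyError, IndexError, ValueError):
        user = "?"
    try:
        cwd = os.readlink(f"/proc/{pid}/cwd")
    except OSError:
        cwd = "?"
    return user, cwd


if __name__ == "__main__":
    # Run as root so `ss -p` can report the owning process of every socket.
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    for (pid, comm), n in outbound_web(parse_ss(out)).most_common():
        user, cwd = proc_details(pid)
        print(f"pid={pid} comm={comm} user={user} cwd={cwd} outbound_web_conns={n}")
```

Run it in a loop (for example every few seconds under `watch`) while the report says the attack is active, since a brute-force script opens and closes connections quickly. If the PIDs turn out to be Apache workers whose cwd is `/`, the PID alone does not name the vhost; in that case `lsof -p <pid>` shows the script files the worker has open, and Apache's `mod_status` with `ExtendedStatus On` lists the current request and vhost of each worker, which can then be matched against the vhost's access log at the same timestamp. A process named `php` or `perl` with a cwd inside a web root is the more common outcome and points straight at the directory holding the malicious file.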

0 Answers