En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Intrusion Attempts

0

Hi All,

I am getting abuse from aws , So how can solve the below issue.

Url: [WWW.HISTORYOFGAMING.ORG.UK/wp-login.php] Remote connection: [(My Webserver Server IP):52520] Headers: [array ( 'Host' => 'WWW.HISTORYOFGAMING.ORG.UK', 'Referer' => 'httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-login.php', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8', 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0', 'Cookie' => 'wordpress_test_cookie=WP Cookie check;', 'Content-Length' => '140', 'Content-Type' => 'application/x-www-form-urlencoded', 'BN-Frontend' => 'captcha-https', 'X-Forwarded-Port' => '443', 'X-Forwarded-Proto' => 'https', 'BN-Client-Port' => '56054', 'X-Forwarded-For' => 'X.X.X.X(My Webserver Server IP)', )] Post data: [Array ( [pwd] => historyofgaming2016 [wp-submit] => Log In [testcookie] => 1 [log] => historyofgaming [redirect_to] => httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-admin/ ) ]

Comments:

BitNinja presents a CAPTCHA to the visitor, if it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist, if ignored, it will generate a security incident, and the connection will be terminated.

Sujets
Sécurité, identité et conformitéRéseaux et diffusion de contenu
Balises
Pare-feu réseau AWSGestionnaire de pare-feu AWSGroupe de sécuritéSécurité du réseau
Langue
English
Shopperlocal
demandé il y a un an453 vues
1 réponse
1

Hello,

The situation appears to be missing some details, but it looks like you have a resource that is attempting to access this website's sensitive webpages. The port 52520 is rarely used. My best guess is your webserver has been compromised by a bad actor and is being used without your authorization. I recommend terminating the server and remaking it while securing your ports to your own private IP address. If you have any previous snapshots from before those might be useful to utilize in this situation.

If you would like to dive deeper I would suggest moving this webserver to a secured VPC without internet traffic for further analysis. Check your CloudWatch metrics for abnormalities. As a safe precaution I recommend rotating your access keys and make sure you have Multi-factor Authentication enabled on all of your users (including root).

profile pictureAWS
EXPERT
David
répondu il y a un an
profile pictureAWS
EXPERT
kentrad
vérifié il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents