Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Intrusion Attempts

0

Hi All,

I am getting abuse from aws , So how can solve the below issue.

Url: [WWW.HISTORYOFGAMING.ORG.UK/wp-login.php] Remote connection: [(My Webserver Server IP):52520] Headers: [array ( 'Host' => 'WWW.HISTORYOFGAMING.ORG.UK', 'Referer' => 'httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-login.php', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8', 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0', 'Cookie' => 'wordpress_test_cookie=WP Cookie check;', 'Content-Length' => '140', 'Content-Type' => 'application/x-www-form-urlencoded', 'BN-Frontend' => 'captcha-https', 'X-Forwarded-Port' => '443', 'X-Forwarded-Proto' => 'https', 'BN-Client-Port' => '56054', 'X-Forwarded-For' => 'X.X.X.X(My Webserver Server IP)', )] Post data: [Array ( [pwd] => historyofgaming2016 [wp-submit] => Log In [testcookie] => 1 [log] => historyofgaming [redirect_to] => httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-admin/ ) ]

Comments:

BitNinja presents a CAPTCHA to the visitor, if it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist, if ignored, it will generate a security incident, and the connection will be terminated.

Argomenti
Sicurezza, identità e conformitàNetworking e distribuzione di contenuti
Tag
Firewall di rete AWSGestore di firewall AWSGruppo di sicurezzaSicurezza di rete
Lingua
English
Shopperlocal
posta un anno fa453 visualizzazioni
1 Risposta
1

Hello,

The situation appears to be missing some details, but it looks like you have a resource that is attempting to access this website's sensitive webpages. The port 52520 is rarely used. My best guess is your webserver has been compromised by a bad actor and is being used without your authorization. I recommend terminating the server and remaking it while securing your ports to your own private IP address. If you have any previous snapshots from before those might be useful to utilize in this situation.

If you would like to dive deeper I would suggest moving this webserver to a secured VPC without internet traffic for further analysis. Check your CloudWatch metrics for abnormalities. As a safe precaution I recommend rotating your access keys and make sure you have Multi-factor Authentication enabled on all of your users (including root).

profile pictureAWS
ESPERTO
David
con risposta un anno fa
profile pictureAWS
ESPERTO
kentrad
verificato un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente