Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Intrusion Attempts

0

Hi All,

I am getting abuse from aws , So how can solve the below issue.

Url: [WWW.HISTORYOFGAMING.ORG.UK/wp-login.php] Remote connection: [(My Webserver Server IP):52520] Headers: [array ( 'Host' => 'WWW.HISTORYOFGAMING.ORG.UK', 'Referer' => 'httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-login.php', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8', 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0', 'Cookie' => 'wordpress_test_cookie=WP Cookie check;', 'Content-Length' => '140', 'Content-Type' => 'application/x-www-form-urlencoded', 'BN-Frontend' => 'captcha-https', 'X-Forwarded-Port' => '443', 'X-Forwarded-Proto' => 'https', 'BN-Client-Port' => '56054', 'X-Forwarded-For' => 'X.X.X.X(My Webserver Server IP)', )] Post data: [Array ( [pwd] => historyofgaming2016 [wp-submit] => Log In [testcookie] => 1 [log] => historyofgaming [redirect_to] => httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-admin/ ) ]

Comments:

BitNinja presents a CAPTCHA to the visitor, if it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist, if ignored, it will generate a security incident, and the connection will be terminated.

Tópicos
Segurança, identidade e conformidadeRede e entrega de conteúdo
Tags
Firewall de rede da AWSGerenciador de Firewall da AWSGrupo de segurançaSegurança de rede
Idioma
English
Shopperlocal
feita há um ano453 visualizações
1 Resposta
1

Hello,

The situation appears to be missing some details, but it looks like you have a resource that is attempting to access this website's sensitive webpages. The port 52520 is rarely used. My best guess is your webserver has been compromised by a bad actor and is being used without your authorization. I recommend terminating the server and remaking it while securing your ports to your own private IP address. If you have any previous snapshots from before those might be useful to utilize in this situation.

If you would like to dive deeper I would suggest moving this webserver to a secured VPC without internet traffic for further analysis. Check your CloudWatch metrics for abnormalities. As a safe precaution I recommend rotating your access keys and make sure you have Multi-factor Authentication enabled on all of your users (including root).

profile pictureAWS
ESPECIALISTA
David
respondido há um ano
profile pictureAWS
ESPECIALISTA
kentrad
avaliado há um ano

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante