By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Intrusion Attempts

0

Hi All,

I am getting abuse from aws , So how can solve the below issue.

Url: [WWW.HISTORYOFGAMING.ORG.UK/wp-login.php] Remote connection: [(My Webserver Server IP):52520] Headers: [array ( 'Host' => 'WWW.HISTORYOFGAMING.ORG.UK', 'Referer' => 'httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-login.php', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8', 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0', 'Cookie' => 'wordpress_test_cookie=WP Cookie check;', 'Content-Length' => '140', 'Content-Type' => 'application/x-www-form-urlencoded', 'BN-Frontend' => 'captcha-https', 'X-Forwarded-Port' => '443', 'X-Forwarded-Proto' => 'https', 'BN-Client-Port' => '56054', 'X-Forwarded-For' => 'X.X.X.X(My Webserver Server IP)', )] Post data: [Array ( [pwd] => historyofgaming2016 [wp-submit] => Log In [testcookie] => 1 [log] => historyofgaming [redirect_to] => httpS://WWW.HISTORYOFGAMING.ORG.UK/wp-admin/ ) ]

Comments:

BitNinja presents a CAPTCHA to the visitor, if it is resolved correctly (either automatically via our Browser Integrity Check, or manually), the IP address will be removed from the greylist, if ignored, it will generate a security incident, and the connection will be terminated.

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS Network FirewallAWS Firewall ManagerSecurity GroupNetwork Security
Language
English
Shopperlocal
asked a year ago441 views
1 Answer
1

Hello,

The situation appears to be missing some details, but it looks like you have a resource that is attempting to access this website's sensitive webpages. The port 52520 is rarely used. My best guess is your webserver has been compromised by a bad actor and is being used without your authorization. I recommend terminating the server and remaking it while securing your ports to your own private IP address. If you have any previous snapshots from before those might be useful to utilize in this situation.

If you would like to dive deeper I would suggest moving this webserver to a secured VPC without internet traffic for further analysis. Check your CloudWatch metrics for abnormalities. As a safe precaution I recommend rotating your access keys and make sure you have Multi-factor Authentication enabled on all of your users (including root).

profile pictureAWS
EXPERT
David
answered a year ago
profile pictureAWS
EXPERT
kentrad
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content