Linux: finding outgoing brute-force logins


To detect a potential outgoing WordPress brute-force (for example from a hacked Joomla site running brobot), log every outgoing HTTP packet whose first 1024 bytes contain the string wp-login.php, together with the UID of the process that sent it. The trailing space in the prefix keeps it separated from the IN= field in the log line:
iptables -I OUTPUT 1 -p tcp -m tcp --dport 80 -m string --string "wp-login.php" --algo kmp --to 1024 -j LOG --log-prefix "WP Attack detected: " --log-level 1 --log-uid

Joomla, matching on the com_jce component string:
iptables -I OUTPUT 1 -p tcp -m tcp --dport 80 -m string --string "com_jce" --algo kmp --to 1024 -j LOG --log-prefix "Joomla Attack detected: " --log-level 1 --log-uid

Note that the string match only sees plaintext HTTP; the same requests sent over HTTPS (port 443) will not be caught.

Output:

Dec 29 23:52:12 srv3 kernel: [22412308.314039] Potential WP Attack detectedIN= OUT=eth0 SRC=xx.xx.xx.xx DST=198.252.100.85 LEN=188 TOS=0x00 PREC=0x00 TTL=64 ID=37222 DF PROTO=TCP SPT=46450 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=715 GID=713
Dec 29 23:52:12 srv3 kernel: [22412308.328190] Potential WP Attack detectedIN= OUT=eth0 SRC=xx.xx.xx.xx DST=104.131.217.204 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=13301 DF PROTO=TCP SPT=42115 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=715 GID=713
Dec 29 23:52:12 srv3 kernel: [22412308.329115] Potential WP Attack detectedIN= OUT=eth0 SRC=xx.xx.xx.xx DST=212.193.244.153 LEN=196 TOS=0x00 PREC=0x00 TTL=64 ID=38575 DF PROTO=TCP SPT=47104 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=715 GID=713
Dec 29 23:52:12 srv3 kernel: [22412308.356597] Potential WP Attack detectedIN= OUT=eth0 SRC=xx.xx.xx.xx DST=64.14.68.57 LEN=206 TOS=0x00 PREC=0x00 TTL=64 ID=26797 DF PROTO=TCP SPT=35146 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=715 GID=713
Dec 29 23:52:12 srv3 kernel: [22412308.363773] Potential WP Attack detectedIN= OUT=eth0 SRC=xx.xx.xx.xx DST=67.208.74.94 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=6945 DF PROTO=TCP SPT=54748 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=715 GID=713
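As an added example (not from the original post), a small Python script that parses these LOG lines from the kernel log and flags any UID that hit several distinct hosts on port 80 within a short window, so the UID can be mapped back to the compromised site account. The sample lines and their TEST-NET addresses are constructed.

```python
import re
from collections import defaultdict

# One kernel LOG line: uptime timestamp, the rule's --log-prefix, then KEY=VALUE
# fields. A prefix with no trailing space runs into "IN=", so the group is non-greedy.
LOG_RE = re.compile(
    r"kernel: \[\s*(?P<ts>[\d.]+)\] (?P<prefix>.*?)IN=\S* OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+).*?UID=(?P<uid>\d+)"
)

def parse_line(line):
    """Fields of one LOG line as a dict, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["dpt"], rec["uid"] = float(rec["ts"]), int(rec["dpt"]), int(rec["uid"])
    return rec

def flag_uids(lines, min_targets=3, window=60.0):
    """UID -> sorted DST hosts, for UIDs that hit >= min_targets hosts within `window` s."""
    hits = defaultdict(list)  # uid -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[rec["uid"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for uid, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= min_targets:
                flagged[uid] = sorted(dsts)
                break
    return flagged

def _log(ts, dst, uid, prefix="Potential WP Attack detected"):
    # Constructed sample line in the shape the rules above produce (TEST-NET addresses).
    return (f"Dec 29 23:52:12 srv3 kernel: [{ts:.6f}] {prefix}IN= OUT=eth0 "
            f"SRC=192.0.2.10 DST={dst} LEN=188 TOS=0x00 PREC=0x00 TTL=64 ID=1 "
            f"DF PROTO=TCP SPT=46450 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 "
            f"UID={uid} GID=713")

SAMPLE = [  # constructed: UID 715 sprays three hosts, UID 33 makes one request
    _log(22412308.314039, "198.51.100.5", 715),
    _log(22412308.328190, "198.51.100.6", 715),
    _log(22412308.329115, "203.0.113.7", 715),
    _log(22412310.0, "198.51.100.5", 33),
]
```

Run `flag_uids(open("/var/log/kern.log"))` against the real log and look up each flagged UID with `getent passwd <uid>`; the prefix group also accepts a prefix that ends in a trailing space.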
