When you receive this type of message about “bruteforcelogin hacked-joomla/brobot”, there are plenty of places to check on your server. Obviously there is no single way to resolve the problem, so you have to work through every recommendation. We experienced the same problem and were worried that our host would shut down our dedicated server. The notice normally has the following format, and the underlying complaint comes from https://www.blocklist.de.
The IP Address XXX.XXX.XXX.XX has been scheduled to be null routed (disabled) from the network pending resolution of malicious activity.
NOTICE:: If this issue is not resolved within 24 hours from the filing of this abuse case then the IP XXX.XXX.XXX.XXX shall be null routed (disabled from network) without further notice pending resolution.
The following is from the complaint (full complaint at bottom of this message):……………………….
We searched online for articles to read, but none covered this topic in detail or explained how it was resolved, so we decided to take the bull by the horns.
Our first step
We checked the ConfigServer Security & Firewall (CSF) watch log (“Watch (tail) various system log files (listed in csf.syslogs)”), selected /var/log/lfd.log and refreshed the latest 100 lines. We studied the log for some time and noted that lfd, the CSF daemon that also does process tracking, had logged suspicious processes running under one of the hosting accounts:
May 27 11:12:07 server lfd: *Suspicious Process* PID:3841 PPID:31979 User:londonlo3 Uptime:63 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/londonlo3/public_html/index.php
May 27 11:46:08 server lfd: *Suspicious Process* PID:12576 PPID:12562 User:xxxxxxxx Uptime:146527 secs EXE:/home/virtfs/xxxxxxxx/usr/bin/host CMD:/usr/bin/host
Our second step
We opened the flagged account's WordPress installation and found loads of malicious code inside it, which we believe was used to launch the massive brute-force attacks. We removed the code and disabled the account, then monitored https://www.blocklist.de/en/view.html?ip=xxx.xxx.xxx.xxx (replace xxx.xxx.xxx.xxx with your server's IP) for new attacks from our IP. After 24 hours of monitoring there were no further attacks, which suggests that the CSF watch log had indeed captured the attacker's activity. Since the notice gives you 24 hours before the IP is null routed, reply to the abuse ticket with what you found and what you did as soon as the cleanup is done.
It appears someone placed an attack script in this directory. Unless the functions it relies on were disabled in the PHP configuration, the script lets the attacker execute arbitrary PHP code sent along with the request. The script is invoked via a simple HTTP POST request.