AWS Abuse Report : has been implicated in activity which resembles attempts to access remote hosts

0

I was notified that AWS detected a DOS attack from your network. The below domain is not mine but AWS support informed me that the attack came from my server to that address.

I am not sure how to find the source of this attack on my server and need some assistance in trying to locate the source so I can deal with it. I don't see anything in this log that provides that.

Below are the logs.


54.214.137.99 - - [01/May/2023:05:15:27 +0200] "POST /wp-login.php HTTP/1.0" 301 - "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:27 +0200] "POST /wp-login.php HTTP/1.0" 301 - "HTTPS://LUCACALZATURE.IT/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:32 +0200] "POST /lc1945 HTTP/1.0" 301 244 "HTTPS://LUCACALZATURE.IT/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:32 +0200] "POST /lc1945 HTTP/1.0" 301 244 "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:32 +0200] "POST /lc1945/ HTTP/1.0" 301 - "HTTPS://LUCACALZATURE.IT/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:32 +0200] "POST /lc1945/ HTTP/1.0" 301 - "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:33 +0200] "POST /lc1945 HTTP/1.0" 301 244 "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:33 +0200] "POST /lc1945 HTTP/1.0" 301 244 "HTTPS://LUCACALZATURE.IT/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:33 +0200] "POST /lc1945/ HTTP/1.0" 301 - "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:33 +0200] "POST /lc1945/ HTTP/1.0" 301 - "HTTPS://LUCACALZATURE.IT/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:34 +0200] "POST /lc1945 HTTP/1.0" 301 244 "HTTPS://LUCACALZATURE.IT/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"
54.214.137.99 - - [01/May/2023:05:15:34 +0200] "POST /lc1945 HTTP/1.0" 301 244 "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:1 ...[Logs Truncated]

  • Comments: <<<
asked a year ago
462 views
2 Answers
0

I believe you are reading the message wrong. I believe you are being informed that your host was used to attack the site listed as part of a DDoS attack. As I read the log, I suspect that your host is 54.214.137.99 and it appears that you have SSH (tcp/22) open to public addresses on the internet as I can connect to this host via SSH from my internet connection. You should check logs on your host for unauthorized access, inspect for malware and secure the Security Group on your instance to only allow SSH from trusted IPs. In addition, I would suggest that you contact AWS support for additional information.

Hope this helps.

iBehr (AWS EXPERT)
answered a year ago
0

Your server was not secured and is now compromised. You need to delete it, start over and secure it by limiting your inbound security groups on sensitive ports. If you haven't done this yet then AWS will isolate it.

Also this is not a DDoS attack as this resembles your machine attempting to access sensitive pages on someone's WordPress login page.

David (AWS EXPERT)
answered a year ago
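
Both answers read the report the same way: the address in the first field is the reported instance, and the Referer names the site receiving the login POSTs. The following is an added example, not part of the original thread, that summarizes such an excerpt per client address; `summarize`, `ENTRY` and the sample layout are assumptions made for illustration, with entries rebuilt from the excerpt in the question.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

UA = '"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"'
# Entries rebuilt from the excerpt in the question; the fourth is cut off inside
# the user-agent the way the report truncates it, the fifth is report framing.
SAMPLE = "\n".join([
    '54.214.137.99 - - [01/May/2023:05:15:27 +0200] "POST /wp-login.php HTTP/1.0" 301 - "https://lucacalzature.it/wp-login.php" ' + UA,
    '54.214.137.99 - - [01/May/2023:05:15:32 +0200] "POST /lc1945 HTTP/1.0" 301 244 "HTTPS://LUCACALZATURE.IT/wp-login.php" ' + UA,
    '54.214.137.99 - - [01/May/2023:05:15:32 +0200] "POST /lc1945/ HTTP/1.0" 301 - "https://lucacalzature.it/wp-login.php" ' + UA,
    '54.214.137.99 - - [01/May/2023:05:15:34 +0200] "POST /lc1945 HTTP/1.0" 301 244 "https://lucacalzature.it/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:1 ...[Logs Truncated]',
    '  • Comments: <<<',
])

# Match up to the Referer only, so an entry truncated in the user-agent still counts.
ENTRY = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"')

def summarize(report_text):
    """Return ({client_ip: stats}, unparsed_line_count) for an abuse-report log excerpt."""
    stats = defaultdict(lambda: {"requests": 0, "targets": set(),
                                 "login_related": 0, "per_second": Counter()})
    unparsed = 0
    for line in report_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            if line.strip():
                unparsed += 1
            continue
        # In an access log the first field is the client address; following the
        # answers' reading (an assumption here), that is the reported instance.
        s = stats[m["client"]]
        s["requests"] += 1
        # Referer is client-supplied; in this report it is the field that names the site.
        ref = urlsplit(m["referer"])
        if ref.hostname:
            s["targets"].add(ref.hostname)  # .hostname lower-cases HTTPS://LUCACALZATURE.IT
        if m["method"] == "POST" and "wp-login.php" in m["path"] + ref.path:
            s["login_related"] += 1
        s["per_second"][m["ts"]] += 1  # timestamps have one-second resolution
    return ({ip: {"requests": s["requests"], "targets": sorted(s["targets"]),
                  "login_related": s["login_related"],
                  "peak_per_second": max(s["per_second"].values())}
             for ip, s in stats.items()}, unparsed)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```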
