Did Someone Attack Me?

ockythegooner · March 16, 2021, 5:00pm

Hi,

It’s me again, I can’t login to my HestiaCP Panel, it’s said 500 Internal Server Error.

I did apt update && apt upgrade -y today, but I’m not sure if this is the cause.
So I checked the domain log and found this

[Tue Mar 16 04:42:35.301897 2021] [proxy_fcgi:error] [pid 27468:tid 140123240920832] [client 103.81.84.152:0] AH01071: Got error ‘Primary script unknown’, referer: http://mydomain/wp-login.php
[Tue Mar 16 20:32:13.201745 2021] [proxy_fcgi:error] [pid 27468:tid 140123115030272] [client 13.53.64.97:0] AH01071: Got error ‘Primary script unknown’
[Tue Mar 16 20:33:06.838635 2021] [proxy_fcgi:error] [pid 27468:tid 140123207350016] [client 91.185.186.211:0] AH01071: Got error ‘Primary script unknown’, referer: http://mydomain/wp-login.php
[Tue Mar 16 23:31:54.879961 2021] [proxy_fcgi:error] [pid 27468:tid 140123148601088] [client 37.187.135.130:0] AH01071: Got error ‘Primary script unknown’, referer: http://mydomain/wp-login.php
[Tue Mar 16 23:31:54.880904 2021] [proxy_fcgi:error] [pid 27468:tid 140123123422976] [client 37.187.135.130:0] AH01071: Got error ‘Primary script unknown’, referer: http://mydomain/wp-login.php

The weird things is, I don’t even install Wordpress, but why there is wp-login.php request?

Did someone attack me? Or it just error because of manual update via SSH?

Thank you.

ockythegooner · March 16, 2021, 5:11pm

After reboot my server, I can login again to HestiaCP.

My server is Ok, I think it’s just someone trying to brute force attack me.

Thank you.

falzo · March 16, 2021, 7:11pm

the log entries you are seeing are rather normal. welcome to the internet

in other words: there are a lot of bots running on hacked servers that are simply trying to spread or find ways into other peoples servers. for that it often is easier to just throw requests for known vulnerable frameworks or services at any available domain or IP address.

like someone would walk across a parking lot trying every cars doors to see if one of them has been left open - it’s just wild guessing.

this is most likely not a attack directly targeted at you but rather ‘ground noise’ - as you said yourself, you are not even running wordpress

for the issue with not reaching hestia: there has been an (automated) update tonight, which seems to have lead to some systems get stuck on updating/installing a specific hestia package. there sadly were more reports already of people running deb 10 and having to restart or getting stuck on the update of hestia-nginx.

we are investigating already.

ockythegooner · March 16, 2021, 7:41pm

Thank you very much for your help.

Yes I’d already follow the instructions from ScIT and everything is working well now.

Oh my, this HestiaCP is the best free panel I’ve ever seen.

system · April 15, 2021, 7:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.