
A Wordpress security plugin notified me about login attempts to the Wordpress login but from localhost (127.0.01). This means the requests are triggered from my root server. The attempts were trying the username "admin". I believe this indicates a compromised server.

My question is: How can I identify the process or user who conducts these requests? I am using nginx as a web server. Is there a way to find the pid or process name from which the requests originate?

user1192748
  • I'm not sure what we can tell you from the log. The user agent is "Chrome 72 on Windows 10" – schroeder Feb 20 '22 at 17:56
  • We are not a log parsing service. You would need to be looking at a lot of logs to determine what is going on and where the compromise might be. – schroeder Feb 20 '22 at 17:57
  • I am sorry but I may have been too ambiguous about my question: I am not asking for others to parse my logs. I wanted to know how I can identify the process / user who performs the HTTP requests from within the root server. The logs were just added to provide more details. I will update my post. – user1192748 Feb 20 '22 at 19:21
  • This is too open-ended. You are basically asking how to perform a forensic analysis on a compromised server. Finding a PID is simple, and there are OS commands to do this. But you have to catch it as it is happening. – schroeder Feb 20 '22 at 22:18

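As an added example (not code from the question or its comments), the approach schroeder hints at: catch the loopback connection while it is open and map it to a PID from `ss -tnp` output. It assumes nginx listens on ports 80/443 and that the script runs as root; the `ss` output it parses by default is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the question or its comments: map loopback HTTP
# connections to the local process that opened them, from `ss -tnp` output.
# Assumptions: nginx listens on ports 80/443 (WEB_PORTS) and the script runs as
# root, because ss only shows process details for other users' sockets to root.

WEB_PORTS="80|443"

# Read `ss -tnp` output on stdin and print "pid process client_port" for each
# established connection whose peer is loopback on a web port. That line is the
# client end of the connection, so the process on it is the one sending requests;
# the matching nginx end (local port 80/443) is a separate line and is skipped.
local_web_clients() {
    awk -v ports="$WEB_PORTS" '
    $1 == "ESTAB" {
        # $4 is Local Address:Port, $5 is Peer Address:Port. Take the port after
        # the last colon so that [::1]:80 works as well as 127.0.0.1:80.
        n = split($4, l, ":"); lport = l[n]
        n = split($5, p, ":"); pport = p[n]
        phost = substr($5, 1, length($5) - length(pport) - 1)
        if ((phost == "127.0.0.1" || phost == "[::1]") && pport ~ ("^(" ports ")$")) {
            pid = "?"; proc = "?"
            # Process column looks like: users:(("php-fpm7.4",pid=2345,fd=12))
            if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
                s = substr($0, RSTART + 9, RLENGTH - 9)   # strip leading users:(("
                proc = s; sub(/",pid=.*/, "", proc)
                pid = s;  sub(/.*,pid=/, "", pid)
            }
            print pid, proc, lport
        }
    }'
}

# Constructed sample of `ss -tnp` output: one loopback client (php-fpm) talking
# to nginx, the nginx side of that same connection, an external client, and an
# unrelated loopback connection to MySQL.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      127.0.0.1:42610      127.0.0.1:80         users:(("php-fpm7.4",pid=2345,fd=12))
ESTAB  0      0      127.0.0.1:80         127.0.0.1:42610      users:(("nginx",pid=811,fd=9))
ESTAB  0      0      203.0.113.5:443      198.51.100.7:51234   users:(("nginx",pid=811,fd=14))
ESTAB  0      0      127.0.0.1:3306       127.0.0.1:55120      users:(("mysqld",pid=600,fd=40))'

if [ "${1:-}" = "--live" ]; then
    ss -tnp | local_web_clients                    # on the real host, as root
else
    printf '%s\n' "$SAMPLE_SS" | local_web_clients # prints: 2345 php-fpm7.4 42610
fi
```

The third column is the client's ephemeral port, which matches nginx's `$remote_port` variable if that is added to the access `log_format`, so a logged login attempt can be tied to a PID. Loopback connections are short-lived, so run it repeatedly (for example under `watch -n 1`) while the attempts are occurring.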