I am managing a small shared hosting server. Today I received a complaint from my hosting provider that my server is sending out requests on wp-login.php pages of other websites elsewhere. I implemented the firewall rule
/sbin/iptables -I OUTPUT -p tcp --dport 80 -m string --string "wp-login.php" --algo kmp -j REJECT --reject-with tcp-reset
I tested and see from my server I can't send a request to
http://testsite.com/wp-login.php. This is great, and it works as expected.
However, I still received further complaint about this issue, so I guess a bad user is using HTTPS to attack wp-login.php of the target websites. I implemented the following rule, but it does not work
/sbin/iptables -I OUTPUT -p tcp --dport 443 -m string --string "wp-login.php" --algo kmp -j REJECT --reject-with tcp-reset
I understand, because over HTTPS URL is encrypted, so this method does not work.
I'd like to ask how should I go around with this issue to prevent/block/identify the culprit?
Thanks in advance!