Softinite.com under attack Part II

Short time after cleaning up the infection, the attacks renewed, bringing down the website on periodical basis.

After some digging, it looked like some Chinese based IPs were hitting xmlrpc.php on port 80 and brute forcing ssh on 22.

This information was revealed using ‘tcptrack -i eth0’ and ‘grep sshd /var/log/*’.

‘http://www.ipvoid.com’ has also been useful in investigating various IPs.

It seemed critical to start ufw, but how does one do that over ssh and make sure not to lock him/her-self out?

‘ufw status’ will not be of much use when disabled.

‘ufw show added’ saved the day – helping to make sure port 22 will remain open when activating the firewall.