Block magento rss bruteforce attacks

Lately I’ve noticed increased scan activity for the /rss/ directory; access logs show something like this:

- Birdie [17/Jun/2016:02:16:01 -0500] "GET /rss/catalog/review/ HTTP/1.1" 403 135 "-" "-"
- senthil [17/Jun/2016:02:21:52 -0500] "GET /rss/catalog/notifystock/ HTTP/1.1" 403 135 "-" "-"

To block these I’ve added the following to the nginx configuration:

# Magento RSS endpoints hit by the credential-guessing scans
location ~* /rss/catalog/notifystock {
    return 403;
}
location ~* /rss/catalog/review {
    return 403;
}
location ~* /rss/order/new {
    return 403;
}

The brute-force attempts will persist even if the RSS module is disabled in Magento.
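As an added example (not code from the original post), a small Python parser for nginx combined-format lines like the ones above that counts per-IP hits on the /rss/ paths, so you can see which sources to block; the log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the nginx "combined" format; IPs are
# documentation-range addresses, not real scanners.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2016:02:16:01 -0500] "GET /rss/catalog/review/ HTTP/1.1" 403 135 "-" "-"
203.0.113.7 - - [17/Jun/2016:02:16:03 -0500] "GET /rss/catalog/notifystock/ HTTP/1.1" 403 135 "-" "-"
203.0.113.7 - - [17/Jun/2016:02:16:05 -0500] "GET /rss/order/new/ HTTP/1.1" 403 135 "-" "-"
198.51.100.9 - - [17/Jun/2016:02:21:52 -0500] "GET /rss/catalog/notifystock/ HTTP/1.1" 403 135 "-" "-"
198.51.100.9 - - [17/Jun/2016:02:22:10 -0500] "GET /index.php/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# One regex for the combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rss_probes(log_text, threshold=2):
    """Return {ip: count} for every IP that requested a /rss/ path at least
    `threshold` times; repeated hits on these paths are the pattern the post describes."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].startswith("/rss/"):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

The returned addresses are what you would feed into a firewall deny list or a CSF temporary block.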


Enable cPanel CSF email bruteforce protection

If you have CSF installed then check these two options:

# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
LF_DISTATTACK = Default: 0 [0-1]

# Set the following to the minimum number of unique IP addresses that trigger
LF_DISTATTACK_UNIQ = Default: 2 [2-20]

Openssl commands

General OpenSSL commands

The following commands allow you to generate CSRs, certificates and private keys, and perform other related tasks.

Generate a new private key and matching certificate signing request (Unix) 

Generate a new private key and matching certificate signing request (Windows)

Generate a certificate signing request for an existing private key

Generate a certificate signing request based on an existing x509 certificate

Decrypt private key

Remove a passphrase from a private key

Checking commands

Use the following commands to check the information within a Certificate, CSR or Private Key. You can also check CSRs and certificates using our online tools.

Check a certificate signing request

Check a private key

Check a certificate

Check a PKCS#12 keystore

Debugging commands

If you are receiving certificate errors, try one of the following commands to debug an SSL connection. Use our Site Check as well to check the certificate.

Check the MD5 hash of the public key

Check an SSL connection. All certificates (also intermediates) should be shown

Converting commands

Use the following commands to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file for use with Tomcat or IIS.

Convert DER (.crt .cer .der) to PEM

Convert PEM to DER

Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

Convert (add) a separate key and certificate to a new keystore of type PKCS#12

Malware in database

I got a report these days about a site being flagged as forgery by Google Safe Browsing. Usually these situations are easy to handle, since most of the time the cause is a flaw in a PHP script that allows attackers to upload or modify .php/.js/.css files. Doing a find or restoring the files fixes the problem.

This time I did not find any modified file, but the sites were still being reported as containing malware. Then I checked the database, and it seems there were some iframe entries redirecting to malware sites. Truncating and reimporting the affected tables solved the issue.

The question remains: is there any malware scanner for databases? What if, instead of an iframe, some hardcoded strings were set? Most likely I would have missed those.
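One answer to that question, as an added example rather than anything from the original post: a Python scanner that runs a handful of regular expressions for injected iframes, remote scripts and obfuscated JavaScript over rows taken from text columns; the rows and the malware.example domain are constructed.

```python
import re

# Constructed sample rows standing in for text columns of a CMS database,
# as (table, primary key, column, value). malware.example is a placeholder.
SAMPLE_ROWS = [
    ("cms_block", 1, "content", "<p>Welcome to our store</p>"),
    ("cms_block", 2, "content",
     '<p>Free shipping</p><iframe src="http://malware.example/x.php" '
     'width="1" height="1" style="visibility:hidden"></iframe>'),
    ("core_config_data", 17, "value",
     '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script>'),
    ("cms_page", 3, "content", '<img src="/media/logo.png" alt="logo">'),
]

# Patterns a defender looks for in stored content: remote or 1x1 iframes,
# remote script tags and eval-of-decoded-string obfuscation. Case-insensitive,
# tuned for few false positives rather than completeness.
SUSPICIOUS = {
    "remote_iframe": re.compile(r'<iframe[^>]+src=["\']?https?://', re.I),
    "hidden_iframe": re.compile(r'<iframe[^>]*(width|height)=["\']?[01](?!\d)', re.I),
    "obfuscated_js": re.compile(r'eval\s*\(\s*(unescape|atob|String\.fromCharCode)', re.I),
    "remote_script": re.compile(r'<script[^>]+src=["\']?https?://', re.I),
}


def scan_rows(rows, patterns=SUSPICIOUS):
    """Return a list of (table, pk, column, pattern_name), one entry per pattern hit,
    so each finding points at the exact row to inspect or restore."""
    findings = []
    for table, pk, column, value in rows:
        if not isinstance(value, str):
            continue  # skip NULLs, numbers and binary blobs
        for name, rx in patterns.items():
            if rx.search(value):
                findings.append((table, pk, column, name))
    return findings
```

For a live database, feed the same function rows selected from every text or blob column (for example via a DB-API cursor) and diff the findings against the last known clean dump.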

WARNING: mismatch_cnt is not 0

I got an email regarding this issue saying something like:

WARNING: mismatch_cnt is not 0 on /dev/md1

The /dev/mdX can vary depending on how many RAID partitions you have. The mismatch_cnt value is the number of blocks that are not synchronized between the RAID-1 (mirrored) drives. On my server it looked something like:

To fix:

And after the repair is completed:

Then check to see what this returns:
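Added example, not the author's commands: the md sysfs attributes behind this procedure (mismatch_cnt and sync_action under /sys/block/mdX/md/), wrapped in Python so the check can run from a cron job, with a helper that builds a constructed sysfs tree in a temp dir so the functions can be exercised without a real array.

```python
import os
import tempfile

# The Linux md driver exposes per-array attributes under /sys/block/mdX/md/.
# mismatch_cnt holds the block count from the last scrub, and writing "check"
# or "repair" to sync_action starts a new one.


def md_dir(md, root="/sys"):
    return os.path.join(root, "block", md, "md")


def read_attr(md, name, root="/sys"):
    with open(os.path.join(md_dir(md, root), name)) as f:
        return f.read().strip()


def mismatch_cnt(md, root="/sys"):
    return int(read_attr(md, "mismatch_cnt", root))


def request_action(md, action, root="/sys"):
    """Start a scrub; on a real system this needs root."""
    if action not in ("check", "repair"):
        raise ValueError("action must be 'check' or 'repair'")
    with open(os.path.join(md_dir(md, root), "sync_action"), "w") as f:
        f.write(action + "\n")


def repair_if_needed(md, root="/sys"):
    """Follow the post's procedure: if mismatch_cnt is non-zero and the array
    is idle, start a repair. Returns (count, current sync_action)."""
    count = mismatch_cnt(md, root)
    if count != 0 and read_attr(md, "sync_action", root) == "idle":
        request_action(md, "repair", root)
    return count, read_attr(md, "sync_action", root)


def make_fake_sysfs(md="md1", count=128):
    """Constructed sysfs tree in a temp dir, only for trying the code out."""
    root = tempfile.mkdtemp()
    d = md_dir(md, root)
    os.makedirs(d)
    with open(os.path.join(d, "mismatch_cnt"), "w") as f:
        f.write(f"{count}\n")
    with open(os.path.join(d, "sync_action"), "w") as f:
        f.write("idle\n")
    return root
```

On a real host call repair_if_needed("md1") as root and re-read mismatch_cnt after the next check completes; a persistent non-zero count after a repair points at a failing drive rather than stale data.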

Plesk down after upgrade localhost.localdomain

After upgrading to 10.3.1, when accessing https://host:8443/ you get redirected to:

To fix:

/usr/local/psa/bin/sso -g

/usr/share/plesk-billing/update-hostname --new-hostname=
/usr/share/plesk-billing/repair-integration --command=repair-all --idp-url=https://:8443

planetbackup has a uid 0 account

cPanel bugs me with this message every day on several servers. It seems to come from the tool used to handle backups.

Though I don’t understand why it needs uid 0, or why the “OwN3D” word. This does not look too professional.

Anyway, to get past this you can run:

sed -i 's/$user ne "planetbackup"/$user ne "toor" \&\& $user ne "admin"/g' /scripts/hackcheck; echo "/scripts/hackcheck" >> /etc/cpanelsync.exclude

This is the full email warning:


IMPORTANT: Do not ignore this email.
This message is to inform you that the account planetbackup has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.