how to stop server doing bruteforce xml-rpc?

[hughes]

Hello,

I just received abuse email from the data center that my server is doing xml-rpc bruteforce, I use this server for shared hosting.
please help to check which account is doing bruteforce and how to stop this bruteforce attack.

thanks

 

[geniusmojo]

Try checking outbound connection using netstat

# netstat -nputw

looking for IP destination there, there is a PID too.

can also use tcpdump when the attack is running, or check running suspicious programs.