I made a file list ~jwsmythe123/files.list . Quick way to find any file accessible by me.

[ps94726]$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb1       3.6T  2.9T  773G  79% /
none            128M  3.6M  125M   3% /tmp

System time:   Mon Aug 10 13:25:33 PDT 2020
My local time: Mon Aug 10 19:25:33 EDT 2020

It looks like Apache is storing all the logs together here, since a year ago. Taking the last 250k to review.

[ps94726]$ pwd
/dh/apache2/logs/apache2-ps94726
[ps94726]$ tail -250000 mega.log | head -1
jonwhi5 brainwashed brainwashed.com [07/Aug/2020:22:59:00 -0700] 184.64.165.111 "GET /podcast/video.xml HTTP/1.1" 200 "Podcasts/1440.4 CFNetwork/1128.0.1 Darwin/19.6.0" "/home/brainwashed/brainwashed.com/podcast/video.xml" 1839

11:43 pacific == 14:43 Eastern. Jon said he restarted it then.

Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
[Mon Aug 10 10:17:01 2020] [warn] mod_fcgid: cleanup zombie process 32654
[Mon Aug 10 10:17:13 2020] [warn] mod_fcgid: cleanup zombie process 29833
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
[Mon Aug 10 11:43:08 2020] [warn] RSA server certificate CommonName (CN) `sni.dreamhost.com' does NOT match server name!?
[Mon Aug 10 11:43:08 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Aug 10 11:43:08 2020] [notice] suEXEC mechanism enabled (wrapper: /usr/local/dh/apache2/template/sbin/suexec)
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity: APR compiled version="1.5.2"; loaded version="1.5.2"
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity: PCRE compiled version="8.31 "; loaded version="5.0 13-Sep-2004"
[Mon Aug 10 11:43:09 2020] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity: YAJL compiled version="2.0.4"
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Aug 10 11:43:09 2020] [notice] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon Aug 10 11:43:09 2020] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 10 11:43:09 2020] [notice] Digest: done
[Mon Aug 10 11:43:09 2020] [warn] RSA server certificate CommonName (CN) `sni.dreamhost.com' does NOT match server name!?
[Mon Aug 10 11:43:09 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Aug 10 11:43:09 2020] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/local/dh/apache2/template/sbin/suexec)
[Mon Aug 10 11:43:09 2020] [notice] FastCGI: process manager initialized (pid 8115)
[Mon Aug 10 11:43:10 2020] [warn] pid file /var/run/apache2-ps94726-httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Aug 10 11:43:10 2020] [notice] Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1f mod_fastcgi/2.4.6 mod_fcgid/2.3.6 configured -- resuming normal operations
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - extension already loaded
Cannot load Zend OPcache - it was already loaded

# look more at this 20200810 1740
[ps94726]$ grep elizabethbenedict.com access.log.20200810 | wc -l
641

# One of the most hit remote things...
113 elizabethbenedict.com "POST /xmlrpc.php

# Also ...
#jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:02:30:43 -0700] 75.119.214.33 "POST /wp-cron.php?doing_wp_cron=1597051842.9340128898620605468750 HTTP/1.1" 200 "WordPress/5.4.2; https://www.elizabethbenedict.com" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/wp-cron.php" 1051232

# Top requestor 2020.08.10 for wp-login
grep /wp-login.php access.log.20200810 | cut -f 3,6,7,8 -d ' ' | cut -f 2 -d ' ' | sort | uniq -c | sort -r -n -k 1 | less
5357 88.218.17.117 # Serverius, NL
12 51.75.142.24 # OVH, FR
10 62.210.185.4 # Online.net, FR
10 54.37.17.21 # OVH, FR

[ps94726]$ grep xmlrpc.php access.log.20200810 | wc -l
1181

grep xmlrpc.php access.log.20200810 | cut -f 3,6,7,8 -d ' ' | cut -f 2 -d ' ' | sort | uniq -c | sort -r -n -k 1 | less
933 104.41.53.241 # MSN
12 62.210.141.218 # Online.net, FR
12 40.114.54.111 # MSN
12 213.217.0.7 # Hostway, RU

# Last 4 days
grep /wp-login.php access.log.* | cut -f 3,6,7,8 -d ' ' | cut -f 2 -d ' ' | sort | uniq -c | sort -r -n -k 1 | less
5357 88.218.17.117 # Serverius, NL
2979 85.204.246.240 # Parfumuri, RO
44 195.154.41.42
24 185.79.156.187

grep /xmlrpc.php access.log.* | cut -f 3,6,7,8 -d ' ' | cut -f 2 -d ' ' | sort | uniq -c | sort -r -n -k 1 | less
933 104.41.53.241 # MSN
616 85.204.246.240 # Parfumuri, RO
15 213.217.0.7
14 88.218.17.117

Watch for hits on either
tail -f /dh/apache2/logs/apache2-ps94726/mega.log | egrep -i 'xmlrpc|wp-login'

Read logs, to see what they did /var/tmp/

##############################################################
## 20200811
## Look here.
64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 629083
jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:20:23:50 -0700] 185.246.65.41 "POST /xmlrpc.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php" 127649
^C
[ps94726]$
Broadcast message from root@ps94726 (unknown) at 8:36 ...

The system is going down for reboot NOW!
Control-Alt-Delete pressed

##############################################################

[ps94726]$ ^C
[ps94726]$ tail -f /dh/apache2/logs/apache2-ps94726/mega.log | egrep -i 'xmlrpc|wp-login'
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:40:22 -0700] 192.0.113.180 "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 158587
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:40:32 -0700] 192.0.113.208 "POST /wp-json/jetpack/v4/verify_xmlrpc_error/ HTTP/1.1" 200 "WordPress.com; https://www.dontsweattheessay.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/index.php" 1036831
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:40:32 -0700] 192.0.112.66 "POST /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113631&nonce=uvo7sz6BZh&body-hash=MU%2F9QF7yeml7MuXpqX%2FplR4j4aQ%3D&signature=P%2FS2sXCz%2FtSYK6WrDnX9eD8PCus%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 1867468
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:40:30 -0700] 192.0.101.156 "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 28620355
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:41:04 -0700] 192.0.117.238 "POST /xmlrpc.php?for=jetpack&token=%40gMThz%28jZZT986Wl2Qnj%26Jti0vw%406vgE%3A1%3A0&timestamp=1597113662&nonce=XfOqHV0VbN&body-hash=x918o97VOXXP9DD7Ph2eT0J7PLk%3D&signature=RuwqNilN64M0at9niOAwVeMVUNk%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 1257335
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:41:26 -0700] 192.0.100.233 "POST /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113686&nonce=9upwGhTeT2&body-hash=pdst%2B%2B8gjpsEsdzTGdS19%2BYN3g4%3D&signature=JPumzUcAQuhPMftiRl0XJu8cf4s%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 228800
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:41:26 -0700] 192.0.101.208 "POST /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113686&nonce=RWrgm5LWpO&body-hash=UPKSUqxlpOxdROhlRaDe%2BAAZRJw%3D&signature=8TfuCxuOKg9Prx3ZA5Sa%2FBVh5j0%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 2300191
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:41:26 -0700] 192.0.100.29 "POST /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113686&nonce=9ERzH5fxoD&body-hash=z6TseBKCknDBHP72DalbhCCA2tU%3D&signature=Eye44mz3Q9NtNi6gE0V3uhSarNo%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 2312526
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:41:57 -0700] 192.0.86.161 "POST /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113717&nonce=n1BhQGkSZk&body-hash=k96JvTdg84b9GPtprWjlzIK82EQ%3D&signature=Cam2vZxS%2BvAi%2FLkKnSLpiPtifvA%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 10448976
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:19:42:08 -0700] 192.0.86.161 "POST /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113728&nonce=VNjC29B6F5&body-hash=tOpgpG6e6PurBFhSr4LNdWvuuOk%3D&signature=T3NOQXPlbWNHblUWEFNoYDsJdiQ%3D HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 20983648
jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:19:47:56 -0700] 106.13.95.248 "POST /xmlrpc.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php" 433919
jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:19:56:17 -0700] 185.62.188.4 "POST /xmlrpc.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php" 127360
jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:20:04:17 -0700] 159.65.107.126 "POST /xmlrpc.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php" 129275
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:20:04:58 -0700] 47.196.217.248 "GET /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113717&nonce=n1BhQGkSZk&body-hash=k96JvTdg84b9GPtprWjlzIK82EQ%3D&signature=Cam2vZxS%2BvAi%2FLkKnSLpiPtifvA%3D HTTP/1.1" 301 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "http://www.dontsweattheessay.com/xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113717&nonce=n1BhQGkSZk&body-hash=k96JvTdg84b9GPtprWjlzIK82EQ%3D&signature=Cam2vZxS%2BvAi%2FLkKnSLpiPtifvA%3D" 1091
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:20:04:58 -0700] 47.196.217.248 "GET /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%240B%29nApvBS6bBr5E3f%3A1%3A2&timestamp=1597113717&nonce=n1BhQGkSZk&body-hash=k96JvTdg84b9GPtprWjlzIK82EQ%3D&signature=Cam2vZxS%2BvAi%2FLkKnSLpiPtifvA%3D HTTP/1.1" 301 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "https://www.dontsweattheessay.com/xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%25240B%2529nApvBS6bBr5E3f%253A1%253A2&timestamp=1597113717&nonce=n1BhQGkSZk&body-hash=k96JvTdg84b9GPtprWjlzIK82EQ%253D&signature=Cam2vZxS%252BvAi%252FLkKnSLpiPtifvA%253D" 2855
jonwhi5 dontsweattheessay dontsweattheessay.com [10/Aug/2020:20:04:58 -0700] 47.196.217.248 "GET /xmlrpc.php?for=jetpack&token=fKuTMTAhLCV4Uf%25240B%2529nApvBS6bBr5E3f%253A1%253A2&timestamp=1597113717&nonce=n1BhQGkSZk&body-hash=k96JvTdg84b9GPtprWjlzIK82EQ%253D&signature=Cam2vZxS%252BvAi%252FLkKnSLpiPtifvA%253D HTTP/1.1" 405 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "/home/dontsweattheessay/brainwashed.com/eb/essay/xmlrpc.php" 629083
jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:20:23:50 -0700] 185.246.65.41 "POST /xmlrpc.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php" 127649
^C
[ps94726]$
Broadcast message from root@ps94726 (unknown) at 8:36 ...

The system is going down for reboot NOW!
Control-Alt-Delete pressed

========================================================================================

brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$ ^C
brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$ date
Tue Aug 11 09:41:00 PDT 2020
brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb1       3.6T  2.9T  772G  79% /
none            128M  760K  128M   1% /tmp
brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$
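
The per-IP counts of /wp-login.php and /xmlrpc.php requests taken above with grep | cut | sort | uniq -c, redone as an added example that is not part of the original notes: it matches on the request URI field only, so lines such as /wp-json/jetpack/v4/verify_xmlrpc_error/ are not counted, and it splits the totals by vhost and endpoint with a separate POST count. The field positions are inferred from the mega.log lines shown here; the function names, the sitea.example/siteb.example vhosts and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Field layout assumed from the
# mega.log lines above: $3 vhost, $6 client IP, $7 "METHOD, $8 request URI.

# Constructed sample input: documentation-range IPs, hypothetical vhosts.
sample_log() {
  a='jonwhi5 sitea sitea.example [10/Aug/2020:02:30:43 -0700]'
  b='jonwhi5 siteb siteb.example [10/Aug/2020:02:31:10 -0700]'
  for i in 1 2 3 4 5 6; do
    printf '%s 203.0.113.7 "POST /wp-login.php HTTP/1.1" 200 "Mozilla/5.0" "/home/sitea/wp-login.php" 1051\n' "$a"
  done
  printf '%s 203.0.113.7 "GET /wp-login.php HTTP/1.1" 200 "Mozilla/5.0" "/home/sitea/wp-login.php" 998\n' "$a"
  for i in 1 2 3; do
    printf '%s 198.51.100.9 "POST /blog/xmlrpc.php?for=jetpack HTTP/1.1" 200 "Jetpack by WordPress.com" "/home/siteb/blog/xmlrpc.php" 1585\n' "$b"
  done
  # Mentions "xmlrpc" but is a REST route, so it must not be counted.
  printf '%s 192.0.2.44 "POST /wp-json/jetpack/v4/verify_xmlrpc_error/ HTTP/1.1" 200 "WordPress.com" "/home/siteb/index.php" 1036\n' "$b"
}

# login_endpoint_hits THRESHOLD < logfile
# Prints "total posts ip vhost endpoint" for each (ip, vhost, endpoint) whose
# total request count is at or above THRESHOLD, busiest first.
login_endpoint_hits() {
  awk -v min="$1" '
    {
      uri = $8; sub(/\?.*/, "", uri)            # group ?for=jetpack&token=... together
      if (uri !~ /\/(wp-login|xmlrpc)\.php$/) next
      ep = uri; sub(/.*\//, "", ep)             # endpoint name without its directory
      key = $6 " " $3 " " ep
      total[key]++
      if ($7 == "\"POST") posts[key]++          # POSTs carry login attempts and XML-RPC calls
    }
    END { for (k in total) if (total[k] >= min + 0) print total[k], posts[k] + 0, k }
  ' | sort -k1,1nr -k3,3
}

# Against a real log: login_endpoint_hits 100 < access.log.20200810
sample_log | login_endpoint_hits 3
```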