LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-29-2013, 07:04 AM   #1
mkools
LQ Newbie
 
Registered: Oct 2004
Posts: 14

Rep: Reputation: 0
Apache HTTP wordpress attack?


This morning I noticed my server was sluggish, website wasn't loading at all. I checked top for CPU usage and there were a million httpd processes:

This is just maybe 10% of them:

Code:
21472 apache    20   0  424m  14m 4320 S  0.7  0.1   0:00.34 httpd
21507 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.05 httpd
21513 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.05 httpd
21515 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.05 httpd
21519 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.03 httpd
21521 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.03 httpd
21525 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.03 httpd
21537 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21545 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21551 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21573 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21601 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21605 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21619 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
21627 apache    20   0  423m   9m 2136 S  0.7  0.1   0:00.02 httpd
Then I tailed the access log and this is what I saw:

Code:
174.120.137.130 - - [29/Jun/2013:13:48:14 +0200] "GET /?639154=-434098 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://kiokreations.com"
199.204.44.162 - - [29/Jun/2013:13:48:14 +0200] "GET /?120164=-439962 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://iwebhostingreviews.com"
69.163.187.119 - - [29/Jun/2013:13:48:14 +0200] "GET /?614859=293889 HTTP/1.1" 403 5039 "-" "WordPress/3.3.1; http://tourmanilaphilippines.com"
96.126.108.63 - - [29/Jun/2013:13:48:14 +0200] "GET /?-752351=247607 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://startupdigest.com"
64.207.178.203 - - [29/Jun/2013:13:48:14 +0200] "GET /?-678052=-525969 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://extend.thecartpress.com"
78.138.112.89 - - [29/Jun/2013:13:48:14 +0200] "GET /?-235263=-244953 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.omclub.de"
216.38.52.203 - - [29/Jun/2013:13:48:14 +0200] "GET /?-83239=203434 HTTP/1.1" 403 5039 "-" "WordPress/3.5; http://pursenickety.com"
54.225.15.9 - - [29/Jun/2013:13:48:14 +0200] "GET /?375163=948579 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://tecnoblog.net"
95.128.135.66 - - [29/Jun/2013:13:48:14 +0200] "GET /?-156227=467785 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.stateofindependents.co.uk"
173.199.142.94 - - [29/Jun/2013:13:48:14 +0200] "GET /?346730=342831 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.demotivatingposters.com"
210.224.185.85 - - [29/Jun/2013:13:48:14 +0200] "GET /?726377=220053 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://www.jm7rti.biz"
184.168.193.114 - - [29/Jun/2013:13:48:14 +0200] "GET /?458881=612741 HTTP/1.1" 403 5039 "-" "WordPress/3.4.2; http://all4mychild.com/blog"
69.16.251.235 - - [29/Jun/2013:13:48:14 +0200] "GET /?-174329=-706646 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://www.legalnomads.com"
69.72.240.34 - - [29/Jun/2013:13:48:14 +0200] "GET /?666184=207606 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.jeffwidman.com/blog"
213.251.189.208 - - [29/Jun/2013:13:48:14 +0200] "GET /?-286329=456989 HTTP/1.1" 403 5039 "-" "WordPress/3.1.1; http://toulousejug.org"
152.160.255.225 - - [29/Jun/2013:13:48:14 +0200] "GET /?339317=-285118 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.krisroadruck.com"
188.121.41.163 - - [29/Jun/2013:13:48:14 +0200] "GET /?-354554=983427 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.lifehouseireland.org"
67.192.46.14 - - [29/Jun/2013:13:48:14 +0200] "GET /?775060=961327 HTTP/1.1" 403 5039 "-" "WordPress/3.3.2; http://rmhvma.org"
69.163.164.55 - - [29/Jun/2013:13:48:14 +0200] "GET /?566680=260538 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://wanglixiong.com"
12.28.104.4 - - [29/Jun/2013:13:48:14 +0200] "GET /?-497871=541039 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://becomingmidwestern.areavoices.com"
Thousands and thousands of lines coming from I think thousands of different IP addresses, all with user agent WordPress.

So I decided to block the WordPress user agent with htaccess which I found how to do with Google:

Code:
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
SetEnvIfNoCase Referer "^$" bad_user
SetEnvIfNoCase User-Agent "^WordPress" bad_user
Deny from env=bad_user
That worked like a charm, server became responsive again and the website popped back online. However the spewing in my logfiles is still going on and it makes my machine sending out a lot of traffic as you can see:

Code:
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw
  3   0  96   1   0   0|  72k  509k|   0     0 |  67k   26k| 714  2028
  2   1  97   0   0   1|   0   456k| 286k 2072k|   0     0 |4887  3117
  2   1  97   0   0   1|   0   588k| 289k 2049k|   0     0 |5051  3382
  2   1  96   0   0   1|   0   792k| 279k 2011k|   0     0 |4962  3921
  1   1  97   0   0   1|   0   100k| 263k 1935k|   0     0 |4650  2543
  1   1  97   0   0   1|   0   160k| 262k 1806k|   0     0 |4462  1506
  2   1  96   0   0   0|   0   828k| 264k 1620k|   0     0 |4496  2704
  1   1  98   0   0   0|   0    76k| 246k 1329k|   0     0 |3899  1089
So is there a more permanent way to block this kind of attack and preventing all this traffic from going out?

Thanks!
 
Old 06-30-2013, 10:42 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
Hi, on a slightly different subject recently, I was looking for a way to block adds from my browser.

I came acros one that delt with the hosts file, and one that used the iptables rules.

iptables rules...
blocking unwanted connections.
Code:
# List of ad server hostnames for use as iptables commands
#
# For more information about this list, see: http://pgl.yoyo.org/adservers/
blocking unwanted advertisments.
hosts file, a blog with helpfull comments...
Code:
http://www.putorius.net/2012/01/block-unwanted-advertisements-on.html
In reply to your post I thought one of these methods may be of use to you.

hth, Glenn
 
Old 07-04-2013, 01:42 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,155
Blog Entries: 54

Rep: Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794
Quote:
Originally Posted by mkools View Post
So is there a more permanent way to block this kind of attack and preventing all this traffic from going out?
I would strongly suggest against using a generic blocklist. Use an active log parser and blocker like fail2ban (do check its white listing options) and customize the rule set it uses by dumping the blocked IP addresses into an iptables recent list (or ipset if you can) you can use on both in and outbound chains.
 
1 members found this post helpful.
Old 07-04-2013, 11:08 PM   #4
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
Wasn't there a wordpress bug in apache that was patched last month?
 
Old 07-05-2013, 11:28 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,155
Blog Entries: 54

Rep: Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794Reputation: 2794
There was a WP release that fixed a few things (IIRC two or three weeks ago) but that particular question probably could be answered "yes" every month ;-p
 
1 members found this post helpful.
Old 07-05-2013, 05:56 PM   #6
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
I thought it may be an Apache mod patch.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Apache - HTTP Server Prone To Slow Denial Of Service Attack smithy2010 Linux - Security 2 05-30-2013 04:02 AM
Configuring WordPress to be accessible via http://ip/~user/wpdirectory/ nobuntu Linux - Software 2 12-14-2012 11:05 AM
wordpress HTTP 500 Internal error youreal Linux - Newbie 1 07-12-2012 10:39 PM
http dos attack packets Linux - Security 2 03-07-2012 07:46 AM
Attack on apache Webserver Invalid URI in request GET /./././.../etc/passwd HTTP/1.1 ajayan Linux - Newbie 3 03-22-2011 05:47 AM


All times are GMT -5. The time now is 06:35 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration