This morning I noticed my server was sluggish, and the website wasn't loading at all. I checked top for CPU usage and there were a million httpd processes:
This is just maybe 10% of them:
Code:
21472 apache 20 0 424m 14m 4320 S 0.7 0.1 0:00.34 httpd
21507 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.05 httpd
21513 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.05 httpd
21515 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.05 httpd
21519 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.03 httpd
21521 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.03 httpd
21525 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.03 httpd
21537 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21545 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21551 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21573 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21601 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21605 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21619 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
21627 apache 20 0 423m 9m 2136 S 0.7 0.1 0:00.02 httpd
Then I tailed the access log and this is what I saw:
Code:
174.120.137.130 - - [29/Jun/2013:13:48:14 +0200] "GET /?639154=-434098 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://kiokreations.com"
199.204.44.162 - - [29/Jun/2013:13:48:14 +0200] "GET /?120164=-439962 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://iwebhostingreviews.com"
69.163.187.119 - - [29/Jun/2013:13:48:14 +0200] "GET /?614859=293889 HTTP/1.1" 403 5039 "-" "WordPress/3.3.1; http://tourmanilaphilippines.com"
96.126.108.63 - - [29/Jun/2013:13:48:14 +0200] "GET /?-752351=247607 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://startupdigest.com"
64.207.178.203 - - [29/Jun/2013:13:48:14 +0200] "GET /?-678052=-525969 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://extend.thecartpress.com"
78.138.112.89 - - [29/Jun/2013:13:48:14 +0200] "GET /?-235263=-244953 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.omclub.de"
216.38.52.203 - - [29/Jun/2013:13:48:14 +0200] "GET /?-83239=203434 HTTP/1.1" 403 5039 "-" "WordPress/3.5; http://pursenickety.com"
54.225.15.9 - - [29/Jun/2013:13:48:14 +0200] "GET /?375163=948579 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://tecnoblog.net"
95.128.135.66 - - [29/Jun/2013:13:48:14 +0200] "GET /?-156227=467785 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.stateofindependents.co.uk"
173.199.142.94 - - [29/Jun/2013:13:48:14 +0200] "GET /?346730=342831 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.demotivatingposters.com"
210.224.185.85 - - [29/Jun/2013:13:48:14 +0200] "GET /?726377=220053 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://www.jm7rti.biz"
184.168.193.114 - - [29/Jun/2013:13:48:14 +0200] "GET /?458881=612741 HTTP/1.1" 403 5039 "-" "WordPress/3.4.2; http://all4mychild.com/blog"
69.16.251.235 - - [29/Jun/2013:13:48:14 +0200] "GET /?-174329=-706646 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://www.legalnomads.com"
69.72.240.34 - - [29/Jun/2013:13:48:14 +0200] "GET /?666184=207606 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.jeffwidman.com/blog"
213.251.189.208 - - [29/Jun/2013:13:48:14 +0200] "GET /?-286329=456989 HTTP/1.1" 403 5039 "-" "WordPress/3.1.1; http://toulousejug.org"
152.160.255.225 - - [29/Jun/2013:13:48:14 +0200] "GET /?339317=-285118 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.krisroadruck.com"
188.121.41.163 - - [29/Jun/2013:13:48:14 +0200] "GET /?-354554=983427 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.lifehouseireland.org"
67.192.46.14 - - [29/Jun/2013:13:48:14 +0200] "GET /?775060=961327 HTTP/1.1" 403 5039 "-" "WordPress/3.3.2; http://rmhvma.org"
69.163.164.55 - - [29/Jun/2013:13:48:14 +0200] "GET /?566680=260538 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://wanglixiong.com"
12.28.104.4 - - [29/Jun/2013:13:48:14 +0200] "GET /?-497871=541039 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://becomingmidwestern.areavoices.com"
Thousands and thousands of lines coming from I think thousands of different IP addresses, all with user agent WordPress.
So I decided to block the WordPress user agent with htaccess, which I found out how to do with Google:
Code:
# mod_rewrite setup (no RewriteRule follows, so these three lines are not used by the block below)
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
# Tag requests with an empty Referer or a User-Agent starting with "WordPress" (case-insensitive)
SetEnvIfNoCase Referer "^$" bad_user
SetEnvIfNoCase User-Agent "^WordPress" bad_user
# Refuse every tagged request with an HTTP 403
Deny from env=bad_user
That worked like a charm: the server became responsive again and the website popped back online. However, the spewing in my logfiles is still going on, and it makes my machine send out a lot of traffic, as you can see:
Code:
usr sys idl wai hiq siq| read writ| recv send| in out | int csw
3 0 96 1 0 0| 72k 509k| 0 0 | 67k 26k| 714 2028
2 1 97 0 0 1| 0 456k| 286k 2072k| 0 0 |4887 3117
2 1 97 0 0 1| 0 588k| 289k 2049k| 0 0 |5051 3382
2 1 96 0 0 1| 0 792k| 279k 2011k| 0 0 |4962 3921
1 1 97 0 0 1| 0 100k| 263k 1935k| 0 0 |4650 2543
1 1 97 0 0 1| 0 160k| 262k 1806k| 0 0 |4462 1506
2 1 96 0 0 0| 0 828k| 264k 1620k| 0 0 |4496 2704
1 1 98 0 0 0| 0 76k| 246k 1329k| 0 0 |3899 1089
So is there a more permanent way to block this kind of attack and prevent all this traffic from going out?
Thanks!
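As an added example that is not part of the original post, here is a small Python detector for the pattern shown in the access log above (WordPress user agent, empty referer, a single random numeric key=value query string, many distinct source IPs in the same second). The sample log lines are constructed in the documentation address ranges, and the `min_sources` threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The flood requests above carry exactly one random integer key=value pair as a cache-buster.
JUNK_QUERY_RE = re.compile(r'^-?\d+=-?\d+$')

# Constructed sample lines (documentation address ranges), modelled on the log excerpt above.
SAMPLE_LINES = [
    '198.51.100.10 - - [29/Jun/2013:13:48:14 +0200] "GET /?639154=-434098 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://example.org"',
    '198.51.100.11 - - [29/Jun/2013:13:48:14 +0200] "GET /?-752351=247607 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://example.net"',
    '198.51.100.12 - - [29/Jun/2013:13:48:14 +0200] "GET /?346730=342831 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://example.com"',
    '203.0.113.7 - - [29/Jun/2013:13:48:15 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["query"] = urlsplit(rec["path"]).query
    return rec

def is_flood_hit(rec):
    """WordPress user agent + empty referer + junk numeric query string = pingback-style hit."""
    return (rec["ua"].startswith("WordPress/")
            and rec["referer"] == "-"
            and JUNK_QUERY_RE.match(rec["query"]) is not None)

def analyse(lines, min_sources=3):
    """Summarise hits; 'flood' is set once min_sources (assumed) distinct IPs show the pattern."""
    hits = [r for r in map(parse_line, lines) if r and is_flood_hit(r)]
    per_ip = Counter(r["ip"] for r in hits)
    per_second = Counter(r["time"] for r in hits)
    return {
        "hits": len(hits),
        "distinct_sources": len(per_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "egress_bytes": sum(r["bytes"] for r in hits),  # bytes the server sent back, 403 pages included
        "flood": len(per_ip) >= min_sources,
        "sources": sorted(per_ip),
    }
```

The `egress_bytes` figure shows why the .htaccess block fixed the CPU load but not the outbound traffic: every denied request in the log still received the 5039-byte 403 page, so a rule that drops the connection before Apache answers (or a much smaller error document) is what reduces the send column.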