LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Apache HTTP wordpress attack? (https://www.linuxquestions.org/questions/linux-security-4/apache-http-wordpress-attack-4175467813/)

mkools 06-29-2013 07:04 AM
Apache HTTP wordpress attack?
 
This morning I noticed my server was sluggish, website wasn't loading at all. I checked top for CPU usage and there were a million httpd processes:

This is just maybe 10% of them:

Code:
21472 apache    20  0  424m  14m 4320 S  0.7  0.1  0:00.34 httpd
21507 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.05 httpd
21513 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.05 httpd
21515 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.05 httpd
21519 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.03 httpd
21521 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.03 httpd
21525 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.03 httpd
21537 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21545 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21551 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21573 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21601 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21605 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21619 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
21627 apache    20  0  423m  9m 2136 S  0.7  0.1  0:00.02 httpd
Then I tailed the access log and this is what I saw:

Code:
174.120.137.130 - - [29/Jun/2013:13:48:14 +0200] "GET /?639154=-434098 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://kiokreations.com"
199.204.44.162 - - [29/Jun/2013:13:48:14 +0200] "GET /?120164=-439962 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://iwebhostingreviews.com"
69.163.187.119 - - [29/Jun/2013:13:48:14 +0200] "GET /?614859=293889 HTTP/1.1" 403 5039 "-" "WordPress/3.3.1; http://tourmanilaphilippines.com"
96.126.108.63 - - [29/Jun/2013:13:48:14 +0200] "GET /?-752351=247607 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://startupdigest.com"
64.207.178.203 - - [29/Jun/2013:13:48:14 +0200] "GET /?-678052=-525969 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://extend.thecartpress.com"
78.138.112.89 - - [29/Jun/2013:13:48:14 +0200] "GET /?-235263=-244953 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.omclub.de"
216.38.52.203 - - [29/Jun/2013:13:48:14 +0200] "GET /?-83239=203434 HTTP/1.1" 403 5039 "-" "WordPress/3.5; http://pursenickety.com"
54.225.15.9 - - [29/Jun/2013:13:48:14 +0200] "GET /?375163=948579 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://tecnoblog.net"
95.128.135.66 - - [29/Jun/2013:13:48:14 +0200] "GET /?-156227=467785 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.stateofindependents.co.uk"
173.199.142.94 - - [29/Jun/2013:13:48:14 +0200] "GET /?346730=342831 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.demotivatingposters.com"
210.224.185.85 - - [29/Jun/2013:13:48:14 +0200] "GET /?726377=220053 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://www.jm7rti.biz"
184.168.193.114 - - [29/Jun/2013:13:48:14 +0200] "GET /?458881=612741 HTTP/1.1" 403 5039 "-" "WordPress/3.4.2; http://all4mychild.com/blog"
69.16.251.235 - - [29/Jun/2013:13:48:14 +0200] "GET /?-174329=-706646 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://www.legalnomads.com"
69.72.240.34 - - [29/Jun/2013:13:48:14 +0200] "GET /?666184=207606 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.jeffwidman.com/blog"
213.251.189.208 - - [29/Jun/2013:13:48:14 +0200] "GET /?-286329=456989 HTTP/1.1" 403 5039 "-" "WordPress/3.1.1; http://toulousejug.org"
152.160.255.225 - - [29/Jun/2013:13:48:14 +0200] "GET /?339317=-285118 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.krisroadruck.com"
188.121.41.163 - - [29/Jun/2013:13:48:14 +0200] "GET /?-354554=983427 HTTP/1.1" 403 5039 "-" "WordPress/3.5.1; http://www.lifehouseireland.org"
67.192.46.14 - - [29/Jun/2013:13:48:14 +0200] "GET /?775060=961327 HTTP/1.1" 403 5039 "-" "WordPress/3.3.2; http://rmhvma.org"
69.163.164.55 - - [29/Jun/2013:13:48:14 +0200] "GET /?566680=260538 HTTP/1.1" 403 5039 "-" "WordPress/3.5.2; http://wanglixiong.com"
12.28.104.4 - - [29/Jun/2013:13:48:14 +0200] "GET /?-497871=541039 HTTP/1.1" 403 5039 "-" "WordPress/3.4.1; http://becomingmidwestern.areavoices.com"
Thousands and thousands of lines coming from I think thousands of different IP addresses, all with user agent WordPress.

So I decided to block the WordPress user agent with htaccess which I found how to do with Google:

Code:
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
SetEnvIfNoCase Referer "^$" bad_user
SetEnvIfNoCase User-Agent "^WordPress" bad_user
Deny from env=bad_user
That worked like a charm, server became responsive again and the website popped back online. However the spewing in my logfiles is still going on and it makes my machine sending out a lot of traffic as you can see:

Code:
usr sys idl wai hiq siq| read  writ| recv  send|  in  out | int  csw
  3  0  96  1  0  0|  72k  509k|  0    0 |  67k  26k| 714  2028
  2  1  97  0  0  1|  0  456k| 286k 2072k|  0    0 |4887  3117
  2  1  97  0  0  1|  0  588k| 289k 2049k|  0    0 |5051  3382
  2  1  96  0  0  1|  0  792k| 279k 2011k|  0    0 |4962  3921
  1  1  97  0  0  1|  0  100k| 263k 1935k|  0    0 |4650  2543
  1  1  97  0  0  1|  0  160k| 262k 1806k|  0    0 |4462  1506
  2  1  96  0  0  0|  0  828k| 264k 1620k|  0    0 |4496  2704
  1  1  98  0  0  0|  0    76k| 246k 1329k|  0    0 |3899  1089
So is there a more permanent way to block this kind of attack and preventing all this traffic from going out?

Thanks!

GlennsPref 06-30-2013 10:42 PM
Hi, on a slightly different subject recently, I was looking for a way to block adds from my browser.

I came acros one that delt with the hosts file, and one that used the iptables rules.

iptables rules...
blocking unwanted connections.
Code:
# List of ad server hostnames for use as iptables commands
#
# For more information about this list, see: http://pgl.yoyo.org/adservers/
blocking unwanted advertisments.
hosts file, a blog with helpfull comments...
Code:
http://www.putorius.net/2012/01/block-unwanted-advertisements-on.html
In reply to your post I thought one of these methods may be of use to you.

hth, Glenn

unSpawn 07-04-2013 01:42 AM
Quote:
Originally Posted by mkools (Post 4980706)
So is there a more permanent way to block this kind of attack and preventing all this traffic from going out?
I would strongly suggest against using a generic blocklist. Use an active log parser and blocker like fail2ban (do check its white listing options) and customize the rule set it uses by dumping the blocked IP addresses into an iptables recent list (or ipset if you can) you can use on both in and outbound chains.

GlennsPref 07-04-2013 11:08 PM
Wasn't there a wordpress bug in apache that was patched last month?

unSpawn 07-05-2013 11:28 AM
There was a WP release that fixed a few things (IIRC two or three weeks ago) but that particular question probably could be answered "yes" every month ;-p

GlennsPref 07-05-2013 05:56 PM
I thought it may be an Apache mod patch.


All times are GMT -5. The time now is 07:11 AM.