LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-09-2015, 12:21 AM   #1
chobong
Member
 
Registered: Jan 2010
Posts: 90

Rep: Reputation: 15
Server very high load when wordpress was attacked


Hi All

My wordpress was attacked and it made my server very high load. After that users couldn't connect to all other websites in the same server. It seems wordpress took all resources of the server at that time.
I checked and found so many strange logs from an unique IP.
Quote:
wp-content/plugins/ztmxl.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1
/wp-content/uploads/class.salt.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 18135 "-" "-"
/wp-includes/Text/class.salt.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 18135 "-" "-"
...
Most of request has this "450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1"

Could you please help in this issue?

Thanks a lot.
 
Old 10-09-2015, 05:23 AM   #2
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 537

Rep: Reputation: 79
Did you try to install fail2ban?

This is what you need to ban automatically IP with bad behavior.
 
1 members found this post helpful.
Old 10-09-2015, 05:54 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I stuck abdullkarem into my filter.conf a while ago.
1 hit and they're toast.

Last edited by Habitual; 10-09-2015 at 05:58 AM.
 
1 members found this post helpful.
Old 10-11-2015, 10:54 PM   #4
chobong
Member
 
Registered: Jan 2010
Posts: 90

Original Poster
Rep: Reputation: 15
Thanks a lot for your help angle115 and Habitual

But this log came from an attack? What attack? Brute force or something else?

Could you please explain me more about this?

Thank you.
 
Old 10-11-2015, 11:21 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,457
Blog Entries: 25

Rep: Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449Reputation: 4449
Random attacks and port scans are a fact of online life.

Not nice folks are constantly looking for vulnerabilities. They don't care who you are. They just want you for your vulnerabilities.

Last edited by frankbell; 10-11-2015 at 11:22 PM.
 
Old 10-12-2015, 01:58 AM   #6
chobong
Member
 
Registered: Jan 2010
Posts: 90

Original Poster
Rep: Reputation: 15
Thank you Frankbell
 
Old 10-12-2015, 04:36 PM   #7
fastdns
LQ Newbie
 
Registered: Oct 2015
Posts: 12

Rep: Reputation: Disabled
Need help please

Hi Habitual,

Quote:
Originally Posted by Habitual View Post
I stuck abdullkarem into my filter.conf a while ago.
1 hit and they're toast.
I am keen to know where this filter.conf is. I run WHM and my server is getting some very bad attacks from this "abdullkarem" scans.

Any help you can provide in blocking this scan would be really appreciated. I have lost my peace of mind because of this ongoing attacks (and my server has sky rocketed to 80 load as I type this)

Help :-(
 
Old 10-12-2015, 04:42 PM   #8
fastdns
LQ Newbie
 
Registered: Oct 2015
Posts: 12

Rep: Reputation: Disabled
Also, I do have some basic tools in place such as :
- ConfigServer Security Firewall
- ConfigServer Exploit Scanner
- Comodo's WAF Mod Security Ruleset
- wp-login protection script (that challenges wordpress's login page)

but none of them seem to help in this case.

Please help.
 
Old 10-12-2015, 05:24 PM   #9
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by fastdns View Post
Hi Habitual,

I am keen to know where this filter.conf is. I run WHM and my server is getting some very bad attacks from this "abdullkarem" scans.
You'll need to install fail2ban from the repo.
WHM is CentOS-flavored, so
Code:
sudo yum install fail2ban
sudo touch  /etc/fail2ban/filter.d/myfilter.conf
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After that, we'll proceed.
 
Old 10-12-2015, 08:21 PM   #10
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 604

Rep: Reputation: 301Reputation: 301Reputation: 301Reputation: 301
I would also suggest some iptable rules to prevent a ip to DOS'ing you.

Something like this

Code:
iptables -A INPUT -p tcp -m hashlimit --hashlimit-name NORMAL_USAGE --hashlimit-mode srcip --hashlimit 25/minute --hashlimit-burst 120 -j ACCEPT
iptables -A INPUT -j DROP
IMO, a ip making a ton of requests (legit or not) should slow down if they want to access my server. Shouldn't affect any "human" user.
 
Old 10-12-2015, 11:39 PM   #11
fastdns
LQ Newbie
 
Registered: Oct 2015
Posts: 12

Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
You'll need to install fail2ban from the repo.
WHM is CentOS-flavored, so
Code:
sudo yum install fail2ban
sudo touch  /etc/fail2ban/filter.d/myfilter.conf
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After that, we'll proceed.
Hi Habitual,

I have successfully installed Fail2ban and copied the conf files as advised.

What should be done next ?

Thanks for your help.
 
Old 10-13-2015, 01:21 AM   #12
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 537

Rep: Reputation: 79
To make sure that Fail2ban is working you can do 3 things
  1. ps aux |grep fail
    and you should see the process running
    Code:
    root     21374  0.1  0.3 125428  5736 ?        Sl   May25 231:27 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
  2. iptables --list
    and you should see a rule for each module that you have activated
    Code:
    Chain fail2ban-apache (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-multiport (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-noscript (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-overflows (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-pam-generic (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh-ddos (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
  3. Fom on other machine you can run a vulnerability test against your machine and see if the scanning machine get banned (with the command above 'Step 2')
    For example if your machine you try to protect is running a web server you can do this with nikto
    Ex: nikto -h 10.0.0.2
 
Old 10-13-2015, 02:50 AM   #13
fastdns
LQ Newbie
 
Registered: Oct 2015
Posts: 12

Rep: Reputation: Disabled
Thanks for your input angel, but I haven't really added any rules for the wordpress "abdullkarem" attacks that are going on my server right now.

My fail2ban is working fine, but I believe I will have to add some specific rule, which habitual said he added in filter.conf ?

Please help and thank you in advance.
 
Old 10-13-2015, 08:02 AM   #14
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I forgot to ask you to create the action.conf, so
we'll do that below.

You'll need to edit /etc/fail2ban/jail.local and add
Code:
[myfilter]

enabled  = true
filter   = myfilter
port	 = http
action   = myaction[name=myfilter, port="http", protocol=tcp]
logpath  = /var/log/apache2/access.log
backend  = polling
findtime = 600 
bantime  = 31556926 ; 1 year in seconds
maxretry = 1
ignoreip = 127.0.0.1/8 <do_not_ban0>/32 <do_not_ban1>/32
You'll need to verify that your apache2 access.log is at /var/log/apache2/access.log
before this edit and adjust as necessary.

NOTES:
Spacing counts here! So use either a constant tab or spaces in the edits, but not both.
I suggest spaces. Just make certain that they all "line up" equally on the right-side of the "=" in the jail.local
and all .conf files you edit, and you should be good.

<do_not_ban0> and <do_not_ban1>
are IPs that are excluded from fail2ban, such as your home IP address and or work ip, other...
eg:
Code:
123.123.123.123/32
234.234.234.234/32
You can have more than 2 <do_not_ban>/32 IPs...
I also include the server's external internet-facing IP as good measure.


The filter and action statements:
Code:
filter   = myfilter
action   = myaction
filter points to /etc/fail2ban/filter.d/myfilter.conf
action points to /etc/fail2ban/action.d/myaction.conf

in the (should be) empty file at /etc/fail2ban/filter.d/myfilter.conf, use
Code:
[Definition]

docroot = /var/www/html
badadmin = wp-login.php|abdullkarem

failregex = ^<HOST> .*"GET \/(?:(badadmin)s).*?"
            ^<HOST> .*"POST \/(?:(badadmin)s).*?"
	    ^<HOST> .* client denied by server configuration.*?
            ^<HOST> .* "GET .*abdullkarem.*" .*$
Verify your DocumentRoot (docroot) before this edit, or after, but it must be correct before you start fail2ban.
Spacing counts here (in all .conf files for fail2ban) also.

Now the forgotten myaction.conf:
Create by edit /etc/fail2ban/action.d/myaction.conf and add:
Code:
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              /sbin/iptables-save > /root/safe.rules

actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             /sbin/iptables-save > /root/safe.rules

actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            /sbin/iptables-save > /root/safe.rules

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
name = default
port = http
protocol = tcp
chain = INPUT
Now we test our config manually before starting fai2ban:
Code:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/myfilter.conf
You should see a lot of stuff fly by on the screen.
The "tell" that it is correctly catching bad guys is this line in the Summary of the output:
Code:
Success, the total number of match is <some_number>
NOTE: Excluded IPs will show up in a manual run of the filter.

If the test is NOT successful, verify your edits and re-check manually.

More NOTES:
the reason we use
/etc/fail2ban/jail.local
/etc/fail2ban/filter.d/myfilter.conf
/etc/fail2ban/action.d/myfilter.conf
is because fail2ban 'reads' jail.conf files first then jail.local and custom actions
and custom filters are excluded during package upgrades if they are so named. jail.local
is safe from upgrades also.

I included wp-login.php above because that is usually the first thing attackers
go after, brute forcing your admin account.

IF your site allows other 'users' to login (editors and contributors of 'content'
other that the admin account), you will need to exclude their IPs, or remove
wp-login.php from badadmin in myfilter.conf

myfilter.conf and myaction.conf in those directories can be any name you choose,
and will be excluded if fail2ban is upgraded.

If the test is successful, you then start fail2ban, but...
I suggest you save your IP tables rules first, as fail2ban restarts iptables and those
are stored in memory, so I tend to use
Code:
/sbin/iptables-save > /root/safe.rules
manually first before starting fail2ban.

When fail2ban starts, stops or ban using the above myaction.conf, it will save the iptables to /root/safe.rules
as a safety measure.

Code:
bantime  = 31556926 ; 1 year in seconds
is ban the bad guys for a whole year.

I hope this helps you out.
fail2ban out of the box, starts sshd protection, but you may wish to add your home and/or work IPs
to the
Code:
[ssh]
...
ignoreip = 127.0.0.1/8 <do_not_ban0>/32 <do_not_ban1>/32
in /etc/fail2ban/jail.local
for good measure.

That should get you started.
I probably forgot something but I pray it's not a fatal omission.

Subscribed with interest...

Last edited by Habitual; 10-14-2015 at 07:24 AM.
 
2 members found this post helpful.
Old 10-13-2015, 10:26 AM   #15
fastdns
LQ Newbie
 
Registered: Oct 2015
Posts: 12

Rep: Reputation: Disabled
Hi,

Thank you so much for taking time to write this easy-to-understand steps.

In my /etc/fail2ban/jail.local, I added my apache logpath as :

Code:
logpath  = /usr/local/apache/logs/access_log
In my /etc/fail2ban/filter.d/myfilter.conf , I added my docroot as :

Code:
docroot   = /usr/local/apache/htdocs
I used rest of the configs that you gave as is.

Then when I test fail2ban (while fail2ban service is still off ), I see this :

Code:
root@lsn5 [~]# fail2ban-regex /usr/local/apache/logs/access_log /etc/fail2ban/filter.d/myfilter.conf                                                                    

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/myfilter.conf
Use log file   : /usr/local/apache/logs/access_log

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
root@lsn5 [~]#
Did I miss something ?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
mysql server not responding with high cpu usage and high load avgs landysaccount Linux - Server 2 09-15-2013 03:46 AM
How to use Apache Bench to simulate server load on a Wordpress cluster? sneakyimp Linux - Server 5 01-21-2013 01:46 AM
[SOLVED] tc-server high load zhjim Linux - Software 6 09-25-2012 07:23 AM
Server load gets really high... Skillz Linux - Software 24 05-19-2010 03:38 AM
server load high graziano1968 Linux - General 5 03-12-2009 01:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:15 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration