httpd-users mailing list archives

From Richard <lists-apa...@listmail.innovate.net>
Subject Re: [users@httpd] Possible DOS Attack
Date Fri, 20 May 2016 23:36:14 GMT


> Date: Friday, May 20, 2016 16:09:58 -0700
> From: Kurtis Rader <krader@skepticism.us>
>
> On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand
> <rgelfand2@gmail.com> wrote:
> 
>> In the last 2 days we have received roughly 1 million of the
>> following requests.  Just to confirm, is this a DOS attack?
>> 
>> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
>> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows
>> NT 6.0)"
>> 
> 
> Probably just broken malware trying to guess WordPress account
> credentials. It's probably been handed just your host name or IP
> address and, not having any other victims to target, keeps
> repeatedly hitting your site. I occasionally see this type of
> behavior. I have my firewall configured to blackhole the source
> when there are an unreasonable number of POST requests in a short
> interval.
> 
> 
>> Also, what does this mean?
>> 
>> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
>> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
>> connection)"
>> 
> 
> It's checking whether your web server allows the OPTIONS command
> which might allow other forms of attacks to succeed. I strongly
> recommend disallowing that HTTP command. Easiest way is via
> mod_allowmethods:
> https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

This:

  > ::1 - - [20/May/2016:18:26:09 -0400] ...

is coming from your localhost-ipv6 -- i.e., these are being generated
by something on the server itself.

In the case of the connections from "191.96.249.52" ... I would just
firewall off that ip (and associated range as necessary) with
iptables.
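Kurtis's rule of thumb above (blackhole a source that sends an unreasonable number of POST requests in a short interval) and Richard's suggestion to firewall the address with iptables, as an added example that is not part of this thread: a small Python script that parses Apache combined-format log lines like the ones quoted, counts POSTs to /xmlrpc.php per source address inside a sliding time window, skips loopback sources (the ::1 "internal dummy connection" line is the server talking to itself, as Richard points out) and renders the iptables DROP rule for each flagged source without executing it. The sample log lines (other than the two quoted in the thread), the threshold and window values and the helper names are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Apache "combined" log format, the format of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, req, status="500", size="251",
          ua="Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{req}" {status} {size} "-" "{ua}"'


# Constructed sample log: the internal dummy connection and one xmlrpc POST
# from the thread, a benign GET, a burst of seven POSTs from the quoted
# source, and two slow POSTs from a second (documentation-range) address.
SAMPLE_LOG = [
    '::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy connection)"',
    _line("198.51.100.7", "20/May/2016:18:19:20 -0400", "GET /index.php HTTP/1.1", "200", "4096"),
] + [
    _line("191.96.249.52", f"20/May/2016:18:19:{22 + i:02d} -0400", "POST /xmlrpc.php HTTP/1.0")
    for i in range(7)
] + [
    _line("203.0.113.9", f"20/May/2016:18:2{i}:00 -0400", "POST /xmlrpc.php HTTP/1.0")
    for i in range(2)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def _is_loopback(ip_text):
    """True for 127.x / ::1 sources, i.e. requests the server made to itself."""
    try:
        return ip_address(ip_text).is_loopback
    except ValueError:  # hostname (HostnameLookups On) or garbage; not loopback
        return False


def flood_sources(lines, path="/xmlrpc.php", method="POST",
                  threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_hits} for every source that issued more than
    `threshold` requests of `method` to `path` inside any `window`-long span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or _is_loopback(rec["ip"]):
            continue
        if rec["method"] == method and rec["path"] == path:
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def iptables_drop_rule(ip):
    """Render the rule the thread suggests; it is returned as text, not run."""
    return f"iptables -A INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, count in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs to /xmlrpc.php  ->  {iptables_drop_rule(ip)}")
```

The threshold and window are deliberately small so the constructed burst trips them; on a real server they would be tuned to the site's normal xmlrpc.php traffic, and the loopback check is what keeps Apache's own dummy connections from ever being counted against a block list.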




