httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard <lists-apa...@listmail.innovate.net>
Subject Re: [users@httpd] Possible DOS Attack
Date Sat, 21 May 2016 02:25:57 GMT


> Date: Friday, May 20, 2016 23:36:14 +0000
> From: Richard
> 
>> Date: Friday, May 20, 2016 16:09:58 -0700
>> From: Kurtis Rader <krader@skepticism.us>
>> 
>> On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand
>> <rgelfand2@gmail.com> wrote:
>> 
>>> In the last 2 days we have received roughly 1milion of the
>>> following requests.  Just to confirm, is this a DOS attack?
>>> 
>>> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
>>> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows
>>> NT 6.0)"
>>> 
>> 
>> Probably just broken malware trying to guess WordPress account
>> credentials. It's probably been handed just your host name or IP
>> address and, not having any other victims to target, keeps
>> repeatedly hitting your site. I occasionally see this type of
>> behavior. I have my firewall configured to blackhole the source
>> when there are an unreasonable number of POST requests in a short
>> interval.
>> 
>> 
>>> Also, what does this mean?
>>> 
>>> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 -
>>> "-" "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal
>>> dummy connection)"
>>> 
>> 
>> It's checking whether your web server allows the OPTIONS command
>> which might allow other forms of attacks to succeed. I strongly
>> recommend disallowing that HTTP command. Easiest way is via
>> mod_allowmethods:
>> https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html
> 
> This:
> 
>   > ::1 - - [20/May/2016:18:26:09 -0400] ...
> 
> is coming from your localhost-ipv6 -- i.e., these are being
> generated by something on the server itself.
> 
> In the case of the connections from "191.96.249.52" ... I would just
> firewall off that ip (and associated range as necessary) with
> iptables.
> 

By the way, a quick search shows that posts to /xmlrpc.php is a
wordpress attack vector, with a range of potential ramifications. If
you aren't running wordpress, then I'd just block the IPnumber(s) in
question with iptables. If you are, then you should read up on what
this attack can accomplish and take the necessary actions.

Your log is showing a 500 return code, not a 404, so the implication
is that you have a /xmlrpc.php file (and wp is likely installed),
just not configured correctly so it's getting an "internal server
error" rather than "file not found".



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message