httpd-users mailing list archives

From Richard <>
Subject Re: [users@httpd] Possible DOS Attack
Date Sat, 21 May 2016 14:15:56 GMT

> Date: Saturday, May 21, 2016 09:22:24 -0400
> From: "D'Arcy J.M. Cain" <darcy@Vex.Net>
> On 5/20/16 4:00 PM, Roman Gelfand wrote:
>> In the last 2 days we have received roughly 1 million of the
>> following requests.  Just to confirm, is this a DOS attack?
>> - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
>> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows
>> NT 6.0)"
> That looks like a break-in attempt.  The effect may be a DOS but I
> believe that the intent is more sinister.  They want to break into
> your system and take it over.  You would think that once they got
> the first 251 response their code would be smart enough to move on
> to the next victim but if the coders of these things were smart
> they would be making real money with legitimate work.
> Wouldn't life as an ISP be so much better if we could wipe PHP off
> our servers?  I know mine would.

One note -- the values listed after the "HTTP/1.0" are return/status
code and then the number of bytes returned. So, the response:

   ... HTTP/1.0" 500 251 

indicates a "500" status code, with 251 bytes returned. A "500"
status code is an "internal server error", generally an indication of
some type of mal-configuration. There isn't (officially) a 251 status
code, rather the "251" is the error message byte count, not an
indication of success.

Because that wasn't a "404" (not found) error I suspect that WP, and
hence /xmlrpc.php, is installed but that that explicit exploit
attempt failed -- not to say that other aspects of that WP site
aren't vulnerable. If WP isn't being actively maintained it should be

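An added example, not part of the original message: a small Python parser that reads the status code and byte count from access-log lines, as explained in the reply above, and tallies POST requests to /xmlrpc.php by status and by client. The sample lines and client addresses are constructed (documentation IP ranges), and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache common/combined log format:
#   host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.10 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [20/May/2016:18:20:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a log entry
"""

def parse_line(line):
    """Return a dict of fields, or None if the line is not in CLF/combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])                        # e.g. 500
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # e.g. 251 bytes
    return rec

def summarize_xmlrpc(lines, path="/xmlrpc.php"):
    """Count POSTs to `path` per status code and per client host."""
    by_status, by_host, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep track of lines the regex could not read
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == path:
            by_status[rec["status"]] += 1
            by_host[rec["host"]] += 1
    return by_status, by_host, skipped

if __name__ == "__main__":
    statuses, hosts, skipped = summarize_xmlrpc(SAMPLE_LOG.splitlines())
    print("POSTs to /xmlrpc.php by status:", dict(statuses))
    print("Top clients:", hosts.most_common(5))
    print("Unparseable lines:", skipped)
```

A tally by status shows at a glance whether every request is failing with the same 500 or whether some are getting a different response that deserves a closer look.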