[TriLUG] Web attack?

David Both dboth at millennium-technology.com
Sat Sep 6 19:30:09 EDT 2014


I run a few web sites and have noticed some interesting activity on two of them 
today. One set of web sites is out of my home business and another is one that I 
manage at a remote location, and I am getting a constant stream of connections that 
look like the following.


80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a continuous 
load of anywhere from 4-8 connections on my own server and upwards of 100-125 
connections on the remote one. Almost all connections seem to be from Europe and 
west Asia: France, Netherlands, Great Britain, Afghanistan, Russia, and a few 
others.

Other servers I manage remotely do not have anything similar happening.

I found this because htop was showing a somewhat higher than normal CPU usage 
for each of these hosts. Nothing overwhelming but enough to make a noticeable 
difference from usual.

Do any of you who run web servers see anything similar?

Due to the fact that the number of connections on each server seems relatively 
constant and the IP addresses of the sources are constantly changing, I wonder 
if the apparent source might be an anonymizing network such as TOR.

Any information would be helpful.


-- 


*********************************************************
David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA
919-389-8678

dboth at millennium-technology.com

www.millennium-technology.com
www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*********************************************************
This communication may be unlawfully collected and stored by the National Security Agency (NSA) in secret. The parties to this email do not consent to the retrieving or storing of this communication and any related metadata, as well as printing, copying, re-transmitting, disseminating, or otherwise using it. If you believe you have received this communication in error, please delete it immediately.
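To make the pattern in the quoted log measurable rather than eyeballed, the script below parses Apache "combined" access-log lines like the ones in the post and flags any source address that sends more than a threshold of POST requests to /xmlrpc.php within a sliding time window. This is an added example written for this page, not code from the poster or from TriLUG; the sample log lines are constructed (documentation addresses 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for real clients), and the 10-second window and threshold of 5 are assumed starting points to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat, which is what the lines quoted in the post use:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input (not from the post): one address hammering
# xmlrpc.php, one touching it twice far apart, one ordinary page view.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.9 - - [06/Sep/2014:19:16:31 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Sep/2014:19:16:50 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # %t looks like 06/Sep/2014:19:16:30 -0400; %z handles the numeric offset.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def flag_xmlrpc_floods(lines, window_seconds=10, threshold=5, path="/xmlrpc.php"):
    """Return {ip: peak_count} for each source that exceeded `threshold` POSTs
    to `path` inside any `window_seconds`-long window.

    Assumes lines arrive in timestamp order, as an access log does; each IP
    keeps a deque of recent hit times and drops entries older than the window.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue  # malformed line or unrelated request
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in sorted(flag_xmlrpc_floods(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {peak} POSTs to /xmlrpc.php within one window")
```

Run it against a real log with `flag_xmlrpc_floods(open("/var/log/httpd/access_log"))` (path assumed; adjust to the host). Two things worth noting from a defender's side: the `200 370` in every quoted line means the endpoint is answering each request, so the load the poster sees in htop is the PHP stack doing real work per hit; and because the sources rotate, per-IP counts alone understate the problem, so it is useful to also total hits to the path regardless of source over the same window.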


