[TriLUG] Web attack?

Ken MacKenzie ken at mack-z.com
Sat Sep 6 19:33:26 EDT 2014


Do you have fail2ban set up? That would be my first suggestion.
On Sep 6, 2014 7:30 PM, "David Both" <dboth at millennium-technology.com>
wrote:

> I run a few web sites and have noticed some interesting activity on two of
> them today. One set of web sites is out of my home business and another is
> one that I manage at a remote location, and I am getting a constant stream of
> connections that look like the following.
>
>
> 80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php
> HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 80.82.65.17 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0"
> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
>
> Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a
> continuous load of anywhere from 4-8 connections on my own server and
> upwards of 100-125 connections on the remote one. Almost all connections
> seem to be from Europe and west Asia: France, Netherlands, Great Britain,
> Afghanistan, Russia, and a few others.
>
> Other servers I manage remotely do not have anything similar happening.
>
> I found this because htop was showing a somewhat higher than normal CPU
> usage for each of these hosts. Nothing overwhelming but enough to make a
> noticeable difference from usual.
>
> Do any of you who run web servers see anything similar?
>
> Due to the fact that the number of connections on each server seems
> relatively constant and the IP addresses of the sources are constantly
> changing, I wonder if the apparent source might be an anonymizing network
> such as TOR.
>
> Any information would be helpful.
>
>
> --
>
>
> *********************************************************
> David P. Both, RHCE
> Millennium Technology Consulting LLC
> Raleigh, NC, USA
> 919-389-8678
>
> dboth at millennium-technology.com
>
> www.millennium-technology.com
> www.databook.bz - Home of the DataBook for Linux
> DataBook is a Registered Trademark of David Both
> *********************************************************
> This communication may be unlawfully collected and stored by the National
> Security Agency (NSA) in secret. The parties to this email do not consent
> to the retrieving or storing of this communication and any related
> metadata, as well as printing, copying, re-transmitting, disseminating, or
> otherwise using it. If you believe you have received this communication in
> error, please delete it immediately.
>
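Ken's fail2ban suggestion applied to the log lines David quotes, as an added example that is not part of the thread: a Python script that parses Apache combined-format lines and applies fail2ban-style maxretry/findtime counting to POST /xmlrpc.php requests per source IP. The 10.0.0.5 GET line and the later 176.227.196.90 entries are constructed to exercise the filtering and the window expiry; the other sample lines are taken from the quoted log, and the failregex quoted in the comment is an illustrative form, not a specific fail2ban filter file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-format line as quoted in the thread (illustrative fail2ban failregex for the same match: ^<HOST> .*"POST /xmlrpc\.php).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample: lines from the thread, one benign GET, and later POSTs
# from 176.227.196.90 that show the sliding window expiring.
UA = '"Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'
SAMPLE_LOG = [
    '80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '10.0.0.5 - - [06/Sep/2014:19:16:31 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '176.227.196.90 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
    '176.227.196.90 - - [06/Sep/2014:19:16:50 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" ' + UA,
]

def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def xmlrpc_offenders(lines, maxretry=5, findtime=timedelta(seconds=10)):
    """fail2ban-style count: IPs that POST to /xmlrpc.php maxretry times within findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of matching hits still inside the window
    offenders = {}               # ip -> time at which it crossed the threshold
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST" or rec["ip"] in offenders
                or rec["path"].split("?", 1)[0] != "/xmlrpc.php"):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > findtime:  # expire hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            offenders[rec["ip"]] = rec["ts"]
    return offenders
```

With the defaults (5 hits in 10 seconds) the short sample trips nothing; with maxretry=3 the two busiest sources are reported at 19:16:32 while 176.227.196.90 stays clear because its third hit falls outside the window.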

