[TriLUG] Web attack?

Keith Woodie kwoodie at gmail.com
Sat Sep 6 19:37:10 EDT 2014


+1

Apache and ssh plugins are great.

On Saturday, September 6, 2014, Ken MacKenzie <ken at mack-z.com> wrote:

> Do you have fail2ban set up? That would be my first suggestion.
> On Sep 6, 2014 7:30 PM, "David Both" <dboth at millennium-technology.com>
> wrote:
>
> > I run a few web sites and have noticed some interesting activity on two of
> > them today. One set of web sites is out of my home business and another is
> > one that I manage at a remote location, and I am getting a constant stream of
> > connections that look like the following.
> >
> >
> > 80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> > 80.82.65.17 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> >
> > Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a
> > continuous load of anywhere from 4-8 connections on my own server and
> > upwards of 100-125 connections on the remote one. Almost all connections
> > seem to be from Europe and west Asia: France, Netherlands, Great Britain,
> > Afghanistan, Russia, and a few others.
> >
> > Other servers I manage remotely do not have anything similar happening.
> >
> > I found this because htop was showing a somewhat higher than normal CPU
> > usage for each of these hosts. Nothing overwhelming but enough to make a
> > noticeable difference from usual.
> >
> > Do any of you who run web servers see anything similar?
> >
> > Due to the fact that the number of connections on each server seems
> > relatively constant and the IP addresses of the sources are constantly
> > changing, I wonder if the apparent source might be an anonymizing network
> > such as TOR.
> >
> > Any information would be helpful.
> >
> >
> > --
> >
> >
> > *********************************************************
> > David P. Both, RHCE
> > Millennium Technology Consulting LLC
> > Raleigh, NC, USA
> > 919-389-8678
> >
> > dboth at millennium-technology.com
> >
> > www.millennium-technology.com
> > www.databook.bz - Home of the DataBook for Linux
> > DataBook is a Registered Trademark of David Both
> > *********************************************************
> > This communication may be unlawfully collected and stored by the National
> > Security Agency (NSA) in secret. The parties to this email do not consent
> > to the retrieving or storing of this communication and any related
> > metadata, as well as printing, copying, re-transmitting, disseminating, or
> > otherwise using it. If you believe you have received this communication in
> > error, please delete it immediately.
> >
> > --
> > This message was sent to: Ken M. <ken at mack-z.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> > address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/ken%40mack-z.com
> > Welcome to TriLUG: http://trilug.org/welcome
> >
> --
> This message was sent to: Keith Woodie <kwoodie at gmail.com <javascript:;>>
> To unsubscribe, send a blank message to trilug-leave at trilug.org
> <javascript:;> from that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  :
> http://www.trilug.org/mailman/options/trilug/kwoodie%40gmail.com
> Welcome to TriLUG: http://trilug.org/welcome
>


-- 
Keith Woodie

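What a fail2ban jail with an Apache filter would actually do with the log lines David posted, written out as an added example (this is not code from the thread and not fail2ban's own implementation): one failregex keyed on the POST to /xmlrpc.php, then a per-address sliding window of maxretry hits within findtime seconds. The filter filename /etc/fail2ban/filter.d/apache-xmlrpc.conf, the simplified expansion of fail2ban's <HOST> placeholder, the maxretry/findtime values, and the ordinary GET from 203.0.113.5 are all assumptions or constructed input; the POST lines are reassembled from the excerpt in the post.

```python
"""Replay the xmlrpc.php POST flood from the thread through a fail2ban-style
filter and maxretry/findtime counter, to see which addresses a jail would ban.

Added example; not code from the thread and not fail2ban's own implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# What a fail2ban filter.d entry for this traffic would look like. <HOST> is
# fail2ban's placeholder for the client address; the filename
# /etc/fail2ban/filter.d/apache-xmlrpc.conf is an assumption, not a shipped file.
FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /xmlrpc\.php HTTP/1\.[01]" \d{3} '

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4/IPv6 literals only.
_HOST = r'(?P<host>[0-9a-fA-F:.]+)'
_FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', _HOST))

# Apache combined-log timestamp, e.g. [06/Sep/2014:19:16:30 -0400]
_TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
_TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line):
    """Return (host, timestamp) when the line matches FAILREGEX, else None."""
    m = _FAIL_RE.match(line)
    if m is None:
        return None
    ts = _TS_RE.search(line)
    if ts is None:
        return None
    return m.group('host'), datetime.strptime(ts.group(1), _TS_FMT)


def find_offenders(lines, maxretry=5, findtime=600):
    """Per-host sliding window, the way fail2ban applies maxretry/findtime.

    Lines must be in log order. Returns {host: timestamp of the hit that
    crossed maxretry}; a host is recorded once, as a jail bans it once.
    """
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in banned:
            continue
        host, ts = parsed
        window = hits[host]
        window.append(ts)
        # Drop hits older than findtime seconds before counting.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


# Sample input: the first 14 entries reassembled from the log excerpt in the
# thread, plus one constructed ordinary GET (203.0.113.5 is a documentation
# address) that the filter must ignore.
_UA = '"-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'


def _post(ip, sec):
    return (f'{ip} - - [06/Sep/2014:19:16:{sec:02d} -0400] '
            f'"POST /xmlrpc.php HTTP/1.0" 200 370 {_UA}')


SAMPLE_LINES = [
    _post('80.82.65.17', 30), _post('195.154.105.219', 30),
    _post('195.154.105.219', 30), _post('80.82.65.17', 31),
    _post('80.82.65.17', 32), _post('195.154.105.219', 32),
    _post('195.154.105.219', 32), _post('195.154.105.219', 32),
    _post('80.82.65.17', 32), _post('176.227.196.90', 33),
    _post('80.82.65.17', 33), _post('176.227.196.90', 33),
    _post('176.227.196.90', 34), _post('80.82.65.17', 34),
    '203.0.113.5 - - [06/Sep/2014:19:16:34 -0400] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, when in find_offenders(SAMPLE_LINES).items():
        print(f'ban {host} (threshold crossed at {when:%H:%M:%S})')
```

Two things the log excerpt itself shows and the filter has to respect: every response is a 200, so status code is no use as a discriminator and the rate of POSTs to xmlrpc.php is the only signal; and with maxretry=5 the third address in the sample (176.227.196.90) has not yet crossed the threshold, so the jail only catches it once it keeps going. If the site sits behind a proxy or CDN, the first field is the proxy's address and the jail will ban the proxy, so log and match on the forwarded client address instead. If the site does not need pingbacks or XML-RPC clients at all, denying /xmlrpc.php in the Apache config removes the target rather than rate-limiting it.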
