[TriLUG] Web attack?

David Both dboth at millennium-technology.com
Sat Sep 6 20:34:04 EDT 2014


I do. I have enabled the bad-bots but these do not appear to be listed there. I 
suppose I will have to create a configuration for lots of hits from an IP as I 
don't see one like that. Since the vast majority of these seem to be looking for 
a specific PHP file I could key on that.

Thanks!


On 09/06/2014 07:33 PM, Ken MacKenzie wrote:
> Do you have fail2ban setup. That would be my first suggestion.
> On Sep 6, 2014 7:30 PM, "David Both" <dboth at millennium-technology.com>
> wrote:
>
>> I run a few web sites and have noticed some interesting activity on two of
>> them today. One set of web sites is out of my home business and another is
>> one that I manage at a remote location and I am getting constant stream of
>> connections that look like the following.
>>
>>
>> 80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0"
>> 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
>> 195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php
>> <snip>
>>
>> Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a
>> continuous load of anywhere from 4-8 connections on my own server and
>> upwards of 100-125 connections on the remote one. Almost all connections
>> seem to be from Europe and west Asia, France, Netherlands, Great Britain,
>> Afghanistan, Russia, and a few others.
>>
>> Other servers I manage remotely do not have anything similar happening.
>>
>> I found this because htop was showing a somewhat higher than normal CPU
>> usage for each of these hosts. Nothing overwhelming but enough to make a
>> noticeable difference from usual.
>>
>> Do any of you who run web servers see anything similar?
>>
>> Due to the fact that the number of connections on each server seems
>> relatively constant and the IP addresses of the sources are constantly
>> changing, I wonder if the apparent source might be an anonymizing network
>> such as TOR.
>>
>> Any information would be helpful.
>>
>>
>> --
>>
>>
>> *********************************************************
>> David P. Both, RHCE
>> Millennium Technology Consulting LLC
>> Raleigh, NC, USA
>> 919-389-8678
>>
>> dboth at millennium-technology.com
>>
>> www.millennium-technology.com
>> www.databook.bz - Home of the DataBook for Linux
>> DataBook is a Registered Trademark of David Both
>> *********************************************************
>> This communication may be unlawfully collected and stored by the National
>> Security Agency (NSA) in secret. The parties to this email do not consent
>> to the retrieving or storing of this communication and any related
>> metadata, as well as printing, copying, re-transmitting, disseminating, or
>> otherwise using it. If you believe you have received this communication in
>> error, please delete it immediately.
>>

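A small detector for the pattern discussed in this thread: it applies the same per-IP count-within-a-window rule that fail2ban uses (maxretry hits inside findtime seconds) to Apache access-log lines, keyed on POST requests to /xmlrpc.php. This is an added example written for this thread, not code from the list or from fail2ban; the log lines are constructed with documentation-range IPs, and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-format prefix; a fail2ban filter.d failregex would write <HOST> where the `ip` group is.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"))

def find_floods(lines, path="/xmlrpc.php", maxretry=5, findtime=60):
    """fail2ban-style rule: flag an IP that POSTs to `path` `maxretry` times in any `findtime`-second window."""
    window = timedelta(seconds=findtime)
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not an access-log line, ignore
        ip, ts, method, req_path = parsed
        if method != "POST" or req_path != path or ip in flagged:
            continue                      # only the xmlrpc POST flood counts
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:      # drop hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            flagged[ip] = ts              # time of the hit that crossed the threshold
    return flagged

def _entry(ip, clock, method, req_path):
    # Constructed log line (documentation IP ranges), same shape as the lines in the post.
    return (f'{ip} - - [06/Sep/2014:{clock} -0400] "{method} {req_path} HTTP/1.0" '
            '200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')

SAMPLE_LOG = [                            # constructed sample, chronological
    _entry("192.0.2.10", "19:16:30", "POST", "/xmlrpc.php"),
    _entry("192.0.2.10", "19:16:35", "POST", "/xmlrpc.php"),
    _entry("203.0.113.9", "19:16:40", "POST", "/xmlrpc.php"),
    _entry("192.0.2.10", "19:16:41", "POST", "/xmlrpc.php"),
    _entry("198.51.100.7", "19:16:50", "POST", "/xmlrpc.php"),  # one legitimate call
    _entry("192.0.2.10", "19:16:55", "POST", "/xmlrpc.php"),
    _entry("192.0.2.10", "19:17:02", "POST", "/xmlrpc.php"),    # 5th hit within 32 s
    _entry("203.0.113.9", "19:19:10", "POST", "/xmlrpc.php"),   # slow client, never 5 in 60 s
]
```

Because the sources in the post rotate constantly, a per-IP rule like this only removes the noisiest clients; pairing it with an Apache rule that restricts or disables /xmlrpc.php when it is not needed cuts the load regardless of the source address.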