On Thu, Oct 2, 2014, at 09:29, Mike Burger wrote:
On 2014-10-02 10:23 am, Jerry Geis wrote:
I just got SLAMMED with accesses to httpd from 91.230.121.156
I added the address to my firewall to drop it. FYI
host 91.230.121.156 156.121.230.91.in-addr.arpa domain name pointer no-rdns.offshorededicated.net.
Are you running Wordpress?
My company's Wordpress installation was getting hammered by an IP in the same netblock, yesterday...look in your httpd logs for repeated POST operations to xmlrpc.php.
Most people don't even need xmlrpc.php to be open to the world, so I prefer to block all requests to it. I also have successfully used ngrep to capture POSTs on a server hosting many Wordpress sites and log them to a file that is watched by fail2ban. After x many POSTs, automatically ban the IP, for example.
The reason I did not just monitor the Apache log files for POSTs is that there were so many sites with their own log files. I had to aggregate all the POSTs to a single log file so when the botnet hit multiple Wordpress sites it could be more easily identified. Occasionally they'll only do a couple POSTs from each IP/bot in the group, and so it would evade detection unless you aggregated it all into one log file.
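The aggregation idea above, as an added example (not code from anyone in this thread): it reads the per-site Apache access logs in combined format, keeps only POSTs to xmlrpc.php, writes them to one cross-site log that a watcher such as fail2ban could tail, and counts hits per source IP across all sites. The sample log lines, the site names and the IPs (documentation ranges) are constructed for the example; the threshold of 5 is an assumed value.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the captured fields as a dict, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_xmlrpc_post(rec):
    """True for a POST whose path (query string ignored) is xmlrpc.php, in any directory."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/xmlrpc.php")


def aggregate(site_logs):
    """site_logs maps a site name to that site's log lines.

    Returns (aggregated_lines, counts): aggregated_lines is the single cross-site log
    a watcher could tail; counts maps ip -> {site: number of xmlrpc.php POSTs}.
    """
    aggregated = []
    counts = defaultdict(lambda: defaultdict(int))
    for site, lines in site_logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None or not is_xmlrpc_post(rec):
                continue
            counts[rec["ip"]][site] += 1
            aggregated.append(
                f'[{rec["time"]}] site={site} ip={rec["ip"]} POST /xmlrpc.php {rec["status"]}'
            )
    return aggregated, counts


def offenders(counts, threshold):
    """IPs whose xmlrpc.php POSTs summed across all sites reach the threshold, busiest first."""
    totals = {ip: sum(per_site.values()) for ip, per_site in counts.items()}
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def per_site_offenders(counts, threshold):
    """The same threshold applied to each site's log on its own, for comparison."""
    return sorted(ip for ip, per_site in counts.items() if max(per_site.values()) >= threshold)


# Constructed sample: one source spreads two POSTs over each of three sites.
SAMPLE_LOGS = {
    "blog-a": [
        '192.0.2.10 - - [02/Oct/2014:10:20:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [02/Oct/2014:10:20:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [02/Oct/2014:10:21:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ],
    "blog-b": [
        '192.0.2.10 - - [02/Oct/2014:10:20:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [02/Oct/2014:10:20:04 -0400] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [02/Oct/2014:10:22:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    ],
    "blog-c": [
        '192.0.2.10 - - [02/Oct/2014:10:20:05 -0400] "POST /wp/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [02/Oct/2014:10:20:06 -0400] "POST /wp/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
        "garbage line that is not in combined format",
    ],
}

if __name__ == "__main__":
    lines, counts = aggregate(SAMPLE_LOGS)
    print("\n".join(lines))
    print("per-site threshold 5:", per_site_offenders(counts, 5))
    print("aggregated threshold 5:", offenders(counts, 5))
```

With the sample input, a threshold of 5 applied per site flags nothing (no site sees more than 2 POSTs from 192.0.2.10), while the aggregated count flags that IP with 6. The `ip=<address>` field in the aggregated line is what a fail2ban filter's `<HOST>` placeholder would match on.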