[CentOS] slammed
Mark Felder
feld at feld.me
Thu Oct 2 14:40:18 UTC 2014
On Thu, Oct 2, 2014, at 09:29, Mike Burger wrote:
> On 2014-10-02 10:23 am, Jerry Geis wrote:
> > I just got SLAMMED with accesses to httpd from
> > 91.230.121.156
> >
> > I added the address to my firewall to drop it.
> > FYI
> >
> > host 91.230.121.156
> > 156.121.230.91.in-addr.arpa domain name pointer
> > no-rdns.offshorededicated.net.
>
> Are you running Wordpress?
>
> My company's Wordpress installation was getting hammered by an IP in the
> same netblock, yesterday...look in your httpd logs for repeated POST
> operations to xmlrpc.php.
>
Most people don't even need xmlrpc.php to be open to the world, so I
prefer to block all requests to it. I also have successfully used ngrep
to capture POSTs on a server hosting many Wordpress sites and log them
to a file that is watched by fail2ban. After x many POSTs, automatically
ban the IP, for example.
The reason I did not just monitor the Apache log files for POSTs is that
there were so many sites with their own log files. I had to aggregate
all the POSTs to a single log file so when the botnet hit multiple
Wordpress sites it could be more easily identified. Occasionally they'll
only do a couple POSTs from each IP/bot in the group and so it would
evade detection unless you aggregated it all into one log file.
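The aggregation point made in the reply above, as an added example that is not part of the original thread: a small Python script that parses Apache combined-format access logs from several virtual hosts, counts POSTs per client address both per site and pooled across all sites, and shows that an address sending only a couple of POSTs to each site stays under a per-site threshold but crosses the same threshold once the logs are pooled. The log lines, site names and addresses (from the TEST-NET documentation ranges) are constructed for this example; `aggregate_log` produces the kind of single file a fail2ban jail could watch, but no fail2ban configuration is included.

```python
import re
from collections import Counter

# Regex for Apache "combined" log lines; only the fields used below are named.
# Written for this example; adjust to your own LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: three WordPress vhosts, each with its own access log.
# 203.0.113.7 (assumed bot) posts to xmlrpc.php only twice per site;
# 198.51.100.9 (assumed legitimate editor) posts once to wp-admin.
SITE_LOGS = {
    "siteA": [
        '203.0.113.7 - - [02/Oct/2014:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
        '203.0.113.7 - - [02/Oct/2014:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
        '198.51.100.9 - - [02/Oct/2014:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    ],
    "siteB": [
        '203.0.113.7 - - [02/Oct/2014:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
        '203.0.113.7 - - [02/Oct/2014:10:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
        '198.51.100.9 - - [02/Oct/2014:10:03:00 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
    ],
    "siteC": [
        '203.0.113.7 - - [02/Oct/2014:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
        '203.0.113.7 - - [02/Oct/2014:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    ],
}


def post_counts(lines):
    """Count POST requests per client IP in one site's log (any path)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST":
            counts[m.group("ip")] += 1
    return counts


def per_site_offenders(site_logs, threshold):
    """Naive approach: apply the ban threshold separately to each site's log."""
    offenders = set()
    for lines in site_logs.values():
        for ip, n in post_counts(lines).items():
            if n >= threshold:
                offenders.add(ip)
    return offenders


def aggregated_offenders(site_logs, threshold):
    """Pooled approach: merge every site's POST counts, then apply the threshold."""
    pooled = Counter()
    for lines in site_logs.values():
        pooled.update(post_counts(lines))
    return {ip for ip, n in pooled.items() if n >= threshold}


def aggregate_log(site_logs):
    """Build the single aggregated log a fail2ban jail could watch:
    one line per POST, prefixed with the site name so the origin stays visible."""
    out = []
    for site, lines in site_logs.items():
        for line in lines:
            m = LOG_RE.match(line)
            if m and m.group("method") == "POST":
                out.append(f"{site} {line}")
    return out


if __name__ == "__main__":
    limit = 5
    print("per-site offenders:", per_site_offenders(SITE_LOGS, limit))
    print("aggregated offenders:", aggregated_offenders(SITE_LOGS, limit))
    print("\n".join(aggregate_log(SITE_LOGS)))
```

With a threshold of five, the per-site check bans nobody (two POSTs per site), while the pooled check catches 203.0.113.7 at six POSTs and leaves the editor at one; the aggregated file is the artefact you would point a fail2ban filter at.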