  #1 | Join Date: May 2014 | Location: Turkey | Posts: 261

    Getting low volume DDOS or Bruteforce

    Hello guys,

    It's me again.

    My VPS is kind of getting DDoS or brute-force attacks.

    I am not sure what I am getting, but I am getting something, since my CPU usage is getting higher every day.

    I am running nginx, php-fpm, Varnish and MariaDB on Debian.
    I am using ConfigServer as my firewall.

    Here are my stats

    [Attached screenshots: sc1.jpg, sc2.jpg, sc3.jpg]

    ConfigServer blocks UDP from various IP addresses.

    How can I be sure what I am getting? Have any of you used ConfigServer before?

    When I use the VNC console from DigitalOcean I see live firewall stats, but I can't see them when logged in via SSH.

    CPU usage is relatively high on php-fpm; does that mean I am getting brute-forced (WordPress login page)?

    I am new to Linux and look forward to hearing what you say, so that I can dig deeper into this issue.

  #2 | Join Date: Feb 2014 | Location: London | Posts: 1,374
    I wouldn't call it DDoS; check: http://en.wikipedia.org/wiki/Denial-of-service_attack.

    Have a look at the access log. Look for anything unusual, like a high number of requests per IP. Our customers tend to have similar problems because of bots trying to abuse their WordPress sites.

  #3 | Join Date: May 2014 | Location: Turkey | Posts: 261
    Would renaming wp-login.php to wp-something.php solve the issue temporarily?

  #4 | Join Date: Feb 2014 | Location: London | Posts: 1,374
    Yes, but it would also prevent you and your visitors from logging in. Try to block the attackers on the firewall instead.

  #5 | Join Date: May 2014 | Location: Turkey | Posts: 261
    I found this: http://forum.configserver.com/viewtopic.php?t=6235
    but it's Apache-oriented.

    WordPress should have something built in; it should offer us a custom login URL during installation. I know some plugins fake that, but they're not dependable at the moment.

  #6 | Join Date: Feb 2014 | Location: London | Posts: 1,374
    There are pros and cons to using nginx, unfortunately. It is not for everything and not for everyone.

  #7 | Join Date: May 2014 | Location: Turkey | Posts: 261
    I renamed all the wp-login files, but the CPU usage is still high.

    When somebody tries to access wp-admin or wp-login.php they get a 404 error (as expected).

    As I said, CPU usage did not drop. What can cause high CPU (php-fpm) usage? How can I identify it?

  #8 | Join Date: May 2011 | Location: /root | Posts: 630
    The stats do not show that it's a DDoS. Did you check the domain's access logs to see which scripts are being hit the most? Are there indeed hits for wp-login.php? It may also be one of your plugins causing high PHP usage. Do you have any cache plugins implemented, or any PHP cache plugins?

  #9 | Join Date: May 2014 | Location: Turkey | Posts: 261
    Code:
    127.0.0.1 - - [01/Sep/2014:22:23:06 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:07 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:08 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
    127.0.0.1 - - [01/Sep/2014:22:23:09 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:09 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:10 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:10 +0300] "POST /xmlrpc.php HTTP/1.1" 200 230 "-" "-"
    127.0.0.1 - - [01/Sep/2014:22:23:11 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:11 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:11 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
    127.0.0.1 - - [01/Sep/2014:22:23:12 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
    127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:14 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:14 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
    127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
    127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:16 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    127.0.0.1 - - [01/Sep/2014:22:23:16 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    This is generated every second.

    I use APC and Varnish, with W3 Total Cache as a plugin.

  #10 | Join Date: May 2014 | Location: Turkey | Posts: 261
    Maybe this is what I am getting? WordPress XML-RPC DDoS attack? lol?
    https://isc.sans.edu/forums/diary/Wo...+Attacks/17801

  #11 | Join Date: Jul 2013 | Posts: 296
    It seems the abuser is trying to use your WordPress to make DDoS attacks. The attack is called an XML-RPC attack and uses the XML-RPC bug to attack the victim. If you are using the latest WP update it is fixed, but it is better to disable XML-RPC in WP.

  #12 | Join Date: May 2014 | Location: Turkey | Posts: 261
    OK, now I am giving it a try; let's see what will happen.

    By the way, the nginx access log shows 127.0.0.1 as the abuser, because Varnish serves the requests.

    I think to check who the attacker is I should read the Varnish access logs.

    I will keep this post updated.

  #13 | Join Date: Dec 2005 | Posts: 3,110
    You can use the location configuration option in nginx to temporarily block access to files which are being targeted, and whitelist specific IPs. This will block the activity before it reaches PHP and help get things under control.

    e.g. add this to your server{} section.

    Code:
      # deny everyone except one address; nginx answers before anything
      # is handed to php-fpm
      location ~ ^/(xmlrpc\.php) {
          allow yourip;   # replace with your own IP address
          deny  all;
      }

  #14 | Join Date: May 2014 | Location: Turkey | Posts: 261
    Here's the mofo from the Varnish access log:

    Code:
    195.154.126.240 - - [01/Sep/2014:22:54:43 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    195.154.105.219 - - [01/Sep/2014:22:54:43 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    195.154.105.219 - - [01/Sep/2014:22:54:44 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    195.154.126.240 - - [01/Sep/2014:22:54:45 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    195.154.105.219 - - [01/Sep/2014:22:54:45 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    195.154.105.219 - - [01/Sep/2014:22:54:48 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    195.154.126.240 - - [01/Sep/2014:22:54:49 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    Thanks for the code. I will try to disable xmlrpc from WordPress; if it doesn't work, I will try your method.
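The triage that the replies ask for (post #2's "high number of requests per IP", post #8's "which scripts are being hit the most", and post #12's point that the nginx log only ever shows 127.0.0.1 when Varnish is in front), as an added example that is not from any poster in this thread. It needs nothing beyond POSIX sh and awk. The log lines it runs on are constructed for the example, modelled on the format of the lines posted above but using RFC 5737 documentation addresses rather than the hosts from the thread; pass a real access.log or varnishncsa log path as the first argument to run it on live data.

```shell
#!/bin/sh
# Added example (not from the thread): triage a combined-format access log for
# the pattern the poster saw, a steady stream of POSTs to one PHP script.
# Works on an nginx access.log and on a varnishncsa log; in the latter the
# request target is a full URL ("POST http://host/xmlrpc.php HTTP/1.0"),
# so the scheme and host are stripped before counting.

# Constructed sample of what Varnish (the edge) logs. Addresses are RFC 5737
# documentation ranges, not the hosts from the thread.
VARNISH_LOG="$(mktemp)"
cat > "$VARNISH_LOG" <<'EOF'
203.0.113.10 - - [01/Sep/2014:22:54:43 +0300] "POST http://198.51.100.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.11 - - [01/Sep/2014:22:54:43 +0300] "POST http://198.51.100.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.11 - - [01/Sep/2014:22:54:44 +0300] "POST http://198.51.100.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.10 - - [01/Sep/2014:22:54:44 +0300] "POST http://198.51.100.4/xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.11 - - [01/Sep/2014:22:54:45 +0300] "POST http://198.51.100.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.77 - - [01/Sep/2014:22:54:45 +0300] "GET http://198.51.100.4/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.77 - - [01/Sep/2014:22:54:46 +0300] "GET http://198.51.100.4/wp-content/themes/x/style.css?ver=4.0 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Sep/2014:22:54:46 +0300] "POST http://198.51.100.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
EOF

# Constructed sample of what nginx logs for the same traffic when Varnish
# proxies to it over loopback: every client is 127.0.0.1.
NGINX_LOG="$(mktemp)"
cat > "$NGINX_LOG" <<'EOF'
127.0.0.1 - - [01/Sep/2014:22:54:43 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:54:43 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
EOF
trap 'rm -f "$VARNISH_LOG" "$NGINX_LOG"' EXIT

# Emit one "client time path" triple per log line. Field 7 of the combined
# format is the request target; scheme, host and query string are removed so
# nginx and Varnish lines count against the same path. Field 4 holds the time.
triples() {
  awk '{ p = $7; sub(/^https?:\/\/[^\/]+/, "", p); sub(/\?.*/, "", p)
         t = $4; sub(/^\[[^:]*:/, "", t)
         print $1, t, p }' "$1"
}

# Requests per path, busiest first: the script being hammered tops the list.
top_paths() {
  triples "$1" | awk '{ c[$3]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Clients hitting one path, busiest first: the addresses to hand to the firewall.
top_clients_for() {
  triples "$1" | awk -v want="$2" '$3 == want { c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Requests per second for one path; a low-volume flood like the thread's is a
# few hits every second, sustained, rather than a single spike.
rate_for() {
  triples "$1" | awk -v want="$2" '$3 == want { c[$2]++ } END { for (k in c) print c[k], k }' | sort -k2
}

# "yes" when every client in the log is loopback: this nginx sits behind a
# proxy (Varnish here), so this log cannot name the attacker; read the
# proxy's own log instead.
behind_proxy() {
  awk '$1 != "127.0.0.1" { other = 1 } END { print (other ? "no" : "yes") }' "$1"
}

LOG="${1:-$VARNISH_LOG}"   # a real log path may be passed as the first argument
echo "behind proxy: $(behind_proxy "$LOG")"
echo "== requests per path =="; top_paths "$LOG" | head -n 5
echo "== clients for /xmlrpc.php =="; top_clients_for "$LOG" /xmlrpc.php | head -n 5
echo "== /xmlrpc.php per second =="; rate_for "$LOG" /xmlrpc.php
```

Run it against the nginx log first: if behind_proxy prints "yes", every per-client count is meaningless and the varnishncsa log is the one to triage, which is exactly what the poster found in post #12.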

  #15 | Join Date: May 2014 | Location: Turkey | Posts: 261
    Quote Originally Posted by PCS-Chris View Post
    You can use the location configuration option in nginx to temporarily block access to files which are being targeted, and whitelist specific IPs. This will block the activity before it reaches PHP and help get things under control.

    e.g. add this to your server{} section.

    Code:
      # deny everyone except one address; nginx answers before anything
      # is handed to php-fpm
      location ~ ^/(xmlrpc\.php) {
          allow yourip;   # replace with your own IP address
          deny  all;
      }
    Your code worked, thank you very much and thanks to all who helped me figuring out what's going on.
    [Attached screenshot: sc4.jpg]

    BTW: the WordPress Disable XML-RPC Pingback plugin didn't do anything good: https://wordpress.org/plugins/disable-xml-rpc-pingback/

  #16 | Join Date: Dec 2005 | Posts: 3,110
    Quote Originally Posted by Eretek View Post
    Your code worked, thank you very much and thanks to all who helped me figuring out what's going on.
    No problem

  #17 | Join Date: Dec 2011 | Location: Netherlands | Posts: 979
    Quote Originally Posted by Eretek View Post
    btw: wordpress xmlrpc disable xmlrpc plugin didn't do anything good https://wordpress.org/plugins/disable-xml-rpc-pingback/
    Most likely the call made to xmlrpc.php is to log in to WordPress; we've been seeing that a lot lately. But indeed the solution is just to use the code like above; that 'solves' the issue.
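The location block from post #13, placed in a configuration that also accounts for Varnish sitting in front of nginx, as an added example that is not config from any poster in this thread. It assumes the thread's stack (Varnish on port 80 proxying to nginx on 127.0.0.1:8080, php-fpm on a Unix socket whose path is a guess) and uses 203.0.113.5 as a placeholder for the admin's own address. Two caveats a practitioner would want: because Varnish proxies over loopback, nginx's $remote_addr is 127.0.0.1 for every request, so "allow yourip; deny all;" denies the admin as well, which only stops mattering if the realip module (ngx_http_realip_module; check nginx -V) is told to take the client address from the X-Forwarded-For header Varnish sets by default; and a location that contains only allow/deny has no fastcgi_pass, so an allowed request would be served as a static file, disclosing the PHP source, which is why the block below hands allowed requests to php-fpm explicitly.

```nginx
# Added example, not the thread's own configuration. Assumes Varnish on :80
# forwarding to nginx on 127.0.0.1:8080 and php-fpm on a Unix socket (path is
# an assumption). 203.0.113.5 is a placeholder for the admin's address.

# http context. Varnish sets X-Forwarded-For by default, appending the real
# client address. Trust that header only when the request arrives from
# Varnish itself, so $remote_addr (what allow/deny test) becomes the real
# client instead of 127.0.0.1. real_ip_recursive stays off (the default):
# the last X-Forwarded-For entry is the one Varnish appended, so a value the
# attacker supplies cannot override it.
set_real_ip_from 127.0.0.1;
real_ip_header   X-Forwarded-For;

server {
    listen 127.0.0.1:8080;
    root   /var/www/html;      # assumption
    index  index.php;

    # An exact-match location is chosen before the generic ~ \.php$ regex, so
    # ordering in the file does not matter. Everyone except the admin gets a
    # 403 straight from nginx; php-fpm never sees the request, which is what
    # brings the CPU load down.
    location = /xmlrpc.php {
        allow 203.0.113.5;     # placeholder: the admin's own IP
        deny  all;
        # Allowed requests must still reach PHP. Without a fastcgi_pass here
        # nginx would serve xmlrpc.php as a static file to the allowed IP.
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;   # assumption
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;   # assumption
    }
}
```

Test it with nginx -t, then reload and confirm in the nginx log that POSTs to /xmlrpc.php now return 403 with the real client address in the first field rather than 127.0.0.1; if the first field is still 127.0.0.1, the realip directives are not being applied and the allow line is protecting nobody.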

  #18
    It should work well.

  #19
    Have you tried Cloudflare? Try it: add your domain and put it in "Under Attack" mode. Hopefully they're DDoSing your domain, not your direct IP; if they're attacking your domain it should be easier to stop.

  #20 | Join Date: May 2014 | Location: Turkey | Posts: 261
    Their actual DDoS protection plan starts from $200/month; that's quite expensive.

  #21
    Quote Originally Posted by Eretek View Post
    Their actual DDoS protection plan starts from $200/month; that's quite expensive.
    Their free package is very good if you have the right configuration in your DNS settings, which will not allow attackers to find your IP by using resolvers. Their Under Attack mode can only be bypassed by a limited number of people, but the free package should protect this user from most attacks.

  #22 | Join Date: May 2014 | Location: Turkey | Posts: 261
    I use SSL, therefore it's not possible to hide my IP with the Cloudflare basic/free plan.
