[TriLUG] Web attack?
David Both
dboth at millennium-technology.com
Sat Sep 6 19:30:09 EDT 2014
I run a few web sites and have noticed some interesting activity on two of them
today. One set of web sites is out of my home business and another is one that I
manage at a remote location, and I am getting a constant stream of connections that
look like the following.
80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.90 - - [06/Sep/2014:19:16:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.65.17 - - [06/Sep/2014:19:16:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
Both servers use CentOS 6.5, Apache, WordPress and MySQL. I have a continuous
load of anywhere from 4-8 connections on my own server and upwards of 100-125
connections on the remote one. Almost all connections seem to be from Europe and
west Asia: France, Netherlands, Great Britain, Afghanistan, Russia, and a few
others.
Other servers I manage remotely do not have anything similar happening.
I found this because htop was showing a somewhat higher than normal CPU usage
for each of these hosts. Nothing overwhelming but enough to make a noticeable
difference from usual.
Do any of you who run web servers see anything similar?
Due to the fact that the number of connections on each server seems relatively
constant and the IP addresses of the sources are constantly changing, I wonder
if the apparent source might be an anonymizing network such as TOR.
Any information would be helpful.
--
*********************************************************
David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA
919-389-8678
dboth at millennium-technology.com
www.millennium-technology.com
www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*********************************************************
This communication may be unlawfully collected and stored by the National Security Agency (NSA) in secret. The parties to this email do not consent to the retrieving or storing of this communication and any related metadata, as well as printing, copying, re-transmitting, disseminating, or otherwise using it. If you believe you have received this communication in error, please delete it immediately.
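Added example, not part of David's post or of anything the TriLUG list published: a small detector that reads Apache "combined"-format access log lines of the kind quoted above, counts POST requests to xmlrpc.php per source address inside a sliding time window, and reports the addresses that exceed a threshold, which is the per-IP view an administrator wants before deciding on rate limiting or a block. It assumes the log format is Apache combined (which the quoted lines match); the first twelve sample lines are copied from the post, the rest are constructed with RFC 5737 documentation addresses to show a single legitimate XML-RPC call and a slow trickle that only the wider window catches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, one request per line (assumed from the quoted lines).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def is_xmlrpc_post(rec):
    return rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php")


def xmlrpc_summary(lines):
    """Return (total POSTs to xmlrpc.php, number of distinct source IPs) over the input."""
    ips, total = set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec and is_xmlrpc_post(rec):
            total += 1
            ips.add(rec["ip"])
    return total, len(ips)


def xmlrpc_posters(lines, window_seconds=10, threshold=5):
    """Return {ip: peak} for each IP whose POSTs to xmlrpc.php reach `threshold`
    within some span of `window_seconds` (sliding window, evaluated per IP)."""
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_xmlrpc_post(rec):
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Sample input: first twelve lines are copied from the post; the 192.0.2.x / 198.51.100.x /
# 203.0.113.x lines are constructed (RFC 5737 documentation addresses).
UA = '"Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'
SAMPLE_LOG = "\n".join([
    f'80.82.65.17 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'195.154.105.219 - - [06/Sep/2014:19:16:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'80.82.65.17 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'195.154.105.219 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'80.82.65.17 - - [06/Sep/2014:19:16:32 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'80.82.65.17 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    f'176.227.196.90 - - [06/Sep/2014:19:16:33 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" {UA}',
    # constructed: one legitimate XML-RPC call from a publishing client
    '198.51.100.4 - - [06/Sep/2014:19:16:31 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.9 client"',
    # constructed: ordinary page view, not counted at all
    '203.0.113.7 - - [06/Sep/2014:19:16:31 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: slow trickle, three POSTs spread over four minutes
    '192.0.2.9 - - [06/Sep/2014:19:10:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "curl/7.19"',
    '192.0.2.9 - - [06/Sep/2014:19:12:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "curl/7.19"',
    '192.0.2.9 - - [06/Sep/2014:19:14:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "curl/7.19"',
])

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    total, distinct = xmlrpc_summary(lines)
    print(f"{total} POSTs to xmlrpc.php from {distinct} distinct addresses")
    for ip, peak in sorted(xmlrpc_posters(lines, threshold=3).items()):
        print(f"{ip}: {peak} POSTs within 10 s -> candidate for rate limiting")
```

Run it against a real log with `xmlrpc_posters(open("/var/log/httpd/access_log"), ...)`; the 10-second window with a threshold of 3 separates the two addresses that hammer the endpoint in the quoted excerpt from the single legitimate client, while widening the window to five minutes also catches the slow trickle that a per-second view would miss. Because the post describes a constant load from continually changing addresses, the `xmlrpc_summary` ratio of requests to distinct sources is the figure to watch over time; and if the sites do not use XML-RPC at all (no remote publishing client, no pingbacks), denying access to xmlrpc.php in the Apache configuration removes the CPU cost regardless of where the requests originate.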
More information about the TriLUG mailing list