Server Attack

Teng   January 16, 2016   No Comments on Server Attack

Somebody is attacking my server currently.

The IP is coming from 185.130.5.209

He keeps posting garbage data to the XML-RPC interface of my WordPress blog:

<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://www.butlerharris.com/?s=a&amp;submit=Search</string></value></param><param><value><string>https://blog.twei7.com/lvm-in-ubuntu/</string></value></param></params></methodCall>

The attack starts at 7:00 PM. I have dinner with my friends and come back at 10 PM.

When I look at my server status, I discover an unusual increase in my CPU load and network load.


Then I find that MySQL has unusually high traffic.

Then I find the WordPress database is rather busy.

Finally, I pull the Apache access log and find an evil guy is crazily posting data to my blog through xmlrpc.php.


Then I temporarily delete the xmlrpc.php file, so he will only get a 404 error and nothing meaningful.

I will then block the IP address and patch the xmlrpc file. Fuck you 185.130.5.209.

==============================================

After some googling, I now realize this is a kind of DDoS attack.

The attacker is not targeting my server. He is using my machine to target somebody else. It uses the pingback hole of WordPress to do so. For more details, see here:

https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/
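As an added illustration (not code from the original post), a small Python script that parses the pingback.ping body quoted above to show which URL WordPress would fetch on the attacker's behalf, and scans Apache access-log lines for the xmlrpc.php POST flood described above. The log lines and the threshold are constructed for the example; the IP address and the XML payload are the ones given in the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Apache combined-log sample (not the post's real log); the
# flooding IP is the one named in the post, the other is an ordinary reader.
ACCESS_LOG = """\
185.130.5.209 - - [16/Jan/2016:19:00:01 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
185.130.5.209 - - [16/Jan/2016:19:00:01 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
185.130.5.209 - - [16/Jan/2016:19:00:02 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [16/Jan/2016:19:00:02 +0800] "GET /lvm-in-ubuntu/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
185.130.5.209 - - [16/Jan/2016:19:00:03 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
"""

# Client IP, request method, path and status code of a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def xmlrpc_post_counts(log_text):
    """Count POST requests to xmlrpc.php per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/xmlrpc.php"):
            counts[m.group("ip")] += 1
    return counts

def flag_flooders(log_text, threshold=3):
    """IPs whose xmlrpc.php POST count reaches the threshold (kept low to fit the sample)."""
    return sorted(ip for ip, n in xmlrpc_post_counts(log_text).items() if n >= threshold)

# The pingback.ping body quoted in the post. In the pingback protocol the first
# param is the source URL, which WordPress fetches to verify the link, and the
# second is the target post on this blog; so the verification fetch hits the victim.
PINGBACK_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
    '<params><param><value><string>http://www.butlerharris.com/?s=a&amp;submit=Search'
    '</string></value></param><param><value><string>https://blog.twei7.com/lvm-in-ubuntu/'
    '</string></value></param></params></methodCall>'
)

def parse_pingback(body):
    """Return the source/target URLs of a pingback.ping call, or None if it is not one."""
    root = ET.fromstring(body)
    urls = [s.text for s in root.findall("./params/param/value/string")]
    if root.findtext("methodName") != "pingback.ping" or len(urls) != 2:
        return None
    return {"source": urls[0], "target": urls[1]}
```

Against the sample, the attacker IP is the only one flagged, and the parsed source URL is the third-party site that the blog would have been fetching on every request.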
