Crazy WordPress DDoS Attack

MeanServers Member, Host Rep

Hey All,

We usually have DDoS attacks anytime we post a LET offer, go figure, but most of the time it doesn't really affect us. This time, we were smacked by something that we have never seen before and were wondering if anyone else has experienced a similar DDoS attack? It was essentially made by remote WordPress sites, thousands of them, and it started within about 10 minutes of posting our offer. We have since mitigated the issue after about 90 minutes of slowness on our website. At its peak, it was pulling about 10Mbps, not very big in terms of a DDoS attack but clearly causing a load on the server.

Our access log has a couple hundred thousand of the following entries, always similar, never the same (probably why our normal modes of protection were no good). This is just a very small sample:

108.174.151.74 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.pentlargelaw.com"
108.45.120.51 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.deepmarket.com"
91.135.235.15 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/2.9.1; http://www.backyardadventures.co.uk"
204.147.202.36 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.1; http://sounddesign.sva.edu"
64.207.177.124 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.2; http://www.outlandexposure.com"
194.29.153.16 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.1; http://www.ztmind.il.pw.edu.pl"
61.195.154.212 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1.4; http://www.ishp.co.jp"
173.245.51.67 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.1" 403 531 "-" "WordPress/4.0.1; http://www.click2005.org; verifying pingback from 192.99.71.21"
108.45.120.51 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.deepmarket.com"
198.63.32.250 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://hausinteriordesign.com"
216.157.17.136 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.4.2; http://www.isreligion.org"
216.187.153.138 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.4.2; http://www.pinecc.com"
69.164.211.147 - - [25/Feb/2015:12:01:31 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/4.1; http://www.themains.net; verifying pingback from 192.99.71.21"

Anyone else experience this or seen this type of attack before?

Guess just another reason to avoid WordPress like the plague.
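The log excerpt above is enough to triage this kind of flood from the shell. The script below is an added example (not from the original post or from MeanServers); it embeds the post's log lines as a constructed sample, with one ordinary browser request added so the filters have something to leave alone, and shows how to count the WordPress-agent requests, list the distinct client IPs, and pull out the "verifying pingback from" address that linuxthefish later points at.

```shell
#!/bin/sh
# Triage helper for the access-log pattern in the post (added example, not the
# poster's tooling). Reads combined-format log lines on stdin. Splitting on the
# double quote with -F'"' puts the request in $2 and the User-Agent in $6.

# Constructed sample input: the log lines quoted in the post, plus one ordinary
# browser request (documentation address 203.0.113.9) that must not match.
SAMPLE_LOG='108.174.151.74 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.pentlargelaw.com"
108.45.120.51 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.deepmarket.com"
91.135.235.15 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/2.9.1; http://www.backyardadventures.co.uk"
204.147.202.36 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.1; http://sounddesign.sva.edu"
64.207.177.124 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.2; http://www.outlandexposure.com"
194.29.153.16 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.3.1; http://www.ztmind.il.pw.edu.pl"
61.195.154.212 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1.4; http://www.ishp.co.jp"
173.245.51.67 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.1" 403 531 "-" "WordPress/4.0.1; http://www.click2005.org; verifying pingback from 192.99.71.21"
108.45.120.51 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://www.deepmarket.com"
198.63.32.250 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.1; http://hausinteriordesign.com"
216.157.17.136 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.4.2; http://www.isreligion.org"
216.187.153.138 - - [25/Feb/2015:12:01:30 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/3.4.2; http://www.pinecc.com"
69.164.211.147 - - [25/Feb/2015:12:01:31 -0700] "GET / HTTP/1.0" 403 494 "-" "WordPress/4.1; http://www.themains.net; verifying pingback from 192.99.71.21"
203.0.113.9 - - [25/Feb/2015:12:01:31 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0"'

# Number of requests whose User-Agent announces itself as WordPress.
wp_hits() {
    awk -F'"' '$6 ~ /^WordPress\// { n++ } END { print n + 0 }'
}

# Unique client IPs behind those requests (the WordPress sites doing the fetching).
wp_source_ips() {
    awk -F'"' '$6 ~ /^WordPress\// { split($1, a, " "); print a[1] }' | sort -u
}

# WordPress appends "verifying pingback from <ip>" when the fetch is a pingback
# verification; that <ip> is the client that submitted the pingback to the
# WordPress site, i.e. the address worth reporting. Print each one once.
pingback_origins() {
    awk -F'"' '$6 ~ /verifying pingback from/ {
        s = $6
        sub(/.*verifying pingback from /, "", s)
        sub(/[^0-9.].*$/, "", s)
        print s
    }' | sort -u
}

# Distribution of reported WordPress versions, most common first.
wp_versions() {
    awk -F'"' '$6 ~ /^WordPress\// { split($6, p, ";"); print p[1] }' | sort | uniq -c | sort -rn
}

# Summary when run directly; pipe a real log in instead of the sample, e.g.
#   wp_source_ips < /var/log/apache2/access.log > attackers.txt
echo "WordPress-UA requests: $(printf '%s\n' "$SAMPLE_LOG" | wp_hits)"
echo "Unique source IPs:     $(printf '%s\n' "$SAMPLE_LOG" | wp_source_ips | awk 'END { print NR }')"
echo "Pingback origins:      $(printf '%s\n' "$SAMPLE_LOG" | pingback_origins | tr '\n' ' ')"
```

Two things worth noticing in the sample itself: every line is already a 403, so the server was refusing the requests yet still paying for each connection and request parse, which is why the load remained; and the two "verifying pingback from" entries both name the same address, which is the one place in the log that identifies the client feeding pingbacks to those sites rather than the sites themselves.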

Comments

  • raindog308 Administrator, Veteran

    Maybe if you were Nice Servers instead of Mean Servers people would be, well, nicer :-)

    Thanked by 3: Termiet, yomero, rahulks
  • adxn Member, Host Rep

    It is a XMLRPC attack!

  • Block WordPress user agent in your virtual host conf should help a lot.

    Thanked by 3: adxn, MeanServers, Blanoz
  • MeanServers Member, Host Rep

    @Patrick said:
    Block WordPress user agent in your virtual host conf should help a lot.

    Yepp that's what solved it for us. Sorry, forgot to post the solution.
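Patrick's suggestion, spelled out as an added example (not the actual vhost change MeanServers made): a small script that renders the User-Agent block for Apache 2.4 or nginx and lets you dry-run the pattern against user agents from the log before deploying it. The pattern `^WordPress/`, the environment variable name `block_ua` and the helper names are my assumptions.

```shell
#!/bin/sh
# Generate a User-Agent block for the web server in front of the site (added
# example, not the configuration the poster used). The pattern and the env
# variable name "block_ua" are assumptions; adjust to taste.

UA_PATTERN='^WordPress/'

# Exit 0 when the given User-Agent string would be refused by the pattern.
# Run it over UAs pulled from the access log before deploying, so an
# over-broad regex does not also catch a crawler you want to keep.
ua_matches() {
    printf '%s' "$2" | grep -Eq -- "$1"
}

# How many requests in a combined-format log (stdin) the pattern would refuse.
ua_hits_in_log() {
    awk -F'"' -v pat="$1" '$6 ~ pat { n++ } END { print n + 0 }'
}

# Apache 2.4 snippet: tag matching requests with an env var, then deny them.
render_apache_ua_block() {
    cat <<EOF
# Refuse requests whose User-Agent matches $1
SetEnvIfNoCase User-Agent "$1" block_ua
<Location "/">
    <RequireAll>
        Require all granted
        Require not env block_ua
    </RequireAll>
</Location>
EOF
}

# nginx equivalent, to be placed inside the server { } block.
render_nginx_ua_block() {
    cat <<EOF
# Refuse requests whose User-Agent matches $1
if (\$http_user_agent ~* "$1") {
    return 403;
}
EOF
}

# Demo when run directly: check the pattern against one UA from the log
# excerpt, then print the Apache snippet.
if ua_matches "$UA_PATTERN" "WordPress/3.1; http://www.pentlargelaw.com"; then
    echo "pattern catches the WordPress pingback fetcher"
fi
render_apache_ua_block "$UA_PATTERN"
```

Two caveats. A 403 issued by the web server still costs a TCP connection, any TLS handshake and the request parse, so this stops the application (PHP, database) from doing work per request but does not remove the packets from the box; that is the gap null-routing fills. And any site that itself runs WordPress and wants pingbacks loses them with this rule, since legitimate pingback verification fetches carry the same User-Agent.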

  • linuxthefish Member
    edited February 2015

    report abuse to the IP triggering all these pingbacks also, 192.99.71.21.

    [email protected]

  • SpeedBus Member, Host Rep

    MeanServers said: Yepp that's what solved it for us. Sorry, forgot to post the solution.

    What's the fix that you've used if you don't mind sharing?

  • adxn Member, Host Rep

    Patrick said: Block WordPress user agent in your virtual host conf should help a lot.

    try that!

  • SpeedBus Member, Host Rep

    aah yes, sorry forgot to read that bit :/

  • matthewvz Member, Host Rep

    @SpeedBus:

    @Patrick said:
    Block WordPress user agent in your virtual host conf should help a lot.


    @MeanServers said:
    Yepp that's what solved it for us. Sorry, forgot to post the solution.

    Thanked by 1: SpeedBus
  • adxn Member, Host Rep
    edited February 2015

    All those WordPress sites are the hacked sites where a shell (XMLRPC Shell) is injected and the attackers are using those sites to attack. There are 162,000 WordPress-powered websites!

    Thanked by 1: MeanServers
  • @MeanServers, if the useragent consistently contains "WordPress" block it using fail2ban.

    Better to nullroute the individual IPs, and firewall whole subnets if there are numerous IPs in the subnet, IMHO. Or, use Ipsets.

    Thanked by 1: MeanServers
  • MeanServers Member, Host Rep

    @geekalot said:
    MeanServers, if the useragent consistently contains "WordPress" block it using fail2ban.

    Better to nullroute the individual IPs, and firewall whole subnets if there are numerous IPs in the subnet, IMHO. Or, use Ipsets.

    Thousands of individual IP addresses. Still busy collecting them all so I can just run a few commands in one go to the router nullrouting them =D

  • MeanServers Member, Host Rep

    @adxn said:
    All those WordPress sites are the hacked sites where a shell (XMLRPC Shell) is injected and the attackers are using those sites to attack. There are 162,000 WordPress-powered websites!

    Thanks for the extra insight!

  • @MeanServers, You can nullroute 1000's automatically via fail2ban ... without any major impact on performance.

    PM if you want to discuss further. (Don't want to fan any "flame wars" or disclose too much as your attackers are obviously lurking here as well).

  • MeanServers Member, Host Rep

    @geekalot said:
    MeanServers, You can nullroute 1000's automatically via fail2ban ... without any major impact on performance.

    PM if you want to discuss further. (Don't want to fan any "flame wars" or disclose too much as your attackers are obviously lurking here as well).

    Thanks but we will be banning them network wide to prevent them from harming any customers in the future as well. Just means the IPs need to be formatted and run as a batch in our router instead, not really a big inconvenience.
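geekalot's point about null-routing individual IPs but firewalling a whole subnet once it contributes many of them, and MeanServers' plan to push the list as one batch, can be combined in a script like this added example (not the batch MeanServers ran on their router). It reads a raw IP list, deduplicates it, folds any /24 that holds at least a threshold of attackers into one network entry, and writes an `ipset restore` file. The set names, the default threshold of 4 and the sample addresses from the 192.0.2.0/24 documentation range are my assumptions.

```shell
#!/bin/sh
# Turn a raw list of attacking IPs into ipset entries, collapsing any /24 that
# contributes THRESHOLD or more addresses into a single network entry (added
# example, not the router batch from the thread). Set names wp-block-ip and
# wp-block-net and the default threshold of 4 are assumptions.

# Constructed input: the unique client IPs from the log excerpt in the thread,
# plus a cluster from the documentation range 192.0.2.0/24 (one of them
# repeated) and one junk line, to exercise deduplication and input validation.
SAMPLE_IPS='108.174.151.74
108.45.120.51
91.135.235.15
204.147.202.36
64.207.177.124
194.29.153.16
61.195.154.212
173.245.51.67
198.63.32.250
216.157.17.136
216.187.153.138
69.164.211.147
192.0.2.10
192.0.2.11
192.0.2.12
192.0.2.13
192.0.2.10
not-an-ip'

# Read IPs on stdin, write an `ipset restore` script on stdout.
# $1 = how many distinct attackers a /24 needs before the whole /24 is blocked.
plan_blocks() {
    awk -v t="${1:-4}" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            if (seen[$0]++) next                  # drop exact duplicates
            split($0, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            cnt[net]++
            members[net] = members[net] " " $0
        }
        END {
            # create lines must precede the add lines in a restore file
            print "create wp-block-ip hash:ip family inet hashsize 4096 maxelem 262144"
            print "create wp-block-net hash:net family inet"
            for (net in cnt) {
                if (cnt[net] >= t) {
                    print "add wp-block-net " net
                } else {
                    n = split(members[net], a, " ")
                    for (i = 1; i <= n; i++) if (a[i] != "") print "add wp-block-ip " a[i]
                }
            }
        }'
}

# Demo when run directly; feed a real list instead, e.g.
#   plan_blocks 4 < attackers.txt > wp-block.restore
printf '%s\n' "$SAMPLE_IPS" | plan_blocks 4
```

Load the result with `ipset -exist restore < wp-block.restore`, then hook both sets into the input chain once: `iptables -I INPUT -m set --match-set wp-block-ip src -j DROP` and the same line with `wp-block-net`. Dropping at the packet filter is what removes the connection cost that a web-server 403 still pays, and hash sets keep lookup cost flat however many thousands of entries the list grows to. The threshold is the trade-off geekalot's "numerous IPs in the subnet" condition encodes: a /24 entry takes out everything in that range, including uninvolved neighbours on shared hosting, so keep it high enough that a single compromised site never drags its whole network along.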

  • @MeanServers said:
    Thanks but ...

    OK

    Cheers

  • Ever wondered why 95% of those are OVH IPs? Because OVH doesn't care about it at all.

    Thanked by 1: Pwner
  • Any chance you can share the IP list, so that others can block them as well?

  • MeanServers Member, Host Rep

    @isaacl said:
    Any chance you can share the IP list, so that others can block them as well?

    Certainly! http://www.meanservers.com/max/wordpress-wall-of-shame.txt.bz2

    The file is in its raw format so you can do what you would like with the data; the uncompressed version is just around 1.1GB FYI.

    Thanked by 4: Cryck, Blanoz, nadz, black