Re: Possible DOS Attack


 



On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand <rgelfand2@xxxxxxxxx> wrote:
> In the last 2 days we have received roughly 1 million of the following requests. Just to confirm, is this a DOS attack?
>
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Probably just broken malware trying to guess WordPress account credentials. It's probably been handed just your host name or IP address and, not having any other victims to target, keeps repeatedly hitting your site. I occasionally see this type of behavior. I have my firewall configured to blackhole the source when there are an unreasonable number of POST requests in a short interval.
 
> Also, what does this mean?
>
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy connection)"

It's checking whether your web server allows the OPTIONS command which might allow other forms of attacks to succeed. I strongly recommend disallowing that HTTP command. Easiest way is via mod_allowmethods: https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

--
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
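
The check described in the reply (an unreasonable number of POST requests from one source in a short interval), as an added example that is not part of the original message or the poster's firewall configuration. The threshold, the window, and the function name are assumptions, and the sample log is constructed from the two lines quoted in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access-log prefix: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flag_post_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Map each source to the time it first reached `threshold` POSTs within `window`.

    threshold and window are assumed values; tune them to the site's normal traffic.
    """
    recent = defaultdict(deque)  # source -> POST timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # unparseable lines and non-POST requests are not counted
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop POSTs that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in flagged:
            flagged[host] = ts
    return flagged

# Constructed sample: the two log lines quoted in the thread (the POST repeated
# with constructed timestamps) plus a constructed low-rate client, 203.0.113.7.
UA = '"-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'
SAMPLE = [
    f'191.96.249.52 - - [20/May/2016:18:19:{s:02d} -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 {UA}'
    for s in (22, 22, 23, 24, 25, 26)
] + [
    '203.0.113.7 - - [20/May/2016:18:19:30 -0400] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "-"',
    '203.0.113.7 - - [20/May/2016:18:25:02 -0400] "POST /wp-login.php HTTP/1.1" 302 - "-" "-"',
    '::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy connection)"',
]

if __name__ == "__main__":
    for source, when in flag_post_floods(SAMPLE).items():
        print(f"{source} reached the POST threshold at {when.isoformat()}")
```

The function expects log lines in time order, as Apache writes them, and its result is the list of sources a firewall rule would then act on.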
