Re: Possible DOS Attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> Date: Friday, May 20, 2016 16:09:58 -0700
> From: Kurtis Rader <krader@xxxxxxxxxxxxx>
>
> On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand
> <rgelfand2@xxxxxxxxx> wrote:
> 
>> In the last 2 days we have received roughly 1milion of the
>> following requests.  Just to confirm, is this a DOS attack?
>> 
>> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
>> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows
>> NT 6.0)"
>> 
> 
> Probably just broken malware trying to guess WordPress account
> credentials. It's probably been handed just your host name or IP
> address and, not having any other victims to target, keeps
> repeatedly hitting your site. I occasionally see this type of
> behavior. I have my firewall configured to blackhole the source
> when there are an unreasonable number of POST requests in a short
> interval.
> 
> 
>> Also, what does this mean?
>> 
>> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
>> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
>> connection)"
>> 
> 
> It's checking whether your web server allows the OPTIONS command
> which might allow other forms of attacks to succeed. I strongly
> recommend disallowing that HTTP command. Easiest way is via
> mod_allowmethods:
> https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

This:

  > ::1 - - [20/May/2016:18:26:09 -0400] ...

is coming from your localhost-ipv6 -- i.e., these are being generated
by something on the server itself.

In the case of the connections from "191.96.249.52" ... I would just
firewall off that ip (and associated range as necessary) with
iptables.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux