> Date: Saturday, May 21, 2016 09:22:24 -0400
> From: "D'Arcy J.M. Cain" <darcy@xxxxxxx>
>
> On 5/20/16 4:00 PM, Roman Gelfand wrote:
>> In the last 2 days we have received roughly 1 million of the
>> following requests. Just to confirm, is this a DOS attack?
>>
>> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
>> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows
>> NT 6.0)"
>
> That looks like a break-in attempt. The effect may be a DOS but I
> believe that the intent is more sinister. They want to break into
> your system and take it over. You would think that once they got
> the first 251 response their code would be smart enough to move on
> to the next victim, but if the coders of these things were smart
> they would be making real money with legitimate work.
>
> Wouldn't life as an ISP be so much better if we could wipe PHP off
> our servers? I know mine would.

One note -- the values listed after the "HTTP/1.0" are the return/status
code and then the number of bytes returned. So, the response:

    ... HTTP/1.0" 500 251

indicates a "500" status code, with 251 bytes returned. A "500" status
code is an "internal server error", generally an indication of some type
of mal-configuration. There isn't (officially) a 251 status code; rather,
the "251" is the error message byte count, not an indication of success.

Because that wasn't a "404" (not found) error, I suspect that WP, and
hence /xmlrpc.php, is installed but that that explicit exploit attempt
failed -- not to say that other aspects of that WP site aren't
vulnerable. If WP isn't being actively maintained it should be removed.
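As an added example (not code from the thread or from the list), the script below reads Apache combined-format access log lines the way the note above describes, separates the status code from the byte count, and tallies POST /xmlrpc.php requests per client IP and status so a flood like the one Roman reports stands out; apart from the line quoted in the thread, the sample log lines and the threshold are constructed.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_access_line(line):
    """Return the fields of one combined-format line, or None if it does not match.
    %b is '-' when no body was sent; report that as 0 bytes."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])          # e.g. 500: the HTTP status code
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # e.g. 251: body size
    return rec

def xmlrpc_post_summary(lines):
    """Count POST /xmlrpc.php requests per (client IP, status code)."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            counts[(rec["ip"], rec["status"])] += 1
    return counts

def flood_sources(lines, threshold):
    """Client IPs whose POST /xmlrpc.php count (any status) reaches the threshold."""
    per_ip = Counter()
    for (ip, _status), n in xmlrpc_post_summary(lines).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample: the line from the thread, repeated, plus made-up neighbours
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    '191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    '191.96.249.52 - - [20/May/2016:18:19:24 -0400] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    '203.0.113.7 - - [20/May/2016:18:19:25 -0400] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/May/2016:18:19:26 -0400] "POST /xmlrpc.php HTTP/1.1" 404 - "-" "curl/7.47.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for (ip, status), n in sorted(xmlrpc_post_summary(SAMPLE_LOG).items()):
        print(f"{ip:16} status={status} count={n}")
    print("flood sources:", flood_sources(SAMPLE_LOG, threshold=3))
```

A 404 in the summary means the path is not being served at all, while repeated 500s with the same byte count, as in the thread, point at an installed but failing endpoint.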