"not found or unable to stat" crashes our site


Our server started to get hit with a particular URL from many different IPs. The URL was for the file wp-login.php. We are running PHP but we are not running WordPress. This looks like some sort of brute force attack. We have thousands of error log entries that look like this:

[Mon Sep 25 08:49:02.199784 2017] [:error] [pid 55904] [client 85.101.234.119:62848] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:52:59.426923 2017] [:error] [pid 62559] [client 157.50.13.248:57481] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:59:24.561571 2017] [:error] [pid 73252] [client 42.115.49.147:39332] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 09:03:36.470029 2017] [:error] [pid 74502] [client 24.14.179.217:34758] script '/var/www/html/wp-login.php' not found or unable to stat

Eventually we get the following error log entry:

[Tue Sep 26 07:31:04.925077 2017] [mpm_prefork:error] [pid 53301] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Then we start getting thousands of these entries:

[Tue Sep 26 07:40:26.028058 2017] [core:notice] [pid 53301] AH00051: child pid 61097 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:27.032093 2017] [core:notice] [pid 53301] AH00051: child pid 61118 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:28.032829 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:40:38.034664 2017] [core:notice] [pid 53301] AH00051: child pid 61127 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:38.035026 2017] [core:notice] [pid 53301] AH00051: child pid 61116 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:38.035068 2017] [core:notice] [pid 53301] AH00051: child pid 61115 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:39.499756 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:40:49.501294 2017] [core:notice] [pid 53301] AH00051: child pid 73499 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501632 2017] [core:notice] [pid 53301] AH00051: child pid 73498 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501667 2017] [core:notice] [pid 53301] AH00051: child pid 73500 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501764 2017] [core:notice] [pid 53301] AH00051: child pid 61188 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:49.501797 2017] [core:notice] [pid 53301] AH00051: child pid 61170 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:50.509833 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:41:00.512913 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Tue Sep 26 07:41:10.529013 2017] [core:notice] [pid 53301] AH00051: child pid 61268 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:41:10.535317 2017] [core:notice] [pid 53301] AH00051: child pid 61201 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:41:10.535367 2017] [core:notice] [pid 53301] AH00051: child pid 61204 exit signal Bus error (7), possible coredump in /etc/apache2

Then we have literally 100 or more apache2 processes running and our swap space maxes out and the server comes to a crawl and is unresponsive.

I temporarily fixed it by putting a blank wp-login.php page in the root and restarting apache. But now I can reproduce the same behavior by simply making a request to a bogus URL. I get a 404 but I also get more apache2 processes running and the same log entries.

I don’t know very much about Apache and its configuration. Is there anyone that can help me with this issue?

Thanks,

Warren
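
A triage sketch for the log pattern in the message above, added here as an example and not part of the original post: it counts requests for missing scripts per path and per distinct client, and tallies the worker-exhaustion message IDs that follow. The function name `triage` and the report layout are assumptions; the sample lines are copied from the message.

```python
import re
from collections import Counter, defaultdict

# Sample input: eight lines copied from the log excerpts quoted in the message.
SAMPLE_LOG = """\
[Mon Sep 25 08:49:02.199784 2017] [:error] [pid 55904] [client 85.101.234.119:62848] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:52:59.426923 2017] [:error] [pid 62559] [client 157.50.13.248:57481] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 08:59:24.561571 2017] [:error] [pid 73252] [client 42.115.49.147:39332] script '/var/www/html/wp-login.php' not found or unable to stat
[Mon Sep 25 09:03:36.470029 2017] [:error] [pid 74502] [client 24.14.179.217:34758] script '/var/www/html/wp-login.php' not found or unable to stat
[Tue Sep 26 07:31:04.925077 2017] [mpm_prefork:error] [pid 53301] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Tue Sep 26 07:40:26.028058 2017] [core:notice] [pid 53301] AH00051: child pid 61097 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:27.032093 2017] [core:notice] [pid 53301] AH00051: child pid 61118 exit signal Bus error (7), possible coredump in /etc/apache2
[Tue Sep 26 07:40:28.032829 2017] [mpm_prefork:error] [pid 53301] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
"""

# Request for a script that does not exist; captures client address and path.
PROBE = re.compile(r"\[client (?P<ip>\S+):\d+\] script '(?P<path>[^']+)' not found or unable to stat")
AH_ID = re.compile(r"\b(AH\d{5}):")
# Message IDs that appear in the quoted log once the server runs out of workers.
EXHAUSTION = {
    "AH00161": "MaxRequestWorkers reached",
    "AH00159": "fork failed",
    "AH00051": "child exited on a signal",
}

def triage(text):
    """Summarise missing-script probes and resource-exhaustion events."""
    hits, clients, events = Counter(), defaultdict(set), Counter()
    first_exhaustion = None
    for line in text.splitlines():
        probe = PROBE.search(line)
        if probe:
            hits[probe["path"]] += 1
            clients[probe["path"]].add(probe["ip"])
            continue
        ah = AH_ID.search(line)
        if ah and ah[1] in EXHAUSTION:
            events[ah[1]] += 1
            if first_exhaustion is None:
                # Timestamp is the first bracketed field of the line.
                first_exhaustion = line[1:line.index("]")]
    probes = {p: {"hits": n, "distinct_clients": len(clients[p])} for p, n in hits.items()}
    return {"probes": probes, "events": dict(events), "first_exhaustion": first_exhaustion}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, stats in report["probes"].items():
        print(f"{path}: {stats['hits']} hits from {stats['distinct_clients']} clients")
    for code, count in report["events"].items():
        print(f"{code} ({EXHAUSTION[code]}): {count}")
    print("first exhaustion event:", report["first_exhaustion"])
```

A hit count close to the distinct-client count, as in this sample, means each address appears only about once, so a per-IP threshold on its own would not match these requests.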





