January 3, 2014
Jan 1, 2014 WordPress Attack
A site I monitor saw 1185 requests from 94.138.x.x between Jan 01 05:32:41 and 06:21:09 UTC looking for non-existent pages. This site runs on a small server, and WordPress tried to handle the errors in its slow and complicated way. As a result, Apache and MySQL were overloaded.
I believe the goal of the attack was to identify vulnerable software on the web server. Taking the server down was a side effect.
Error log samples
[Wed Jan 01 05:56:19 2014] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Wed Jan 01 06:16:44 2014] [error] [client] WordPress database error MySQL server has gone away for query UPDATE `wp_options` SET `option_value` = 'a:3:{i:0;b:0;s:43:\\"events-calendar-pro/events-calendar-pro.php\\";s:19:\\"tribe_ecp_uninstall\\";s:39:\\"options-framework/options-framework.php\\";s:31:\\"optionsframework_delete_options\\";}' WHERE `option_name` = 'uninstall_plugins' made by require('wp-blog-header.php'), require_once('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), include_once('/plugins/options-framework/options-framework.php'), register_uninstall_hook, update_option
Apache was unable to fork new processes, and MySQL stopped responding.
Useful commands
I found some helpful bash commands on various blogs for searching through Apache logs. These were particularly handy:
Count rows with IP address
grep -c '94.138.x.x' access.log    # IP redacted here as in the text above; use the full address
Get rows with an IP address
grep '94.138.x.x' access.log
Get just URLs requested (saved to a file for later review)
grep '94.138.x.x' access.log | awk -F'"' '{print $2}' > ~/jan01-badreqs.txt
I’ve added some lines to .htaccess to block WordPress from handling certain requests which I know will result in 404s. Apache will send a 404 response right away, before PHP handles the request.
Fail2Ban would also be a good idea. It could detect a user accessing more than some number of URLs resulting in 404s, and block them from accessing the site temporarily.
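The following script is an added example, not code from the original post: it turns the one-liners above into reusable shell functions and then does the per-client 404 counting a Fail2Ban jail would key on, flagging any address that produced a burst of 404s inside one calendar minute. The log lines are constructed, the address 94.138.0.1 is a placeholder standing in for the redacted 94.138.x.x, and the function names are my own. It assumes the Apache combined log format, where field 1 is the client, field 4 holds the timestamp, field 7 the requested path and field 9 the status code.

```shell
#!/bin/sh
# Added example (not from the original post). Triage of an Apache combined-format
# access log: requests and URLs per client, then 404 bursts per client, which is
# the signal a Fail2Ban filter with findtime/maxretry would act on.

# Constructed sample log. 94.138.0.1 is a placeholder for the redacted 94.138.x.x
# in the post; 203.0.113.7 is an ordinary visitor with one genuine 404.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
94.138.0.1 - - [01/Jan/2014:05:32:41 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 213 "-" "Mozilla/5.0"
94.138.0.1 - - [01/Jan/2014:05:32:42 +0000] "GET /wp-content/plugins/bar/readme.txt HTTP/1.1" 404 213 "-" "Mozilla/5.0"
94.138.0.1 - - [01/Jan/2014:05:32:43 +0000] "GET /wp-content/themes/baz/style.css HTTP/1.1" 404 213 "-" "Mozilla/5.0"
94.138.0.1 - - [01/Jan/2014:05:32:44 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:05:33:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:05:33:12 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:05:33:15 +0000] "GET /missing HTTP/1.1" 404 213 "-" "Mozilla/5.0"
EOF

# Number of requests from one client ("count rows with IP address"). Comparing
# field 1 as a whole string avoids the prefix matches a plain grep would give.
count_requests() {  # usage: count_requests LOG IP
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# Distinct paths one client asked for ("get just URLs requested"). Field 7 is
# the path inside the quoted request line of the combined format.
urls_for_ip() {  # usage: urls_for_ip LOG IP
    awk -v ip="$2" '$1 == ip { print $7 }' "$1" | sort -u
}

# 404 responses per client, busiest first. Field 9 is the HTTP status code.
top_404_clients() {  # usage: top_404_clients LOG
    awk '$9 == 404 { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Clients that produced at least MAX 404s within a single calendar minute,
# roughly what a Fail2Ban jail does with findtime/maxretry. Field 4 looks like
# "[01/Jan/2014:05:32:41"; substr() keeps "01/Jan/2014:05:32" as the bucket key.
flag_404_bursts() {  # usage: flag_404_bursts LOG MAX
    awk -v max="$2" '
        $9 == 404 { key = $1 " " substr($4, 2, 17); n[key]++ }
        END {
            for (key in n) if (n[key] >= max) { split(key, k, " "); seen[k[1]] = 1 }
            for (ip in seen) print ip
        }' "$1" | sort
}

echo "Requests from 94.138.0.1: $(count_requests "$SAMPLE_LOG" 94.138.0.1)"
echo "URLs requested by 94.138.0.1:"
urls_for_ip "$SAMPLE_LOG" 94.138.0.1
echo "404s per client:"
top_404_clients "$SAMPLE_LOG"
echo "Clients with at least 3 404s inside one minute (ban candidates):"
flag_404_bursts "$SAMPLE_LOG" 3
```

On the sample, the placeholder attacker is the only client flagged at a threshold of 3; the ordinary visitor with one stray 404 is not. A per-minute bucket is a coarse stand-in for a true sliding window, so a burst straddling a minute boundary can slip under the threshold; Fail2Ban's findtime handles that properly, which is why the post suggests it rather than a cron job over the log.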
Some URLs requested during the attack