
I noticed my SQL server was down on my WordPress website 2 days ago. I couldn't figure out why I wasn't able to restart the SQL server, so I looked at my logs.

I noticed this one IP was hitting my xmlrpc.php file. The logs look like this:

80.82.xx.xxx - - [06/Oct/2015:07:11:36 -0500] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

The IP is making that request several times a second for hours at a time.

I am not a very experienced sysadmin, and didn't have proper security set up, but in the wake of this happening I:

  • disabled XML-RPC for my WordPress app
  • blacklisted that IP in cPanel & WHM
  • set up Cloudflare and put myself in DDoS mode

I noticed that the IP is now getting a 403 error, whereas previously it wasn't:

80.82.xx.xxx - - [04/Oct/2015:07:02:48 -0500] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

My questions are:

  • Have I taken the proper steps to secure my server? Is there anything else I should do?

  • Are those 403 errors a drain on my system resources?

  • Am I actually getting DDoS-ed or is this something else? It's been going on for 3 days.

  • When would it be safe to lower my Cloudflare settings?

Thank you.

justinw
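To tell a flood like the one in these logs apart from ordinary traffic, it helps to measure it rather than eyeball it. The following is an added example, not code from the original post: it parses Apache combined-format lines like the ones above, counts POSTs to /xmlrpc.php per source IP, splits them by status code (the 500s before the block vs. the 403s after), and flags any IP whose burst rate reaches several hits in one second. The log lines are constructed for the example and use documentation IP ranges, not the poster's real addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same combined log format as the question.
# IPs are from the TEST-NET documentation ranges, not real indicators.
SAMPLE_LOG = """\
198.51.100.23 - - [04/Oct/2015:07:02:48 -0500] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.23 - - [04/Oct/2015:07:02:48 -0500] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.23 - - [04/Oct/2015:07:02:49 -0500] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.23 - - [06/Oct/2015:07:11:36 -0500] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
203.0.113.7 - - [06/Oct/2015:07:11:40 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def xmlrpc_post_stats(lines, path="/xmlrpc.php"):
    """Per-IP totals of POSTs to `path`, split by status, plus the peak hits in any one second."""
    stats = defaultdict(lambda: {"total": 0, "by_status": defaultdict(int), "per_sec": defaultdict(int)})
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or rec["path"] != path:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        s["by_status"][rec["status"]] += 1
        s["per_sec"][rec["ts"]] += 1  # log timestamps have one-second resolution
    return {ip: {"total": s["total"], "by_status": dict(s["by_status"]),
                 "peak_per_sec": max(s["per_sec"].values())} for ip, s in stats.items()}

def flag_bruteforce(stats, peak_threshold=2):
    """IPs whose burst rate against xmlrpc.php reaches the threshold; a browser never POSTs there that fast."""
    return sorted(ip for ip, s in stats.items() if s["peak_per_sec"] >= peak_threshold)

if __name__ == "__main__":
    stats = xmlrpc_post_stats(SAMPLE_LOG.splitlines())
    for ip in flag_bruteforce(stats):
        print(ip, stats[ip])
```

Run it over the real access log (`xmlrpc_post_stats(open("access.log"))`) to see how many requests per second the source actually sustains and how the status mix changed once the IP was blocked; the 403 rows are the cheap rejections, the 500 rows are the ones that were reaching the database.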

1 Answer


Have I taken the proper steps to secure my server? Is there anything else I should do?

You have mitigated this particular attack, but I wouldn't trust your "server", as it became a piece of compromised garbage the second after you installed cPanel/WHM. I suggest you learn proper server administration, reinstall the server from scratch and avoid installing such nonsense in the future.

Also, I would never consider WordPress secure; consider using Ghost or a static site to lower your attack surface and resource usage.

Are those 403 errors a drain on my system resources?

A tiny bit, but any decent server should be able to respond with hundreds of 403s per second with plenty of resources left.

Am I actually getting DDoS-ed or is this something else? It's been going on for 3 days.

This is an involuntary DoS. The real motive of the attack is to brute-force the admin credentials to your blog, but by sending so many requests per second they managed to overload your DB. Also, if it's coming from a single IP, it's merely a DoS, not a DDoS (which means distributed, i.e. multiple sources).

When would it be safe to lower my Cloudflare settings?

Well, as you saw yourself, Cloudflare didn't do much against this attack, so I guess it doesn't make any difference. In my personal opinion, the only things they're good at are hiding the real IP of your server and shielding it from bandwidth-exhaustion attacks, but anything else, such as these valid (but still malicious) requests, still passes through.

André Borie
  • Thanks André - my friend who I went to with this issue said a lot of the same stuff as you, especially about cPanel/WHM, and suggested I start using DigitalOcean and learn proper sysadmin. Also, a note about Cloudflare: it *wasn't* set up prior to the attack, so I'm unsure if it would have helped. – justinw Oct 06 '15 at 15:31
  • @Quoid DigitalOcean is a good option, though I would suggest Linode, which has slightly better performance for the same price. Just beware of the many cheap VPS providers that are run on old, compromised machines in some guy's basement, and definitely stay away from any server company that uses WHM themselves (sadly, there are many of them). – André Borie Oct 06 '15 at 20:46