0

In the last weeks I have had more incoming than outgoing traffic, and when I look at my access log I get more than 100.000 of these requests per hour. Because the IP address is from localhost I have no idea how to block this attack.

127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 571
127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 573
127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 577
127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 559
127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 571
127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 570
127.0.0.1 - - [26/Mar/2015:21:29:15 +0100] "POST /wp-login.php HTTP/1.0" 404 572
Johan

1 Answer

0

Have you tried to identify the process name that is sending these requests? Check tcpdump for the source port number of the packets. Then run sudo netstat -a -u -n --program. Look for the PID/Program name matching the source port number. Then you should determine if this program is legitimate and acting in the way you expect.

5kKate
  • Thanks for your suggestion. I tried the tcpdump, but I couldn't figure out what everything means. But the problem is already solved, I have no more attacks. The attacker probably figured out it is of no use since the WordPress site is now removed. – Johan Mar 30 '15 at 19:19
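
The port-to-process matching suggested in the answer can be done in one pass over the socket table. This is an added example, not code from the question or the answer; it reads TCP sockets (`netstat -t -n -p`) because HTTP runs over TCP, and the function names `loopback_clients` and `sample_netstat`, the program names and the sample rows are all constructed for illustration.

```shell
#!/bin/sh
# Added example: which local programs connect to the web server over loopback?
# Real input:  sudo netstat -t -n -p | loopback_clients 80
#   (-t = TCP sockets, -n = numeric addresses, -p = owning PID/Program name)

# Count client-side sockets (127.0.0.1 -> 127.0.0.1:PORT) per owning program.
loopback_clients() {
    port="$1"
    awk -v port="$port" '
        # Client side of a local connection: the local end is an ephemeral
        # port on 127.0.0.1 and the foreign end is 127.0.0.1:PORT
        # (the "(^|:)" also accepts the ::ffff:127.0.0.1 form).
        $1 ~ /^tcp/ && $4 ~ /(^|:)127\.0\.0\.1:[0-9]+$/ &&
        $5 ~ ("(^|:)127\\.0\\.0\\.1:" port "$") {
            # "PID/Program name" starts at field 7 and may contain spaces.
            owner = $7
            for (i = 8; i <= NF; i++) owner = owner " " $i
            # Closed sockets (e.g. TIME_WAIT) have no process; netstat prints "-".
            if (owner == "-") owner = "(no owner, socket already closed)"
            count[owner]++
        }
        END { for (o in count) print count[o], o }
    ' | sort -rn
}

# Constructed sample of `netstat -t -n -p` output (not taken from the question).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:48212         127.0.0.1:80            ESTABLISHED 2314/exampled
tcp        0      0 127.0.0.1:48214         127.0.0.1:80            ESTABLISHED 2314/exampled
tcp        0      0 127.0.0.1:48190         127.0.0.1:80            TIME_WAIT   -
tcp        0      0 127.0.0.1:80            127.0.0.1:48212         ESTABLISHED 901/httpd
tcp        0      0 127.0.0.1:80            127.0.0.1:48214         ESTABLISHED 901/httpd
tcp        0      0 127.0.0.1:39000         127.0.0.1:3306          ESTABLISHED 901/httpd
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 1200/sshd: admin
EOF
}

# Demo on the constructed sample: prints one "count owner" line per program.
sample_netstat | loopback_clients 80
```

Short-lived connections mostly show up without an owner, so on a busy server run the capture several times and look at the rows that do carry a PID.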