LinuxQuestions.org

Linux - Security forum thread: Server very high load when wordpress was attacked (https://www.linuxquestions.org/questions/linux-security-4/server-very-high-load-when-wordpress-was-attacked-4175555676/)

chobong 10-09-2015 12:21 AM

Server very high load when wordpress was attacked
 
Hi All

My wordpress was attacked and it put my server under very high load. After that users couldn't connect to any of the other websites on the same server. It seems wordpress took all the resources of the server at that time.
I checked and found so many strange logs from a single IP.
Quote:

wp-content/plugins/ztmxl.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1
/wp-content/uploads/class.salt.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 18135 "-" "-"
/wp-includes/Text/class.salt.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 18135 "-" "-"
...
Most of the requests have this "450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1"

Could you please help in this issue?

Thanks a lot.

angel115 10-09-2015 05:23 AM

Did you try to install fail2ban?

This is what you need to automatically ban IPs with bad behavior.

Habitual 10-09-2015 05:54 AM

I stuck abdullkarem into my filter.conf a while ago.
1 hit and they're toast.

chobong 10-11-2015 10:54 PM

Thanks a lot for your help angel115 and Habitual

But this log came from an attack? What attack? Brute force or something else?

Could you please explain this to me in more detail?

Thank you.

frankbell 10-11-2015 11:21 PM

Random attacks and port scans are a fact of online life.

Not nice folks are constantly looking for vulnerabilities. They don't care who you are. They just want you for your vulnerabilities.

chobong 10-12-2015 01:58 AM

Thank you Frankbell

fastdns 10-12-2015 04:36 PM

Need help please
 
Hi Habitual,

Quote:

Originally Posted by Habitual (Post 5432086)
I stuck abdullkarem into my filter.conf a while ago.
1 hit and they're toast.

I am keen to know where this filter.conf is. I run WHM and my server is getting some very bad attacks from these "abdullkarem" scans.

Any help you can provide in blocking this scan would be really appreciated. I have lost my peace of mind because of these ongoing attacks (and my server has skyrocketed to 80 load as I type this).

Help :-(

fastdns 10-12-2015 04:42 PM

Also, I do have some basic tools in place such as:
- ConfigServer Security Firewall
- ConfigServer Exploit Scanner
- Comodo's WAF Mod Security Ruleset
- wp-login protection script (that challenges wordpress's login page)

but none of them seem to help in this case.

Please help.

Habitual 10-12-2015 05:24 PM

Quote:

Originally Posted by fastdns (Post 5433673)
Hi Habitual,

I am keen to know where this filter.conf is. I run WHM and my server is getting some very bad attacks from this "abdullkarem" scans.

You'll need to install fail2ban from the repo.
WHM is CentOS-flavored, so
Code:

sudo yum install fail2ban
sudo touch  /etc/fail2ban/filter.d/myfilter.conf
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After that, we'll proceed.

Sefyir 10-12-2015 08:21 PM

I would also suggest some iptables rules to prevent an IP from DoSing you.

Something like this

Code:

iptables -A INPUT -p tcp -m hashlimit --hashlimit-name NORMAL_USAGE --hashlimit-mode srcip --hashlimit 25/minute --hashlimit-burst 120 -j ACCEPT
iptables -A INPUT -j DROP

IMO, an IP making a ton of requests (legit or not) should slow down if they want to access my server. Shouldn't affect any "human" user.

fastdns 10-12-2015 11:39 PM

Quote:

Originally Posted by Habitual (Post 5433688)
You'll need to install fail2ban from the repo.
WHM is CentOS-flavored, so
Code:

sudo yum install fail2ban
sudo touch  /etc/fail2ban/filter.d/myfilter.conf
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After that, we'll proceed.

Hi Habitual,

I have successfully installed Fail2ban and copied the conf files as advised.

What should be done next ?

Thanks for your help.

angel115 10-13-2015 01:21 AM

To make sure that Fail2ban is working you can do 3 things
  1. ps aux |grep fail
    and you should see the process running
    Code:

    root    21374  0.1  0.3 125428  5736 ?        Sl  May25 231:27 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
  2. iptables --list
    and you should see a rule for each module that you have activated
    Code:

    Chain fail2ban-apache (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

    Chain fail2ban-apache-multiport (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

    Chain fail2ban-apache-noscript (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

    Chain fail2ban-apache-overflows (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

    Chain fail2ban-pam-generic (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

    Chain fail2ban-ssh (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

    Chain fail2ban-ssh-ddos (1 references)
    target    prot opt source              destination
    RETURN    all  --  anywhere            anywhere

  3. From another machine you can run a vulnerability test against your machine and see if the scanning machine gets banned (check with the command above in 'Step 2')
    For example, if the machine you are trying to protect is running a web server, you can do this with nikto
    Ex: nikto -h 10.0.0.2

fastdns 10-13-2015 02:50 AM

Thanks for your input angel, but I haven't really added any rules for the wordpress "abdullkarem" attacks that are going on against my server right now.

My fail2ban is working fine, but I believe I will have to add some specific rule, which Habitual said he added in filter.conf?

Please help and thank you in advance.

Habitual 10-13-2015 08:02 AM

I forgot to ask you to create the action.conf, so
we'll do that below. ;)

You'll need to edit /etc/fail2ban/jail.local and add
Code:

[myfilter]

enabled  = true
filter  = myfilter
port        = http
action  = myaction[name=myfilter, port="http", protocol=tcp]
logpath  = /var/log/apache2/access.log
backend  = polling
findtime = 600
bantime  = 31556926 ; 1 year in seconds
maxretry = 1
ignoreip = 127.0.0.1/8 <do_not_ban0>/32 <do_not_ban1>/32

You'll need to verify that your apache2 access.log is at /var/log/apache2/access.log
before this edit and adjust as necessary.

NOTES:
Spacing counts here! So use either a constant tab or spaces in the edits, but not both.
I suggest spaces. Just make certain that they all "line up" equally on the right-side of the "=" in the jail.local
and all .conf files you edit, and you should be good.

<do_not_ban0> and <do_not_ban1>
are IPs that are excluded from fail2ban, such as your home IP address and/or work IP, etc.
eg:
Code:

123.123.123.123/32
234.234.234.234/32

You can have more than 2 <do_not_ban>/32 IPs...
I also include the server's external internet-facing IP as a good measure.


The filter and action statements:
Code:

filter  = myfilter
action  = myaction

filter points to /etc/fail2ban/filter.d/myfilter.conf
action points to /etc/fail2ban/action.d/myaction.conf

in the (should be) empty file at /etc/fail2ban/filter.d/myfilter.conf, use
Code:

[Definition]

docroot = /var/www/html
badadmin = wp-login.php|abdullkarem

# %(badadmin)s is fail2ban's interpolation of the badadmin value above
failregex = ^<HOST> .*"GET \/(?:%(badadmin)s).*?"
            ^<HOST> .*"POST \/(?:%(badadmin)s).*?"
            ^<HOST> .* client denied by server configuration.*?
            ^<HOST> .* "GET .*abdullkarem.*" .*$

Verify your DocumentRoot (docroot) before this edit, or after, but it must be correct before you start fail2ban.
Spacing counts here (in all .conf files for fail2ban) also.

Now the forgotten myaction.conf:
Create it by editing /etc/fail2ban/action.d/myaction.conf and add:
Code:

[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              /sbin/iptables-save > /root/safe.rules

actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
            iptables -F fail2ban-<name>
            iptables -X fail2ban-<name>
            /sbin/iptables-save > /root/safe.rules

actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            /sbin/iptables-save > /root/safe.rules

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
name = default
port = http
protocol = tcp
chain = INPUT

Now we test our config manually before starting fail2ban:
Code:

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/myfilter.conf
You should see a lot of stuff fly by on the screen.
The "tell" that it is correctly catching bad guys is this line in the Summary of the output:
Code:

Success, the total number of match is <some_number>
NOTE: Excluded IPs will show up in a manual run of the filter.

If the test is NOT successful, verify your edits and re-check manually.

More NOTES:
the reason we use
/etc/fail2ban/jail.local
/etc/fail2ban/filter.d/myfilter.conf
/etc/fail2ban/action.d/myfilter.conf
is because fail2ban 'reads' jail.conf files first then jail.local and custom actions
and custom filters are excluded during package upgrades if they are so named. jail.local
is safe from upgrades also.

I included wp-login.php above because that is usually the first thing attackers
go after, brute forcing your admin account.

IF your site allows other 'users' to login (editors and contributors of 'content'
other than the admin account), you will need to exclude their IPs, or remove
wp-login.php from badadmin in myfilter.conf

myfilter.conf and myaction.conf in those directories can be any name you choose,
and will be excluded if fail2ban is upgraded.

If the test is successful, you then start fail2ban, but...
I suggest you save your IP tables rules first, as fail2ban restarts iptables and those
are stored in memory, so I tend to use
Code:

/sbin/iptables-save > /root/safe.rules
manually first before starting fail2ban.

When fail2ban starts, stops or bans using the above myaction.conf, it will save the iptables rules to /root/safe.rules
as a safety measure.

Code:

bantime  = 31556926 ; 1 year in seconds
bans the bad guys for a whole year.

I hope this helps you out.
fail2ban out of the box, starts sshd protection, but you may wish to add your home and/or work IPs
to the
Code:

[ssh]
...
ignoreip = 127.0.0.1/8 <do_not_ban0>/32 <do_not_ban1>/32
in /etc/fail2ban/jail.local

for good measure.

That should get you started.
I probably forgot something but I pray it's not a fatal omission. :)

Subscribed with interest...
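Added example, not from the thread or from fail2ban itself: it emulates what fail2ban-regex does with the myfilter.conf above (interpolating %(badadmin)s and expanding <HOST>) so the filter can be checked offline against constructed log lines before starting the service. The <HOST> pattern is a simplified IPv4-only stand-in for fail2ban's own, and the sample IPs and timestamps are made up.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; fail2ban's
# real pattern also accepts IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
BADADMIN = "wp-login.php|abdullkarem"

# The four failregex lines from myfilter.conf, verbatim.
FAILREGEX = [
    r'^<HOST> .*"GET \/(?:%(badadmin)s).*?"',
    r'^<HOST> .*"POST \/(?:%(badadmin)s).*?"',
    r'^<HOST> .* client denied by server configuration.*?',
    r'^<HOST> .* "GET .*abdullkarem.*" .*$',
]


def compile_failregex(patterns, badadmin=BADADMIN):
    """Interpolate %(badadmin)s and <HOST> the way fail2ban does, then compile."""
    compiled = []
    for p in patterns:
        p = p % {"badadmin": badadmin}
        compiled.append(re.compile(p.replace("<HOST>", HOST)))
    return compiled


def matching_hosts(log_lines, regexes):
    """Return (host, failregex index) for every log line that matches a pattern."""
    hits = []
    for line in log_lines:
        for i, rx in enumerate(regexes):
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), i))
                break
    return hits


# Constructed sample lines in Apache combined format; the query string is the
# one quoted at the top of the thread, the IPs and dates are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Oct/2015:00:01:02 -0500] "GET /wp-content/uploads/class.salt.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 18135 "-" "-"',
    '203.0.113.5 - - [09/Oct/2015:00:01:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Oct/2015:00:02:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, idx in matching_hosts(SAMPLE_LOG, compile_failregex(FAILREGEX)):
        print(f"{host} matched failregex #{idx + 1}")
```

Dropping wp-login.php from badadmin (as suggested for sites with other users logging in) removes the POST hit while the abdullkarem scan line still matches the fourth pattern.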

fastdns 10-13-2015 10:26 AM

Hi,

Thank you so much for taking the time to write these easy-to-understand steps.

In my /etc/fail2ban/jail.local, I added my apache logpath as:

Code:

logpath  = /usr/local/apache/logs/access_log
In my /etc/fail2ban/filter.d/myfilter.conf, I added my docroot as:

Code:

docroot  = /usr/local/apache/htdocs
I used the rest of the configs that you gave as is.

Then when I test fail2ban (while the fail2ban service is still off), I see this:

Code:

root@lsn5 [~]# fail2ban-regex /usr/local/apache/logs/access_log /etc/fail2ban/filter.d/myfilter.conf                                                                   

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/myfilter.conf
Use log file  : /usr/local/apache/logs/access_log

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
root@lsn5 [~]#

Did I miss something?
