Hit by a denial-of-service attack through xmlrpc.php

Yesterday I noticed the blog had started returning 502 and 504 errors. At first I assumed php5-fpm had some bug, since restarting php5-fpm fixed it. Later, restarting stopped helping, so I dug in and found the site was under attack.

CPU Usage

Once the attack started, CPU usage sat at 100%, taken up by a few php5-fpm processes.

2015/07/10 08:44:19 [error] 2858#0: *13803 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 185.62.189.239, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:19 [error] 2858#0: *13805 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 188.209.52.133, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:19 [error] 2858#0: *13807 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 188.209.52.133, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:19 [error] 2858#0: *13809 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 188.209.52.133, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:19 [error] 2858#0: *13811 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 185.62.189.239, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:20 [error] 2858#0: *13813 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 185.62.189.239, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:20 [error] 2858#0: *13815 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 188.209.52.133, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"
2015/07/10 08:44:20 [error] 2858#0: *13817 connect() to unix:/var/run/php5-fpm.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 188.209.52.133, server: jayxon.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "jayxon.com"

Analysing the logs showed a large number of repeated POST requests to xmlrpc.php from two IP addresses, 188.209.52.133 and 185.62.189.239, disguised as Google's crawler.

185.62.189.239 - - [10/Jul/2015:08:48:23 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
188.209.52.133 - - [10/Jul/2015:08:48:23 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
185.62.189.239 - - [10/Jul/2015:08:48:23 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
188.209.52.133 - - [10/Jul/2015:08:48:23 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
188.209.52.133 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
185.62.189.239 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
185.62.189.239 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
185.62.189.239 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
188.209.52.133 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
185.62.189.239 - - [10/Jul/2015:08:48:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
185.62.189.239 - - [10/Jul/2015:08:48:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
188.209.52.133 - - [10/Jul/2015:08:48:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"

Visiting the two IP addresses showed that the attackers were Aaron and Zach.

attacker ip

The captured payload is as follows:

POST /xmlrpc.php HTTP/1.0
Host: jayxon.com
Content-type: text/xml
Content-length: 263
User-agent: Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)
Connection: close

<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://panel.gamersolutions.net/</string></value></param><param><value><string>https://www.jayxon.com/thunder7-2-13/</string></value></param></params></methodCall>

It looks like a normal pingback, but in fact, on receiving the request, WordPress fetches http://panel.gamersolutions.net/. In other words, the attacker is using my server to attack http://panel.gamersolutions.net/ (the site was still reachable yesterday; it is down now).
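The two observations above, the POST flood in the access log and the pingback.ping body that makes WordPress fetch the first URL, can be turned into a small triage script. This is an added example, not code from the post; the log lines are constructed in the same combined-log format as the ones above (RFC 5737 addresses), and the pingback body is the one captured in the post.

```python
import re
from collections import Counter, defaultdict
from xml.etree import ElementTree as ET

# Constructed sample lines, same format as the post's access log (RFC 5737 addresses).
ACCESS_LOG = """\
198.51.100.9 - - [10/Jul/2015:08:48:23 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
198.51.100.9 - - [10/Jul/2015:08:48:23 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
203.0.113.7 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
198.51.100.9 - - [10/Jul/2015:08:48:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
192.0.2.44 - - [10/Jul/2015:08:48:25 +0000] "GET /thunder7-2-13/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# The pingback body captured in the post, used here as the sample request body.
PINGBACK_BODY = ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
                 '<params><param><value><string>http://panel.gamersolutions.net/</string></value></param>'
                 '<param><value><string>https://www.jayxon.com/thunder7-2-13/</string></value></param>'
                 '</params></methodCall>')

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def xmlrpc_posters(log_text, threshold=3):
    """Count POSTs to /xmlrpc.php per client IP; return {ip: (count, googlebot_ua)}
    for IPs at or above the threshold. Googlebot does not POST to xmlrpc.php, so a
    Googlebot User-Agent on such a request is a spoofing indicator."""
    counts, spoofed = Counter(), defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/xmlrpc.php":
            continue
        counts[m["ip"]] += 1
        spoofed[m["ip"]] |= "Googlebot" in m["ua"]
    return {ip: (n, spoofed[ip]) for ip, n in counts.items() if n >= threshold}

def parse_pingback(body):
    """Decode an XML-RPC methodCall. For pingback.ping return (source, target);
    source is the URL WordPress will fetch when handling the call, i.e. the third
    party a flood of such requests turns this server against. Otherwise None."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    values = [s.text for s in root.findall("./params/param/value/string")]
    return tuple(values) if len(values) == 2 else None

if __name__ == "__main__":
    print(xmlrpc_posters(ACCESS_LOG))   # {'198.51.100.9': (3, True)}
    print(parse_pingback(PINGBACK_BODY))
```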

The temporary fix is to rename xmlrpc.php; the file doesn't do much of any use anyway.
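Renaming the file still lets every request reach php5-fpm before it 404s. The same effect with less load can be had in the nginx server block; this is an added example, not the post's own configuration.

```nginx
# Added example: refuse xmlrpc.php at the edge so the POST flood never reaches
# php5-fpm. 444 makes nginx close the connection without sending a response.
# Pingbacks and any XML-RPC client (e.g. the mobile app) stop working.
location = /xmlrpc.php {
    access_log off;
    return 444;
}
```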

CPU usage has come back down and the blog is back to normal. The attack was still ongoing when this was written; it has since stopped.

15 replies

  1. sorz says:

    Only two IPs; just drop them all in the firewall.
    Doesn't WordPress put any kind of limit on this..

  2. wilbeibi says:

    Pretty brazen, daring to mess with you.

  3. 泡泡 says:

    Tell him to wait there, I'll go beat him up!

  4. 花非花 says:

    Back again for another look; still no Thunder (迅雷) update available for download.

  5. 六度分离 says:

    J大 has been putting out rather little lately.

  6. hua says:

    I want to download your Ashampoo Photo Commander 11 but can't find it anywhere, only 12. Where can I get 11?

  7. 1 says:

    What is he after?

  8. 氢氮 says:

    You're amazing, please take me on as your apprentice! (From a guy who works on ICs.)

  9. 爆实惠 says:

    So brazen; there really are a lot of bored people out there.

  10. Vans爱好者 says:

    They're trying to brute-force the admin password. This xmlrpc file is a bit buggy: it's indispensable if you want to publish posts through xmlrpc, but it also becomes a target for attacks.

  11. 烟灰 says:

    I created a dedicated sb.conf, put in all the IPs that brute-force /?author=1, and then added an entry in nginx.conf to load it. After two or three months of adding to it, things are much quieter now; it only happens once every four or five days.

  12. 孤独的小 says:

    My site ran into the same thing a couple of days ago,
    http://www.zzjiude.com
