httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kurtis Rader <kra...@skepticism.us>
Subject Re: [users@httpd] Possible DOS Attack
Date Fri, 20 May 2016 23:09:58 GMT
On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand <rgelfand2@gmail.com> wrote:

> In the last 2 days we have received roughly 1milion of the following
> requests.  Just to confirm, is this a DOS attack?
>
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php HTTP/1.0"
> 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
>

Probably just broken malware trying to guess WordPress account credentials.
It's probably been handed just your host name or IP address and, not having
any other victims to target, keeps repeatedly hitting your site. I
occasionally see this type of behavior. I have my firewall configured to
blackhole the source when there are an unreasonable number of POST requests
in a short interval.


> Also, what does this mean?
>
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
>

It's checking whether your web server allows the OPTIONS command which
might allow other forms of attacks to succeed. I strongly recommend
disallowing that HTTP command. Easiest way is via mod_allowmethods:
https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank

Mime
View raw message