Scans for existing exploits causing high load and not detected.

Recently, more and more we are seeing the following types of scans for existing exploits on our servers:

```
64.207.185.144 - - [22/Oct/2015:21:15:26 -0400] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:26 -0400] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:27 -0400] "GET /wp-content/_input__.php.jd?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:28 -0400] "GET /wp-content/uploads/sites/_input__.php.jd?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /wp-content/uploads/_input_3_.php.?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /_input__.php.jd?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /wp-content/themes/twentyten/css_.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /wp-content/uploads/_input_3_.php5?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /wp-content/uploads/_input_3_.phtml?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /wp-content/uploads/_input_3_.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:33 -0400] "GET /wp-admin/wp-editors.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:32 -0400] "GET /wp-content/uploads/2015/06/css_.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:34 -0400] "GET /wp-content/plugins/hi.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:34 -0400] "GET /wp-content/plugins/gravityforms/css/formsmain.css HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:36 -0400] "GET /index.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 301 - "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:35 -0400] "GET /wp-content/uploads/ HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:37 -0400] "GET /wp-content/uploads/_input__test.php5?php4&root&upl&wphp4&abdullkarem& HTTP/1.0" 301 - "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:33 -0400] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/css_.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 15322 "-" "-"
64.207.185.144 - - [22/Oct/2015:21:15:37 -0400] "GET /index.php?php4&root&upl&wphp4&abdullkarem& HTTP/1.0" 301 - "-" "-"
```

Each time we block an IP, they just come right back with another or change to another domain to scan and from another IP address.

They hit the servers hard with hundreds of requests a second from multiple IPs at times, which causes a high load.

They all seem to scan for the same exploit with the string:

```
1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1
```

It’s bad enough having to deal with wp-login.php and xmlrpc.php attacks, and this is just the icing on the cake. :frowning:

It would really be nice to see a rule to help block this. :slight_smile:

Hi

Yes, it is possible to create a rule to block this type of attack, but I’d recommend stopping it BEFORE it hits Apache.
This is possible with ConfigServer Security & Firewall (csf, from ConfigServer Services), which blocks at the iptables level.

Regards, Oleg

Yes, but by using CSF to block excessive 404s, you run the risk of blocking legitimate search bots that could easily hit a large number of 404s in a short period, especially on a shared hosting server (which these are).
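As an added example (not code from the thread or from any of the tools named in it), here is a small Python detector that works over Apache combined-format log lines like the ones in the opening post. It keys on the fixed marker string rather than on 404 counts, so a crawler that racks up 404s, the concern raised just above, is not flagged; the sample log lines are constructed from paths posted in the thread, with a documentation-range address (192.0.2.10) standing in for the crawler, and the 3-hits-in-10-seconds threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Marker string quoted in the opening post. Keying on it, rather than on raw
# 404 counts, keeps a search bot that merely hits many 404s off the block list.
SIGNATURE = "php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1"
# Apache combined log format, as in the lines pasted in the thread.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def scanner_ips(lines, min_hits=3, window_seconds=10):
    """IPs that sent at least min_hits signature requests inside any window_seconds span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and SIGNATURE in rec["path"]:
            hits[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        # sliding window: the i-th hit and the (i+min_hits-1)-th must be close together
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged

# Constructed sample: three scanner paths from the thread, plus a crawler
# (192.0.2.10, a documentation address) that collects 404s without the signature.
SAMPLE_LOG = [
    f'64.207.185.144 - - [22/Oct/2015:21:15:26 -0400] "GET /wp-restore.php?450699=1&{SIGNATURE} HTTP/1.0" 404 15322 "-" "-"',
    f'64.207.185.144 - - [22/Oct/2015:21:15:27 -0400] "GET /wp-content/_input__.php.jd?450699=1&{SIGNATURE} HTTP/1.0" 404 15322 "-" "-"',
    f'64.207.185.144 - - [22/Oct/2015:21:15:34 -0400] "GET /wp-content/plugins/hi.php?450699=1&{SIGNATURE} HTTP/1.0" 404 15322 "-" "-"',
    '192.0.2.10 - - [22/Oct/2015:21:15:28 -0400] "GET /old-page-1.html HTTP/1.1" 404 15322 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [22/Oct/2015:21:15:29 -0400] "GET /old-page-2.html HTTP/1.1" 404 15322 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [22/Oct/2015:21:15:30 -0400] "GET /old-page-3.html HTTP/1.1" 404 15322 "-" "ExampleBot/1.0"',
]
if __name__ == "__main__":
    print(sorted(scanner_ips(SAMPLE_LOG)))  # ['64.207.185.144']
```

Feed it a real access log with `scanner_ips(open("access_log"))` to get the set of addresses worth handing to whatever blocking layer you settle on.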

Install nginx as a proxy in front of Apache.

https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Thanks, but installing and configuring additional software on multiple production servers was really not the answer I was looking for. :wink: