
Unusual traffic with POST status (20 posts)

  1. wtreyes
    Member
    Posted 11 months ago #

    I've been getting this type of traffic on my site. Here's a sample from my access log. I don't have any idea to stop it. Please help.

    95.56.74.200 - - [30/Aug/2013:12:43:54 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    117.241.48.101 - - [30/Aug/2013:12:43:55 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    171.97.171.127 - - [30/Aug/2013:12:43:55 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    189.137.176.109 - - [30/Aug/2013:12:43:56 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    183.82.1.13 - - [30/Aug/2013:12:43:56 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.160.91.252 - - [30/Aug/2013:12:43:56 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    203.74.0.211 - - [30/Aug/2013:12:43:57 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.143.167.11 - - [30/Aug/2013:12:43:57 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    122.161.102.170 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.143.32.198 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    187.150.57.67 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    119.154.240.182 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    113.28.224.10 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    110.168.197.229 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.22.27.239 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    94.156.247.94 - - [30/Aug/2013:12:44:00 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    85.65.141.248 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    112.119.237.197 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    119.93.23.96 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    106.51.151.134 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.79.12.178 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    77.36.236.130 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    122.166.1.27 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    93.86.161.12 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    103.12.132.66 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.143.32.198 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    86.134.74.100 - - [30/Aug/2013:12:44:03 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    2.180.11.163 - - [30/Aug/2013:12:44:04 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    24.182.149.150 - - [30/Aug/2013:12:44:04 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    151.245.13.167 - - [30/Aug/2013:12:44:04 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.39.194.47 - - [30/Aug/2013:12:44:05 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    181.166.98.251 - - [30/Aug/2013:12:44:05 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    69.125.251.89 - - [30/Aug/2013:12:44:06 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    46.40.121.209 - - [30/Aug/2013:12:44:06 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    61.7.190.76 - - [30/Aug/2013:12:44:06 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.160.91.252 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    108.81.171.199 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    61.15.174.108 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    115.240.215.74 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    101.109.2.129 - - [30/Aug/2013:12:44:08 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
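The pattern in the excerpt above (POST to `/`, no referer, one fixed IE6 user-agent string, a different source address almost every line) is easy to pick out mechanically. The following is an added example, not code from the thread: it parses Apache combined-format lines, flags the ones that match that signature, and reports how many sources are involved and how many hits each one made. The first six sample lines are copied from the excerpt; the seventh (address 198.51.100.7, host example.com) is a constructed benign page view included to show it is not flagged.

```python
import re
from collections import Counter
from datetime import datetime

# Six lines taken from the access-log excerpt in this thread plus one
# constructed benign request (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
95.56.74.200 - - [30/Aug/2013:12:43:54 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.241.48.101 - - [30/Aug/2013:12:43:55 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
171.97.171.127 - - [30/Aug/2013:12:43:55 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
114.143.32.198 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
114.143.32.198 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
122.166.1.27 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [30/Aug/2013:12:44:03 +0800] "GET /about/ HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The user-agent string every suspicious line in the excerpt carries.
PUSHDO_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_suspicious(rec):
    """Signature from the thread: POST to the front page, no referer, fixed IE6 UA."""
    return (rec["method"] == "POST" and rec["path"] == "/"
            and rec["referer"] == "-" and rec["ua"] == PUSHDO_UA)


def summarize(log_text):
    """Count matching requests, distinct sources, the busiest source and the hit rate."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = [r for r in recs if is_suspicious(r)]
    per_ip = Counter(r["ip"] for r in hits)
    rate = 0.0
    if hits:
        span = (max(r["ts"] for r in hits) - min(r["ts"] for r in hits)).total_seconds()
        rate = len(hits) / max(span, 1.0)
    return {
        "total": len(recs),
        "suspicious": len(hits),
        "unique_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "rate_per_sec": rate,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The ratio of `unique_ips` to `max_per_ip` is the number to watch: when almost every hit comes from a different address, per-source banning (a fail2ban jail, for instance) has to store one entry per bot and never catches up, whereas a rule keyed on the request signature itself costs the same no matter how many sources there are.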
  2. wtreyes
    Member
    Posted 11 months ago #

    Yeah. I think I did everything I could. Captcha, Honeypot, Antimalware, Antivirus, etc. But nothing seems to stop it. Traffic is still coming in.

  3. catacaustic
    Member
    Posted 11 months ago #

    The only thing that can stop inbound traffic like this is a firewall outside of WordPress. The best thing would be a dedicated hardware firewall in front of your web server. Anyone can make any connection request to anywhere. That's just part of the internet. It's what you do with the connections that you receive that makes the difference.

  4. C4talyst
    Member
    Posted 11 months ago #

    I'm seeing this same behavior with one of my sites. Traffic went from approx. 700 visitors a day to over 100,000 about a week ago. An endless stream of POST requests to /. All of the traffic appears to be coming from overseas. I will try to capture some payload data today; wondering if others have seen this recently as well?

  5. catacaustic
    Member
    Posted 11 months ago #

    That's hackers trying to break into/brute force your site. It happens. All the time. Just watch your site and check it for malware just in case something does happen. There are security plugins that can help with blocking these, and a few that can help block the brute-force attacks.

    If you want to stop these before they get to your site you need to read my post above and get your hosts to organise a firewall for your account. That's the only thing that can stop these requests before they get to your site.

  6. C4talyst
    Member
    Posted 11 months ago #

    cata, how are they trying to break in by hitting the homepage? These requests aren't against wp-admin/ or wp-login.php. They all appear to be blank POST requests to the homepage.

    I think it looks similar to this:

    http://www.darkreading.com/attacks-breaches/pushdo-botnet-morphs-to-elude-hunters/240155049

  7. catacaustic
    Member
    Posted 11 months ago #

    There's a whole lot of vulnerabilities out there that aren't in the login or admin area. It's mostly themes or plugins that are not updated that are the target. The public-facing side of WordPress all runs through the index.php page and that loads all of the theme and plugins by default, so by targeting that you can get access to the vulnerabilities in the theme or plugins.

    That article really is way too much overkill for your problem. It is possible that that's what they are using, but almost all of these sort of attempts are nowhere near that sophisticated - because they don't need to be. Webmasters that don't do updates on their sites leave them open for really easy hacks, and the sort of scanning that they are doing by posting that many requests is all automated and done by some pretty easy-to-find tools.

  8. C4talyst
    Member
    Posted 11 months ago #

    We're running an updated StudioPress theme, updated Genesis framework, updated WP 3.6 and only a few plugins. The POST payload is empty... this is just weird.

  9. catacaustic
    Member
    Posted 11 months ago #

    There's also the possibility that someone somewhere is trying to do a DDoS request on your site, or at least the server that it's on.

    There's a million things that people out there could be trying to do to your site. You don't have any control over what outside people/systems do or what they request. There is nothing that you can do to stop people doing what they are doing. The only thing that you can do is deal with it when it gets to your site. As I've said before you need either a firewall before the requests get to the site or some security in the site. There is nothing else and no other answers to it.

  10. wtreyes
    Member
    Posted 11 months ago #

    Thanks cata for the suggestion. I think you're right, the only way to stop this traffic is through a separate hardware firewall. A software-based firewall which I installed didn't help actually. All it did was slow the whole server. Anyway thanks once again.

  11. C4talyst
    Member
    Posted 11 months ago #

    A hardware firewall will work well against only a small botnet.

    For my case, I think I'm going to change the site's IP tonight and have my network provider blackhole their prior IP.

    wtreyes, do you have root on the machine your site is hosted on?

  12. blograzzi
    Member
    Posted 10 months ago #

    Did you look at Google Analytics or the SlimStat WordPress plugin to analyse this traffic? If you see where the traffic is coming from, maybe you can have a solution.

  13. C4talyst
    Member
    Posted 10 months ago #

    blograzzi, in my case, we've seen over a million unique IPs in the last two weeks. Over 40,000 yesterday alone; it's a botnet.

    My server load seems to be doing fine with the following iptables rule, which is blocking all of them:

    iptables -I INPUT 1 -p tcp --dport 80 -m string --string "MSIE 6.0; Windows NT 5.1; SV1" --algo bm -j DROP

  14. wtreyes
    Member
    Posted 10 months ago #

    Hi C4ta, actually I do have root access to the server. I also tried the iptables rule you posted here but it blocked access to all sites that are hosted under the same server. So I removed it.

    Here's what I did:

    iptables -I INPUT 1 -p tcp --dport 80 -m string --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" --algo bm -j DROP

  15. wtreyes
    Member
    Posted 10 months ago #

    I don't know if this will do the trick

    iptables -I INPUT -d my_server_ip -p tcp --dport 80 -m string --string 'POST / HTTP/1.1' --algo bm -j DROP

    But I'm also afraid that it will block all post traffic to my other sites.
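The three iptables rules in posts 13 to 15 all use `-m string`, which inspects the raw bytes of each TCP packet and knows nothing about which virtual host a request is for. That is why the fragment in post 13 took down every site on the server and why a bare `POST / HTTP/1.1` match would do the same. The following is an added example, not code from the thread: it replays each rule's substring test, plus a combined test that also requires the target site's `Host` header, against a handful of constructed raw requests. The host names `target.example` and `other.example` and the four request bodies are constructed for the demonstration.

```python
# Constructed raw HTTP requests, written out as the kernel string match would
# see them in the TCP payload. Only the first one is the bot traffic described
# in the thread; the other three are ordinary visitors to a second site on the
# same server.
REQUESTS = {
    "bot_to_target": (
        "POST / HTTP/1.1\r\nHost: target.example\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    # A real IE6 visitor reading a page on another site.
    "ie6_visitor_other": (
        "GET /news/ HTTP/1.1\r\nHost: other.example\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"
    ),
    # A blog comment being submitted on another site.
    "comment_other": (
        "POST /wp-comments-post.php HTTP/1.1\r\nHost: other.example\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux) Firefox/23.0\r\n"
        "Content-Length: 42\r\n\r\nauthor=x&email=x%40example.com&comment=hi"
    ),
    # A search form on another site that posts to its own front page.
    "search_post_other": (
        "POST / HTTP/1.1\r\nHost: other.example\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/29.0\r\n"
        "Content-Length: 7\r\n\r\ns=hello"
    ),
}


def substring_rule(*needles):
    """Model of one iptables rule: drop when every needle appears in the payload."""
    return lambda payload: all(n in payload for n in needles)


# The three rules from the thread, and a narrower combined one.
RULES = {
    "post13_ua_fragment": substring_rule("MSIE 6.0; Windows NT 5.1; SV1"),
    "post14_full_ua": substring_rule(
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    "post15_post_root": substring_rule("POST / HTTP/1.1"),
    "combined": substring_rule(
        "POST / HTTP/1.1", "Host: target.example", "MSIE 6.0; Windows NT 5.1; SV1"),
}


def dropped_by(rule_name):
    """Names of the sample requests a given rule would drop, sorted."""
    rule = RULES[rule_name]
    return sorted(name for name, payload in REQUESTS.items() if rule(payload))


def collateral(rule_name):
    """Legitimate requests a rule drops (everything it hits except the bot)."""
    return [name for name in dropped_by(rule_name) if name != "bot_to_target"]


if __name__ == "__main__":
    for name in RULES:
        print(f"{name:20s} drops {dropped_by(name)}  collateral {collateral(name)}")
```

The combined predicate maps back to iptables by listing more than one `-m string --string ... --algo bm` match in the same rule, which only drops packets containing all of them. Two caveats carry over from the model: the match is per packet, so headers split across packet boundaries are not seen together, and the `Host` test only helps when one site is the target; if the bots hit every host on the server, as post 19 suggests the domain-generation algorithm can, the per-host narrowing buys nothing and the response-side measures in the thread (redirecting at the web server, moving the IP) are what remain.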

  16. aommundsen
    Member
    Posted 10 months ago #

    @wtreyes: Did you resolve this, or did you have to let the attack continue? We are having the exact same attack as you. Empty POST requests on the front page, and the exact same user agent. All IPs are different. If you solved this, please share. Thanks!

  17. wtreyes
    Member
    Posted 10 months ago #

    Hi aommundsen, I'm sorry to say that we didn't completely solve the issue. What we did was change their domain name (since their account was the one targeted) as a band-aid solution. We also suggested Cloudflare.

  18. C4talyst
    Member
    Posted 10 months ago #

    For us, the firewall rule mitigated the issue. A more permanent fix was accomplished by changing the site's IP address and then blackholing the original IP.

  19. Scott_G
    Member
    Posted 9 months ago #

    I don't use WordPress but someone pointed me to this thread so I thought I would share what I have found out about this problem.

    It seems to be caused by a recent variant of the Pushdo virus. It does not mean that your systems are infected, but that they are being contacted by infected machines.

    The later variants of the Pushdo virus (and probably a few others now) are masking their true command and control systems by also contacting 300 other non-infected sites (see here). The description given in the article does not fit exactly, as they describe a GET request whereas I am receiving POSTs, but I have seen other reports of variants using POST.

    The virus uses an algorithm to come up with 300 domain names, and it appears that yours (as well as mine) is one of the unfortunate ones. I am also receiving SMTP traffic from the same IPs, which fits in with the Pushdo 'modus operandi' as it also tries to send spam at the same time. So if you run your own email server you may want to check those logs too.

    I don't actually think there are that many infected systems contacting my domain (despite the fact I have logged over 100K different IPs) but rather the IPs are spoofed (I have yet to find a definitive answer on this). Inspecting the incoming packet TTLs with tcpdump *seems* to indicate 4 different sources but this is a VERY unreliable method. Also the steady stream of traffic would point to a low number of sources as there are no peaks and troughs as there would be if all these IPs were real? If all the thousands of IPs I have logged were real I am sure they would have swamped the server a long time ago!

    I am not able to offer a solution, sorry. I started banning the IPs with Fail2Ban but after 100K IPs banned I gave up on that idea as the overhead was getting too high! I am now using .htaccess to redirect the HTTP POST traffic from that user-agent to a non-existent domain. Unfortunately using iptables to block it causes my Apache to generate lots of child processes that refuse to die, causing instability, so I cannot use that method. The SMTP requests simply return a bad request message which uses almost no resources so I have left that to it.

    Sorry again for not having a solution but hopefully this additional info may help someone.

  20. wtreyes
    Member
    Posted 9 months ago #

    Thanks for the info @Scott_G.

    Here's more info about the Pushdo virus and how you can mitigate it.
    http://www.distilnetworks.com/is-pushdo-screwing-you-details-of-the-botnet/
