An attack or a bug in WordPress?

  • Jehan

    (@jehan)


    15 years, 9 months ago

    Hello,

    my server got completely overloaded this morning. With a top, I could see PHP was taking all my memory and swapping, so I restarted Apache.
    When reading the logs afterwhile, I saw a single IP was responsible of 248 queries in 10 minutes!

    As the log with this IP began as

    [Mon Jul 21 10:56:53 2008] [error] [client X.X.X.X] Premature end of script headers: xmlrpc.php

    I thought the issue was related to the fact I did not upgrade to 2.5.1, but am still in 2.5.0 (note that on my blog, there is no external user and account creation is disabled. I checked: there is still only my account). Yes, I know, I am a bad administrator.

    The queries are of either SELECT:

    [Mon Jul 21 11:01:09 2008] [error] [client X.X.X.X] WordPress database error MySQL server has gone away for query SELECT option_value FROM wp_options WHERE option_name = ‘siteurl’ LIMIT 1 made by get_option, referer: http://my.web.address/blog/category/en/

    with option_name being either ‘siteurl’, ‘home’, ‘hack_file’, ‘active_plugins’, ‘blog_charset’, ‘permalink_structure’, etc.

    or

    [Mon Jul 21 11:05:06 2008] [error] [client X.X.X.X] WordPress database error MySQL server has gone away for query SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_type = ‘post’ AND (wp_posts.post_status = ‘publish’) ORDER BY wp_posts.post_date DESC LIMIT 0, 1 made by get_posts, referer: http://my.web.address/blog/category/en/

    and
    INSERT:

    [Mon Jul 21 11:04:55 2008] [error] [client X.X.X.X] WordPress database error MySQL server has gone away for query INSERT INTO wp_options (option_name, option_value, autoload) VALUES (‘update_core’, ‘O:8:\\”stdClass\\”:5:{s:12:\\”last_checked\\”;i:1216631077;s:15:\\”version_checked\\”;s:3:\\”2.5\\”;s:8:\\”response\\”;s:7:\\”upgrade\\”;s:3:\\”url\\”;s:30:\\”http://wordpress.org/download/\\”;s:7:\\”current\\”;s:3:\\”2.6\\”;}’, ‘yes’) made by add_option, referer: http://my.web.address/blog/category/en/

    The only difference between the INSERT queries being that this part of the value: “i:1216631077” is increasing-> i:1216631078 (not always incremented by 1 though).

    As I saw my database was down here, the question is:
    – is it clearly an attack, then maybe my database could not handle the many queries and got down (I don’t see errors in the mysql logs!)?
    – Or could it be possible that some unknown issue crashed the database and just at this moment someone was simply browsing my website and then as queries (related to browsing) on the db were running, php went crazy and swapped.

    This would seem strange as there was more than 200 queries in 10 minutes, and some of them are INSERT queries (I don’t think a simple browsing would generate insert queries, would it?). But I want to be sure before reporting this X.X.X.X IP (the IP apparently belongs to some company, not really looking suspicious as far as I could see on their website; I would be unhappy to make problems to some employee there if it is in fact some kind of problem of WordPress when the db goes down).

    Thanks.

    Jehan

  • The topic ‘An attack or a bug in WordPress?’ is closed to new replies.