Title: PHP frenzy — an attack? Last modified: August 18, 2016 --- # PHP frenzy — an attack? * [johnaugust](https://wordpress.org/support/users/johnaugust/) * (@johnaugust) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/) * My webhosting provider has pulled me off the normal (shared) server because PHP activity for my site was running up to 99%. They said it was a sudden spike that jeopardized other users, but I hadn’t changed anything code-wise for weeks, which leads me to believe that some external force (a worm or somesuch) was doing evil. You can see my site here: [http://johnaugust.com](http://johnaugust.com) I’ve been running 1.3 alpha 2 successfully for months. I could downgrade to 1.2.2, but I rely on the semi-static pages in 1.3 for the sectioning in my site. Unfortunately, I’m out of the country, so it’s nearly impossible to figure out what’s actually happening. I’ve turned off comments, on the theory that someone may be trying to break through my anti-comment-spam system, but I really need some helpful suggestions for what else I can do. Viewing 12 replies - 1 through 12 (of 12 total) * [NuclearMoose](https://wordpress.org/support/users/nuclearmoose/) * (@nuclearmoose) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121356) * Search for dotCanada.com on this forum and you’ll see I had my site shut down because of some unknown problem where my site allegedly brought down dual Xenon CPUs and enough RAM to choke a herd of moose. They were never able to tell me what the problem was. I wish you better results than I had in dealing with your host. * Moderator [Matt Mullenweg](https://wordpress.org/support/users/matt/) * (@matt) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121357) * Without more details it’s hard to say what’s causing the problem. Anything strange in your logs? * Moderator [James Huff](https://wordpress.org/support/users/macmanx/) * (@macmanx) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121366) * Sorry, Tparlin, that’s old news for this board. * [tparlin](https://wordpress.org/support/users/tparlin/) * (@tparlin) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121367) * Figures… 🙂 * Moderator [James Huff](https://wordpress.org/support/users/macmanx/) * (@macmanx) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121368) * BTW, this is the article on the situation that NM is referring to: [http://wordpress.org/docs/hosts/to-avoid/dot-canada](http://wordpress.org/docs/hosts/to-avoid/dot-canada) * Thread Starter [johnaugust](https://wordpress.org/support/users/johnaugust/) * (@johnaugust) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121378) * Thanks for your feedback so far. My situation does seem similar to that of NuclearMoose, in that the folks at Lunarpages (the webhosting company) can’t seem to tell me much other than that I’m suddenly using up way too much of the CPU. They’ve been varying degrees of helpful. I understand that at $7.95 a month, they can’t afford to spend hours playing cyber CSI. Ironically, it was Lunarpages that brought me to WordPress; my site was originally Movable Type, but they banned MT for being a resource hog. Checking the logs was my first instinct, but that’s been a challenge because they moved me to a non-production server, so the logs for the past few days show blank. I’ve asked them to give me access. The christmas holiday has made everything slower. I’ll post what I get when I get it. One of the last entries in the server log before they moved my site was the Googlebot, which led me to think our happy spider had gotten lost and panicked. Based on suggestions in the forums, I added `noindex,follow` to index pages (as you can see in the source). Lunarpages reported that the CPU load had dropped, so I assumed everything was fine. But then the numbers spiked again. My install of WP is pretty standard (for an alpha-2). The only real coding I’ve done is for the comment spam protection, which should only kick in when someone tries to post a comment.( And thus, should not running some sort of infinite loop.) But if anyone smarter than me (not hard) wants to take a look at the coding behind it, you can see it at: [http://internetalchemy.org/2004/09/zero-comment-spam](http://internetalchemy.org/2004/09/zero-comment-spam) I haven’t had a single piece of comment spam since I implemented it weeks ago. But if it’s causing the problem — or inspiring some hacker to try to break it— I’d sure like to know. Thoughts? Suggestions? * [DianeV](https://wordpress.org/support/users/dianev/) * (@dianev) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121397) * The recent Santy Virus attack on phpBB forums took down at least one forum that I participate in. [http://www.searchenginejournal.com/index.php?p=1178](http://www.searchenginejournal.com/index.php?p=1178) I have a virtual private server at Verio, who emailed three days ago to suggest that we *immediately* upgrade PHP to version 4.3.10, which I did without mishap to either of the WP blogs we host. As to Lunarpages, I’ve tried to use them twice for clients. The last time, we paid for the hosting account, purchased a domain elsewhere and pointed it to the IP address provided by Lunarpages; within a day or so, the domain was going to someone else’s site. After some back and forth discussion with Lunarpages, they supposedly fixed it … and I then found the domain going to the Lunarpages home page. (Sigh.) I am done with recommending cheap web hosting. I know cheap is supposed to be a good thing, but I have been putting clients at Verio (about $20 a month) without problems and *with* excellent tech support that essentially means Verio does the support instead of me. I consider* that* a good thing. As a contrast to Lunarpages, the forum taken down by the recent PHP/phpBB exploit is also hosted on Verio; the forum owners were worked with to circumvent the problems rather than kicked off. What the santy worm has to do with WP, or if it has anything to do with these recent events, I don’t know; I’m just noting the coincidence. * [dreamerfi](https://wordpress.org/support/users/dreamerfi/) * (@dreamerfi) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121409) * [here](http://wordpress.org/support/7/19285) is adescription of another attack, including solution. It may help you as well. * Thread Starter [johnaugust](https://wordpress.org/support/users/johnaugust/) * (@johnaugust) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121422) * Thanks for all your suggestions. I’ve backed up all my WP files, along with the database and related images, just in case. I’m leery to install a nightly while away on vacation, since half an hour at an internet cafe doesn’t bode well for smooth installation. I’ll certainly keep recommendations about hosting providers under consideration. Once I get a chance to look at the real logs, I’ll hopefully have a better sense of what’s actually been happening, and whether another provider could/would/should have done a better job working through it. I know that Lunarpages has upgraded to the latest PHP/Zend (after the problems began, so that’s not the cause). * [patito](https://wordpress.org/support/users/patito/) * (@patito) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121430) * I have the same problem. My host stop my blog a little time, we wait, and hope, maybe the attacks will end. For this time i will write the same blog, the same database in a new location. I hate this. * Moderator [James Huff](https://wordpress.org/support/users/macmanx/) * (@macmanx) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121484) * Just my 2 cents, but try installing mod_security. It blocks some older PHP attacks and it may help against this one. [http://www.modsecurity.org/](http://www.modsecurity.org/) * [Glo](https://wordpress.org/support/users/glo/) * (@glo) * [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121485) * There is current info on the PHP attacks here – [http://isc.sans.org/](http://isc.sans.org/) Viewing 12 replies - 1 through 12 (of 12 total) The topic ‘PHP frenzy — an attack?’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 12 replies * 9 participants * Last reply from: [Glo](https://wordpress.org/support/users/glo/) * Last activity: [21 years, 4 months ago](https://wordpress.org/support/topic/php-frenzy-an-attack/#post-121485) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics