Support » Everything else WordPress » Unusual traffic with POST status

  • I’ve been getting this type of traffic on my site. Here’s a sample from my access log. I don’t have any idea to stop it. Please help.

    95.56.74.200 - - [30/Aug/2013:12:43:54 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    117.241.48.101 - - [30/Aug/2013:12:43:55 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    171.97.171.127 - - [30/Aug/2013:12:43:55 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    189.137.176.109 - - [30/Aug/2013:12:43:56 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    183.82.1.13 - - [30/Aug/2013:12:43:56 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.160.91.252 - - [30/Aug/2013:12:43:56 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    203.74.0.211 - - [30/Aug/2013:12:43:57 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.143.167.11 - - [30/Aug/2013:12:43:57 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    122.161.102.170 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.143.32.198 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    187.150.57.67 - - [30/Aug/2013:12:43:58 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    119.154.240.182 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    113.28.224.10 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    110.168.197.229 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.22.27.239 - - [30/Aug/2013:12:43:59 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    94.156.247.94 - - [30/Aug/2013:12:44:00 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    85.65.141.248 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    112.119.237.197 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    119.93.23.96 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    106.51.151.134 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.79.12.178 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    77.36.236.130 - - [30/Aug/2013:12:44:01 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    122.166.1.27 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    93.86.161.12 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    103.12.132.66 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    114.143.32.198 - - [30/Aug/2013:12:44:02 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    86.134.74.100 - - [30/Aug/2013:12:44:03 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    2.180.11.163 - - [30/Aug/2013:12:44:04 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    24.182.149.150 - - [30/Aug/2013:12:44:04 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    151.245.13.167 - - [30/Aug/2013:12:44:04 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.39.194.47 - - [30/Aug/2013:12:44:05 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    181.166.98.251 - - [30/Aug/2013:12:44:05 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    69.125.251.89 - - [30/Aug/2013:12:44:06 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    46.40.121.209 - - [30/Aug/2013:12:44:06 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    61.7.190.76 - - [30/Aug/2013:12:44:06 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.160.91.252 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    108.81.171.199 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    61.15.174.108 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    115.240.215.74 - - [30/Aug/2013:12:44:07 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    101.109.2.129 - - [30/Aug/2013:12:44:08 +0800] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Viewing 15 replies - 1 through 15 (of 19 total)
  • Yeah. I think I did everything I could. Captcha, Honeypot, Antimalware, Antivirus, etc. But nothing seems to stop it. Traffic is still coming in.

    The only thing that can stop inbound traffic like this is a firewall outside of WordPress. The best thing would be a dedicated hardware firewall in front of your web server. Anyone can make any connection request to anywhere. That’s just part of the internet. It’s what you do with the connections that you receive that makes the difference.

    I’m seeing this same behavior with one of my sites. Traffic went from approx. 700 visitors a day to over 100,000 about a week ago. And endless stream of post requests to /. All of the traffic appears to be coming from overseas. I will try to capture some payload data today; wondering if others have seen this recently as well?

    That’s hackers trying to break into/brute force your site. It happens. All the time. Just watch your site and check it ofr malware just in case something does happen. There’s security plugins that can help with blocking these, and a few that can help block the brute-force attacks.

    If you want to stop these before htey get to your site you need ot read my post above and get your hosts to organise a firewall for your account. That’s the only thing that can stop these requests before they get to your site.

    cata, how are they trying to break in by hitting the homepage? These requests aren’t against wp-admin/ or wp-login.php. They all appear to be blank POST requests to the homepage.

    I think it looks similar to this:

    http://www.darkreading.com/attacks-breaches/pushdo-botnet-morphs-to-elude-hunters/240155049

    There’s a whole lot of vunerabilities out there that aren’t in the login or admin area. It’s mostly themes or plugins that are not updated that are the target. The public-faciing side of WordPress all runs through the index.php page and that loads all of the theme and plugins by default, so by targeting that you can get access to the vunerbilities in the theme or plugins.

    That article really is way to much overkill ofr your problem. It is possible that that’s what they are uisng, but almost all of these sort o fattempts are nowhere near that sopisticated – because they don’t need to be. Webmasters that don’t do updates on their sites leave them open for really easy hacks, and the sort of scanning that they are doing by posting that many requests is all automated and done by some pretty easy-to-find tools.

    We’re running an update StudioPress theme, update Genesis framework, updated WP 3.6 and only a few plugins. The POST payload is empty…this is just weird.

    There’s also the possiblity that someone somewhere is trying to do a DDOS request on your site, or at least the server that it’s on.

    There’s a million things that people out there could be trying to do to your site. You don’t have any control over what outisde people/systems do or what they request. There is nothing that you can do to stop people doing what they are doing. The only thing that you can do is deal with it when it gets to your site. As I’ve said before you need either a firewall before the requests get to the site or some security in the site. There is nothing else and no other answers to it.

    Thanks cata for the suggestion. I think you’re right, the only way to stop these traffic is through a separate hardware firewall. A software based firewall which I installed didn’t help actually. What it does was just slow the whole server. Anyway thanks once again.

    A hardware firewall will work well against only a small botnet.

    For my case, I think I’m going to change the site’s ip tonight and have my network provider blackhole their prior ip.

    wtreyes, do you have root on the machine your site is hosted on?

    Did you look google analytics or slimstat wordpress plugin for analysis this traffic. If you see where traffic coming from, may be you can have a solution.

    blograzzi, in my case, we’ve seen over a million unique ip’s in the last two weeks. Over 40,000 yesterday alone; it’s a botnet.

    My server load seems to be doing fine with the following iptables rule, which is blocking all of them:

    iptables -I INPUT 1 -p tcp –dport 80 -m string –string “MSIE 6.0; Windows NT 5.1; SV1” –algo bm -j DROP

    Hi C4ta, actually I do have root access to the server. I also tried the iptable you posted here but it blocked access to all sites that are hosted under the same server. So I removed it.

    Here’s what I did

    iptables -I INPUT 1 -p tcp --dport 80 -m string --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" --algo bm -j DROP

    I don’t know if this will do the trick

    iptables -I INPUT -d my_server_ip -p tcp --dport 80 -m string --string 'POST / HTTP/1.1' --algo bm -j DROP

    But I’m also afraid that it will block all post traffic to my other sites.

    @wtreyes: Did you resolve this, or did you have to let the attack continue? We are having the exact same attack as you. Empty post requests on the front page, and exact same user agent. All ips is different. If you solved this, please share. Thanks!

Viewing 15 replies - 1 through 15 (of 19 total)
  • The topic ‘Unusual traffic with POST status’ is closed to new replies.