Greetings.
I would like to seek advice on the best way to mitigate a rather severe attack that brought down our server last night for a period of 30 minutes due to a mass DDoS / vulnerability scan of dozens of WordPress sites simultaneously.
I've not seen an attack of this nature - it was not particularly complex or clever, but a mass of IP addresses (hundreds) used all at once were "probing" for specific WordPress plugin files (I assume these must be notified vulnerable software exploits) on dozens of sites on one server virtually simultaneously. Having gone through all of the sites and logs, none of our sites actually have any of the WordPress plugins installed, so I guess this co-ordinated bot attack must just be doing a wide sweep to see where it can get lucky with finding one of these installations...
I do have a copy of the Apache Server Status log that shows the attack, but I don't really want to assist the attackers by publishing the vulnerabilities they were probing for. However, as a sample, here are just a few of the hundreds:
Code:
GET /wp-content/plugins/simple-download-button-shortcode/simple
GET /wp-content/plugins/robotcpa/f.php?l=../../../wp-config.php
GET /wp-content/plugins/wp-swimteam/include/user/download.php?f
GET /wp-content/plugins/advanced-custom-fields/core/actions/exp
GET /wp-content/plugins/gracemedia-media-player/templates/files
GET /wp-content/plugins/wp-swimteam/include/user/download.php?f
GET /wp-content/plugins/bookx/includes/bookx_export.php?file=..
So what to do:
I have the usual security set up: using CSF firewall, cPHulk, ModSecurity etc., but none of these effectively stopped this.
I guess what would be good would be a script or ModSecurity rule that would block an IP after x number of 404s? Would anyone happen to know one of those?
Thanks
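One way to do the per-IP 404 counting the post asks for, as an added example that is not from this thread and not part of CSF or ModSecurity: a Python script that parses Apache combined-format access-log lines, flags any IP that reaches a threshold of 404 responses inside a sliding time window (so a burst of plugin-path probes is caught but a visitor hitting a few dead links is not), and produces the matching `csf -d` deny commands for review rather than running them. The log lines, IPs and paths below are constructed; the threshold and window are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format (the constructed sample lines below follow it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, request, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))

def find_scanners(lines, threshold=10, window_seconds=60):
    """Map ip -> 404 count for every IP that reaches `threshold` 404s inside a sliding
    window of `window_seconds`; lines are assumed to be in timestamp order, as in a log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 404:
            continue
        ip, ts = parsed[0], parsed[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop 404s that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)         # record the count at the moment the threshold was hit
    return flagged

def csf_deny_commands(flagged, comment="wp-plugin-404-scan"):
    """Build `csf -d <ip> <comment>` lines (CSF's permanent-deny syntax) for an admin to review."""
    return [f"csf -d {ip} {comment}" for ip in sorted(flagged)]

# --- constructed sample log: one IP probing plugin paths, one legitimate visitor ---
def _line(ip, seconds, path, status):
    ts = datetime(2024, 1, 1, 3, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE_LOG = [_line("203.0.113.5", i * 2, f"/wp-content/plugins/plugin{i}/x.php", 404) for i in range(12)]
SAMPLE_LOG += [_line("198.51.100.7", 5, "/", 200), _line("198.51.100.7", 9, "/old-page", 404)]
SAMPLE_LOG.sort(key=lambda l: parse_line(l)[1])

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    print(hits, csf_deny_commands(hits))
```

Feed it a real access_log (`find_scanners(open(path))`) and start with a high threshold; the same counting could also be done by ModSecurity's persistent IP collection, but a standalone script is easier to test before it blocks anything.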