Strange Attack (Need Help)

Uknown Member

I have a site that continuously comes under attack by someone, and I am unable to identify what kind of attack it is or how to get rid of it, because I moved the site to at least 3 DDoS-protected shared hosts and VPSs but the issue still exists.

This attack doesn't eat the bandwidth at all; what it does is increase the load on the CPU continuously and get it to the point where the site becomes offline, and on a VPS the CPU load gets to as much as 50+. As soon as I enable Cloudflare Under Attack mode (where you have to wait 5 seconds for a browser check before accessing the site) the CPU comes back to normal and the site starts working. The site is in WordPress, so is it some kind of attack on PHP to create this CPU load, and why can't the DDoS-protected hosting handle it while Cloudflare Under Attack mode helps me get the CPU back to normal?

I posted this question as a comment in another thread, but I think it went unnoticed; that's why I am posting it here. Sorry for the duplicate.

Comments

  • Are you using any caching plugins? What DDoS protected hosts have you used?

  • Uknown Member

    @Traffic said:
    Are you using any caching plugins? What DDoS protected hosts have you used?

    This happens with or without caching plugins. The only way the site survives is when I enable Under Attack mode through Cloudflare, which gets the CPU to normal. I tried GoDaddy CloudLinux hosting, which has DDoS protection; I tried TrentaHost CloudLinux with DDoS protection; I tried HostGator (no CloudLinux, so I was suspended almost every day if I forgot to enable Under Attack mode on Cloudflare); and I tried a ServerMania VPS as well.

    This attack doesn't eat bandwidth at all; instead it creates load on the CPU, and as soon as I enable Cloudflare Under Attack mode the CPU gets back to normal.

  • spl0i7 Member

    Since you haven't provided any logs I can only guess. What HTTP server do you use? Apache? Slow HTTP DoS attacks can cause that kind of trouble and most Apache servers are vulnerable to it; if this is the case then try using nginx on your server.

  • Uknown Member

    @spl0i7 said:
    Since you haven't provided any logs I can only guess. What HTTP server do you use? Apache? Slow HTTP DoS attacks can cause that kind of trouble and most Apache servers are vulnerable to it; if this is the case then try using nginx on your server.

    Yes, mostly Apache, but on TrentaHost I had LiteSpeed Web Server and still this was happening. I thought maybe this is a common attack going on against WordPress sites, so I asked here thinking maybe someone else has faced it too.

  • Maybe XMLRPC abuse?

  • Uknown Member

    @nexmark said:
    Maybe XMLRPC abuse?

    I read about it on the WordPress site, so I renamed the XMLRPC.php file in the WordPress root and disabled access to it by .htaccess, but the attack was still happening. Is it still possible to do XMLRPC abuse if the file is renamed or access is disabled?

  • black Member

    What's in your server logs? Surely there's some useful information there.

  • varwww Member

    Maybe you are getting brute-forced on wp-login.php.

  • black said: What's in your server logs? Surely there's some useful information there.

    +1. Check them and post the information you get here. With the info you have provided us, there's not much we can do.

  • Uknown said: This attacks doesn't eat the bandwidth at all

    Maybe it was a SYN flood?

  • adxn Member, Host Rep

    It might be an XMLRPC attack using a WordPress exploit! Check your log and see if there is a bunch of WordPress sites!

  • adxn Member, Host Rep

    Refer to http://lowendtalk.com/discussion/comment/933699 if it is an XMLRPC attack!

  • It's very hard to troubleshoot an issue like this. The DDoS is only used to exhaust the resources of the server, and then it becomes inaccessible. The DDoS may have hit you on port 80, but you should analyse your server log before coming to any conclusion. Did you ever try to use tcpdump to record network logs? Well, you should do that, as that can tell you what exactly is happening.

    Next, if you are running Apache, a simple Slowloris DoS (not even DDoS) can take down your server. Your error log and access log play a very important role in this. Don't forget to protect your server from Slowloris. Just use nginx to avoid it, or you can use HAProxy.

    Recently one of our servers was hit by a Joomla/WordPress plugin exploit. An N number of sites (Joomla and WordPress) were involved in attacking a site on port 80. Upon checking it was found that the user agent registered was WordPress, and for Joomla there was a blank user agent. So Cloudflare doesn't even provide protection against that unless you have the enterprise plan. Safely, you weren't hit by that.

    It's best to install a web application firewall like Comodo WAF to protect your web for the time being. For the rest, you should always analyse your web log for further action.

  • Uknown Member

    To all, thanks for the replies. Currently I am on a shared host; is it possible to get all types of logs on it? error_log doesn't show anything important except a couple of errors in theme files, which was because I edited the code and missed some symbols, which I corrected later.

  • jh_aurologic Member, Patron Provider

    Maybe it's a Layer7 request flood, which targets the webserver application and overloads the system resources. Layer7 attacks are often not filtered by some "anti-DDoS hosting providers".

    First have a look at your access log; if it's a Layer7 DDoS, you should see random requests in a short time frame. After this, you should consider contacting your provider and asking for Layer7 mitigation.

  • sin Member

    Whenever that used to happen to me it was because of bots constantly hitting wp-login.php, which causes the CPU to skyrocket.

  • jh_aurologic Member, Patron Provider

    Have you tried to add password authentication for wp-login.php?

  • I guess it's an xmlrpc and wp-login.php attack.

    You can check this in your webserver logs.
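Since several replies above (the Layer7 access-log check, and the wp-login.php / xmlrpc.php hits mentioned just above) come down to "look at the access log for bursts against those two files", here is a small detector that does that. This is an added example, not code from anyone in the thread: it parses Apache/nginx combined-format lines, counts per-IP hits on wp-login.php and xmlrpc.php inside a sliding 60-second window, and separately lists IPs whose User-Agent starts with "WordPress" (the pingback pattern one poster described). The log lines, IPs (RFC 5737 test ranges), date, threshold and window are all constructed for the example.

```python
"""Flag layer-7 floods against wp-login.php / xmlrpc.php in an access log.

Added example for the thread above, not a poster's code. All sample data
below is constructed; thresholds are illustrative, not tuned for any site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two PHP entry points the thread keeps coming back to.
HOT_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query string
    return rec


def is_hot(path):
    # endswith() also catches installs in a subdirectory, e.g. /blog/wp-login.php
    return any(path.endswith(p) for p in HOT_PATHS)


def find_floods(lines, window_seconds=60, threshold=10):
    """Return (offenders, pingback_ips).

    offenders:    {ip: peak number of hot-path hits inside any window}
                  for IPs whose peak reaches `threshold`.
    pingback_ips: IPs sending a User-Agent that starts with "WordPress",
                  the signature of pingback-driven traffic described above.
    """
    hits = defaultdict(list)
    pingback_ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        if rec["ua"].startswith("WordPress"):
            pingback_ips.add(rec["ip"])
        if is_hot(rec["path"]):
            hits[rec["ip"]].append(rec["time"])

    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders, pingback_ips


def _sample(ip, secs, method, path, ua):
    """Build one constructed log line (date/IPs are placeholders)."""
    return (f'{ip} - - [10/Oct/2016:13:55:{secs:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample: one IP hammering the login page, one pingback-style
# client touching xmlrpc.php a few times, and one ordinary visitor.
SAMPLE_LOG = (
    [_sample("203.0.113.5", s, "POST", "/wp-login.php", "Mozilla/5.0") for s in range(12)]
    + [_sample("198.51.100.7", s, "POST", "/xmlrpc.php",
               "WordPress/4.9; http://example.invalid") for s in (3, 9, 20)]
    + [_sample("192.0.2.1", 5, "GET", "/", "Mozilla/5.0"),
       _sample("192.0.2.1", 30, "GET", "/wp-login.php", "Mozilla/5.0")]
)

if __name__ == "__main__":
    offenders, pingbacks = find_floods(SAMPLE_LOG)
    for ip, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} hot-path hits within 60s")
    for ip in sorted(pingbacks):
        print(f"{ip}: WordPress pingback-style User-Agent")
```

On a real box you would feed it the access log instead of SAMPLE_LOG (e.g. `find_floods(open("/var/log/apache2/access.log"))`), then hand the offending IPs to whatever your host lets you use (a firewall rule, a Cloudflare firewall rule, or the password prompt on wp-login.php suggested earlier). A single IP at 12 POSTs in 12 seconds is the easy case; a distributed flood shows up as many IPs each just under the threshold, which is why the sliding-window count is worth printing for every IP, not only the ones over the line.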

  • Hey.

    Just out of sporting interest, I am ready to help you with it. You will have to change one thing in DNS (the IP) to proxy the traffic through my server; then I can analyze the logs and detect the method.

    Let me know, if you're interested.
