Webserver hit about every 24 hours

So glancing at some logs for my wordpress server that just hangs out in my DMZ, about once a day a different IP (today was 45.195.133.100 out of Hong Kong) will blast me with about 1700 successful hits on port 80, about 118 hits a minute.

I’m used to random places port scanning me, but I don’t understand the motive behind this spike in allowed traffic to one port. Is it a type of bot activity? Should I get into some deeper logs to see if its some sort of injection or brute force effort?

So there’s some interesting backstory around those IP addresses. Those were actually provisioned for a small island North-North East of Madagascar and the Chinese Government actually bought up a lot of that IP space from them. So, generally when you see those AfriNIC IP’s with HK destinations, that’s who you’re dealing with.

I was seeing a lot of those same things, directly targeting wordpress (and since the company I was working for at the time hosted >250k wordpress sites, i saw it a lot) to add shells to unpatched websites. The shells themselves just sit there, and are rarely touched after the fact, so my bet is, they’re just laying ground for a dormant botnet.

The reason we linked it back to the state was because a few months later a similar netblock (Seychelles Registered, routed to China) hit our windows infrastructure with a STILL unrevealed (as far as we could tell) 0-day. It’s since been patched, but it’s pretty freaky shit that comes from those netblocks.

They’re probably going after the xmlrpc api for wordpress since it has been very insecure for years, and I’d be checking to make sure nothing like ‘shell.php.jpg’ was in my upload folder.

1 Like

Awesome stuff, will need to look at my other logs I guess.

Looked at some notes just now, crap almost two years ago on the mark someone was using the xmlrpc ping back attack on my website, that time it was 191.96.249.80.

Will mess around with Splunk to see if I have a lot of outgoing traffic from my wordpress IP when this happens- if so, they are using my server as part of a DDoS.

  • Edit, doesn’t look like a ping back attack from what I can tell so far. Another thing seems to be maybe a cat and mouse game with pfblocker, I’ve seen an address try and try, be blocked, then rolls over to the next IP and starts to be allowed. For example xxx.xxx.xx.102 gets blocked multiple times, rolls over to xxx.xxx.xx.103.

If I may recommend yara scanner https://github.com/virustotal/yara/releases/tag/v3.8.1

Combined with these rules: https://github.com/DarkenCode/yara-rules/tree/master/malware

Helped me a ton at keeping my environments clean.

2 Likes

I better get some sleep, I’ll look at logs all night- finding that my Asus wifi (in access point) is the nosiest of my NAT IPs with a ton of blocked outgoing traffic, followed by my four IP cams. Ignorance is going to be bliss for tonight.