Today our server was not reachable. It was returning a 502.
We are running Nginx 1.10 on Ubuntu 14.04. We also use PHP7 (only, no PHP5).
In the logs, we got the same error from the same client (2 different, but similar IP).
connect() to unix:/run/php/php7.0-fpm.sock failed (11:Resource temporarily unavailable) while connecting to upstream, client 191.xx.xx.53, server: example.com, request: "POST /xmlrpc.php HTTP/1.0", upstream: "fastcgi:/unix:/run/php/php7.0-fpm.sock:", host: "xx.xx.xx.xx"
This was in the logs in a per second to 5 second intervals. From 191.xx.xx.53 and 191.xx.xx.54. "Similar" IPs.
We run wordpress sites here. And we got hammered!
What do you make of this? Using the XML-RPC is a bruteforce attack? Or is this a DDOS attack or both? (both meaning bruteforce but failed but resulted to ddos).
Our logs say Resource temporarily unavailable. Does this mean that the resource could no longer be served or is the resource that's being called not supported in PHP7?
The attack went on for around 6 hours before we noticed the site was down. We immediately blocked the IP and site was immediately back up. Why was it immediately back online? Because resources were already available?
Words of wisdom needed...