Dealing with Brute Force Attack

Question

For the better part of yesterday (and today so far) my server is being attacked with brute force.

I am rather an inexperience admin when it gets passed the basics. I understand how to find things, sometimes understand how to configure things. This attack has got me stressed and tired now.

Every time I think I got it, it comes back. Here is my CPU usage for the las 24 hours.

It initialized as an xmlrpc attack with some WordPress sites, I've since disabled that with some plugins - I've also removed the files themselves.

The attacks continue. My auth.log show a lot of attempts. I did some reading, could fail2ban is a great tool for stopping brute force attacks.

Configured it - I think it's right even though there are some "Command not found" errors - it says it banned an IP that was attacking me.

Things are quiet for now. I check this morning - CPU cranked up. I run top to see whats taking up all the APU the program 'host' is running.

4274 forge     20   0 1721620   6760   3264 S 98.8  0.3  14:04.99 host                                               
4537 forge     20   0  362804  33656   8664 R  0.3  1.6   0:00.14 php5-fpm                                           
1 root      20   0   33504   3968   2624 S  0.0  0.2   0:01.48 init                                               
2 root      20   0       0      0      0 S  0.0  0.0   0:00.00 kthreadd                                           
3 root      20   0       0      0      0 S  0.0  0.0   0:00.06 ksoftirqd/0                                        
5 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 kworker/0:0H                                       
6 root      20   0       0      0      0 S  0.0  0.0   0:00.10 kworker/u2:0

It even says by my user. Something else is running this - how can I find out?

The `host` command can be launched by `fail2ban`. Can you show the output of `ps auxf`? — shodanshok, Sep 24 '16 at 17:23
Hi -Here is my output for ps aux http://paste.ofcode.org/XD2ggSwg2xYLj7YRDtmxw4 — Richard Testani, Sep 25 '16 at 14:17
I setup fail2ban after the attack began. It seems on a timer, because I can kill the process but usually between an hour or two it starts up. Something already on the machine? A lot of attempts in my auth.log. Hard to tell where to look. — Richard Testani, Sep 25 '16 at 14:25

score 1 · Answer 1 · answered Sep 27 '16 at 19:10

Xmlrpc.php can start dos to other domains keeping your host as source.. You should remove xmlrpc.php , change login page link , or allow login to your known few IPs from .htaccess .

example from wpscan:

[!] The WordPress 'http://cffcinc.com/readme.html' file exists exposing a version number
[+] Interesting header: LINK: http://cffcinc.com/wp-json/; rel="https://api.w.org/", http://cffcinc.com/; rel=shortlink
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://cffcinc.com/xmlrpc.php
[+] WordPress version 4.6.1 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers

I got things under control - I did find more malicious files inside the yoast-seo plugin. A .sh file (shell script) which once I removed the plugin altogether it stopped the bots from running. Meanwhile I changed the login links to all WP; xmlrpc; setup banning with fail2ban; and disallowed reading of directories and such. I'll continue working out various aspects as well to keep it secure. — Richard Testani, Sep 28 '16 at 15:05

Dealing with Brute Force Attack

1 Answers1