2020 June 25
Starting at 06:10:24 UTC, the site came under an intense attack from 220.127.116.11, part of a class C, 18.104.22.168/24, registered to "Libertas Network UK", but whose abuse contact is, for some reason, in Antigua and Barbuda.

The attack began with a fairly conventional scan for WordPress vulnerabilities, hammered in at a rate of around two per second. Apparently, having found no vulnerability which could be exploited, the attack then switched into nihilistic destruction mode, in which it began to hit the home page at a rate of around ten times per second. This, of course, massacred PHP-FPM, and at 06:12:13 we began to encounter 500 errors due to exhaustion of memory by spawned worker processes. In this mode, it never hit anything other than the home page or wp-login.php. The attack continued until 06:15:24, when it abruptly stopped.

The User Agent on almost all of these requests was:

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

However, weirdly, there were a few mixed in with a User Agent of:

    Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0

all requesting "GET //.env HTTP/1.1".

We have not seen this IP address since the attack stopped, and we had never seen it before in the current access_log, which began on 2019-10-16. I firewalled the ISP. We won't see this malefactor again.
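As an added illustration of the pattern this entry describes (example code, not part of the original log entry), the following Python script parses Apache-style combined access_log lines, flags any client whose request count in a one-second window exceeds a threshold, tallies requests for scanner-probe paths such as //.env and wp-login.php, and reports the share of 500 responses each client received. The log lines, the client addresses (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), the request counts and the thresholds are constructed for the example; only the two User-Agent strings are the ones quoted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Paths a vulnerability scanner probes; legitimate visitors rarely request them in bulk.
PROBE_PATHS = ("//.env", "/.env", "/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def burst_offenders(records, window=1.0, threshold=5):
    """Return {ip: peak requests within `window` seconds} for clients that exceed
    `threshold` requests in any sliding window. Records must be sorted by timestamp."""
    recent = defaultdict(deque)
    peaks = {}
    span = timedelta(seconds=window)
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] >= span:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def probe_counts(records):
    """Return {ip: {path: count}} for requests to known scanner-probe paths."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec["path"] in PROBE_PATHS:
            counts[rec["ip"]][rec["path"]] += 1
    return {ip: dict(paths) for ip, paths in counts.items()}


def error_ratio(records, ip):
    """Fraction of this client's requests that ended in a 5xx response."""
    mine = [r for r in records if r["ip"] == ip]
    if not mine:
        return 0.0
    return sum(1 for r in mine if r["status"] >= 500) / len(mine)


def analyze(lines, window=1.0, threshold=5):
    """Parse, sort and summarise: {ip: {"peak": n, "probes": {...}, "error_ratio": x}}."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    peaks = burst_offenders(records, window, threshold)
    probes = probe_counts(records)
    suspects = set(peaks) | set(probes)
    return {ip: {"peak": peaks.get(ip, 0), "probes": probes.get(ip, {}),
                 "error_ratio": error_ratio(records, ip)} for ip in suspects}


def make_sample_log():
    """Constructed sample log: one flooding client and one ordinary visitor. Not real data."""
    base = datetime(2020, 6, 25, 6, 12, 10, tzinfo=timezone.utc)
    ua_flood = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
    ua_env = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
    ua_visitor = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Safari/605.1.15"
    lines = []

    def add(ip, ts, path, status, ua):
        lines.append(f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')

    flood, visitor = "192.0.2.10", "198.51.100.7"  # documentation-range addresses
    for sec in range(4):
        ts = base + timedelta(seconds=sec)
        status = 200 if sec < 2 else 500  # workers exhausted after two seconds of flooding
        for i in range(10):  # ten hits per second on the home page / login page
            add(flood, ts, "/wp-login.php" if i == 9 else "/", status, ua_flood)
        add(flood, ts, "//.env", 404, ua_env)  # the odd .env probe with the other UA
        add(visitor, ts, "/about/", 200, ua_visitor)  # one normal request per second
    return lines


if __name__ == "__main__":
    for ip, info in sorted(analyze(make_sample_log()).items()):
        print(f"{ip}: peak {info['peak']} req/s, probes {info['probes']}, "
              f"5xx ratio {info['error_ratio']:.2f}")
```

The one-second window and the threshold of five are deliberately low for the constructed sample; on a real access_log the threshold should sit above the busiest legitimate client you observe, and the probe-path list should be extended with whatever your own scanner traffic shows. Clients that appear in the output both as burst offenders and as probe sources are the ones worth a firewall rule.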