• John Walker posted an update in the group Updates 5 months, 1 week ago

    2020 June 25

    Starting at 06:10:24 UTC, the site came under an intense attack
    from, part of a class C,,
    registered to "Libertas Network UK", but whose abuse contact is,
    for some reason, in Antigua and Barbuda.  The attack began with
    a fairly conventional scan for WordPress vulnerabilities,
    hammered in at a rate of around two per second.  Apparently,
    having found no vulnerability which could be exploited, the
    attack then switched into nihilistic destruction mode, in which
    it began to hit the home page at a rate of around ten times per
    second.  This, of course, massacred PHP-FPM, and at 06:12:13 we
    began to encounter 500 errors due to exhaustion of memory by
    spawned worker processes.  In this mode, it never hit anything
    other than the home page or wp-login.php.  The attack continued
    until 06:15:24, when it abruptly stopped.  The User Agent on
    almost all of these requests was:
        Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0)
            Gecko/20100101 Firefox/72.0
    however, weirdly, there were a few mixed in with a User Agent of:
        Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0)
            Gecko/20100101 Firefox/28.0
    all requesting "GET //.env HTTP/1.1".  After the attack stopped,
    we haven't seen this IP address since.  We had never seen this
    IP address before in the current access_log which began on
    I firewalled the ISP.  We won't see this malefactor again.
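
The burst described in this entry (one client hitting the home page around ten times per second, with a few `//.env` requests mixed in, until PHP-FPM workers returned 500 errors) can be spotted in an access log with a per-client sliding window. The following is an added example, not code from the original post; the combined log format, the window and threshold values, and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_floods(lines, window_s=10, max_hits=50):
    """Report clients exceeding max_hits requests in any window_s seconds.
    Thresholds are assumed values; lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> request times still inside the window
    stats = defaultdict(lambda: {"peak": 0, "env_probes": 0, "errors_5xx": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not in combined format
        ts = datetime.strptime(m["ts"], TS_FMT)
        q, s = recent[m["ip"]], stats[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()           # drop requests that fell out of the window
        s["peak"] = max(s["peak"], len(q))
        s["env_probes"] += m["path"].endswith(".env")
        s["errors_5xx"] += m["status"].startswith("5")
    return {ip: s for ip, s in stats.items() if s["peak"] > max_hits}

def sample_log():
    """Constructed sample, not real log data: 203.0.113.7 hits "/" ten times a
    second for 30 s, then probes //.env twice; 198.51.100.20 is a normal reader."""
    t0 = datetime.strptime("25/Jun/2020:06:12:00 +0000", TS_FMT)
    row = '{} - - [{}] "GET {} HTTP/1.1" {} 512 "-" "Mozilla/5.0"'
    at = lambda sec: (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
    out = [row.format("203.0.113.7", at(i // 10), "/", 500 if i >= 200 else 200)
           for i in range(300)]
    out += [row.format("203.0.113.7", at(30), "//.env", 404)] * 2
    out += [row.format("198.51.100.20", at(6 * i), "/", 200) for i in range(5)]
    return out

if __name__ == "__main__":
    for ip, s in find_floods(sample_log()).items():
        print(ip, s)
```

A client reported here with a high peak, a rising 5xx count and `.env` probes matches the pattern in this entry and is a candidate for rate limiting or a firewall rule.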