Make WordPress Core

Opened 5 weeks ago

Closed 4 weeks ago

#64586 closed defect (bug) (invalid)

Possible attack detected

Reported by: rkarlsba
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

Hi all

A server got DDoSed the other day, memory full, server not doing much and I found tons of traffic in the nginx log looking like below (anonymised here). I got the same sort of traffic with slightly varying URLs, mostly the last two digits before the repeating https:/ (with a single /) and then on and on. I don't think it did much damage other than DoSing the server, but with thousands of requests from all over the globe, it did introduce some stress.

x.x.x.x - - [02/31/2098:03:32:52 +0100] "GET https://mysrv.my.tld/2099/02/31/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/30https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/30https:/mysrv.my.tld/2018/05/11/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/29https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/ HTTP/1.0" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"

I don't know if this addresses a potential bug in WordPress, either existing or former, but I thought it interesting enough to report. I stopped this by adding this to my server{} block in the nginx config and the problem was reduced to just some log flooding, which I can live with.

# 444 No Response
# Used internally to instruct the server to return no information to the
# client and close the connection immediately.
if ($request ~ "[0-9]https:/[a-z]") {
    return 444;
}
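One way to see what the `[0-9]https:/[a-z]` rule above would and would not match before relying on it, as an added example (not part of the ticket or of WordPress): this Python sketch applies the same expression to the request field of combined-format access log lines and counts matches per client address. The sample lines, addresses and host names are constructed.

```python
import re
from collections import Counter

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Same expression as the nginx rule in the ticket; nginx "~" is case-sensitive.
RULE = re.compile(r'[0-9]https:/[a-z]')

def scan(lines):
    """Return (matches per client address, requests the rule lets through)."""
    hits, passed = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a combined-format entry
        if RULE.search(m["request"]):
            hits[m["addr"]] += 1
        else:
            passed.append(m["request"])
    return hits, passed

# Constructed sample entries (documentation addresses, placeholder host).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:03:32:52 +0100] "GET https://blog.example/2018/05/11/'
    'somearticle/28https:/blog.example/2018/05/11/somearticle/26https:/blog.example/'
    '2018/05/11/somearticle/ HTTP/1.0" 301 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2026:03:32:53 +0100] "GET https://blog.example/2018/05/11/'
    'somearticle/30https:/blog.example/2018/05/11/somearticle/ HTTP/1.0" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [01/Jan/2026:03:32:53 +0100] "GET /2018/05/11/somearticle/'
    '27https:/blog.example/2018/05/11/somearticle/ HTTP/1.0" 301 0 "-" "Mozilla/5.0"',
    # Ordinary article request: no embedded URL, passes.
    '198.51.100.7 - - [01/Jan/2026:03:33:01 +0100] "GET /2018/05/11/somearticle/ '
    'HTTP/1.1" 200 10432 "-" "Mozilla/5.0"',
    # Embedded URL with "//" after the scheme: "/" is not [a-z], so the rule passes it.
    '198.51.100.7 - - [01/Jan/2026:03:33:02 +0100] "GET /wp-login.php?reauth=1&'
    'redirect_to=https://blog.example/wp-admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, passed = scan(SAMPLE)
    for addr, count in hits.most_common():
        print(f"{addr}\t{count} matching request(s)")
    print(f"{len(passed)} request(s) would not be dropped")
```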

Change History (1)

#1 @jorbin
4 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from minor to normal
  • Status changed from new to closed

Hi @rkarlsba, welcome to WordPress Trac.
I'm sorry to hear you are having difficulty with your site, however Trac is used for the development of the WordPress software, not for assistance with individual sites or plugins.

I would suggest reaching out to the WordPress Support Forums for further assistance. There are volunteers there who can hopefully help you.

If you are concerned about the security of your individual site, I would recommend you start by reading this article: https://wordpress.org/documentation/article/faq-my-site-was-hacked/ and if you have questions, to reach out in the WordPress Support Forums for further assistance. There are volunteers there who can hopefully help you.

I've closed this ticket off with the term invalid, in this case it's the unfriendly term Trac uses to indicate that I've referred you to somewhere where you can find people better able to assist you.
