phil_s

HTTP GET/POST FLOOD attacks?


Hey there, 

A friend's server (php, to be exact) is now going down rather frequently (still irregular but almost every week), and I am trying to get to the bottom of it.
It's a ServerPilot-configured small to middle tier DO Ubuntu server, running PHP 7 on nginx, HTTPS only (with a Let's Encrypt certificate added manually by me, not via ServerPilot).
When looking through the various log files I found a couple of things I couldn't place, can you guys make anything of this?

This happens multiple times a day (from different IPs) and goes on for 40-50 pings:

200.8.223.47 - - [07/Mar/2017:01:02:27 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:13 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:59 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:04:45 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:05:32 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:06:19 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:07:05 +0100] "POST / HTTP/1.0" 301 229
....

Is this suspicious? (nobody was editing the site at this time)

 

And these here come in 2-10 sec intervals, usually in 2-3 minute bursts, from different IPs, sometimes multiple times a day, sometimes followed by 30-40 "POST" commands:

86.106.157.213 - - [06/Mar/2017:16:40:53 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:40:58 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:41:03 +0100] "GET / HTTP/1.0" 301 233

While this should by no means get the server to its knees (or should it?), this is not normal, right?

Cheers folks!
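
One way to triage log excerpts like the ones in the post above, as an added example that is not part of the original thread: it parses the quoted access-log lines, groups them by client IP, and flags repeated POSTs and `wp-login.php` requests together with the average gap between requests. The function names, flag names and the `min_posts` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines quoted in the post above; the "...." line stands in for elided entries.
SAMPLE = """\
200.8.223.47 - - [07/Mar/2017:01:02:27 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:13 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:59 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:04:45 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:05:32 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:06:19 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:07:05 +0100] "POST / HTTP/1.0" 301 229
....
86.106.157.213 - - [06/Mar/2017:16:40:53 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:40:58 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:41:03 +0100] "GET / HTTP/1.0" 301 233
"""

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def parse(text):
    """Yield (ip, time, method, path, status); malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def summarize(text, min_posts=3):
    """Flag clients that POST repeatedly or request wp-login.php (threshold is an assumption)."""
    by_ip = defaultdict(list)
    for ip, *hit in parse(text):
        by_ip[ip].append(tuple(hit))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()  # chronological order per client
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        flags = []
        if sum(h[1] == "POST" for h in hits) >= min_posts:
            flags.append("repeated-post")
        if any(h[2].split("?")[0].endswith("/wp-login.php") for h in hits):
            flags.append("wp-login-probe")
        if flags:
            report[ip] = {"hits": len(hits), "flags": flags,
                          "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
                          "statuses": sorted({h[3] for h in hits})}
    return report
```

Calling `summarize()` on a full access log gives a per-IP view of request rate and status codes, which helps judge whether the volume alone could explain an outage.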
43 minutes ago, godmok said:

Looks like an attack on a WordPress site with a small wave.

Maybe this is an interesting read for it: https://perishablepress.com/protect-post-requests/

Exactly what I needed... have only been cross-reading but: very interesting article with lots of hands-on information, thanks a bunch!


Thanks again guys,

Just a quick update for anybody else who might run into this. Simply filtering out these:

RewriteCond %{REQUEST_URI} !\.(cgi|pl|asp|rar|zip)$ [NC]
RewriteCond %{REQUEST_URI} !wp-.*\.php$ [NC]

...took care of my problems. (No more crashes too)

:)

Cheers!

  • Like 3
