XMLRPC Attack
By Mr.Seiko on Oct 3, 2015 | In Uncategorized
Had a server today with a huge load on it.
It was a VPS node. Had a look at the VPSes on it, and saw that one was sitting at a load of ~200.
Shut down that VPS, and the load on the node returned to normal immediately.
Restarted the VPS, and the load started to climb steadily.
Ended up finding out that there was a range of IPs attacking the server; they kept grabbing xmlrpc.php from a single site over and over.
Looks like the IP was 169.50.5.40. The last octet was a few different numbers.
Did a whois on the IP, and discovered that the attacker owns the IP range 169.50.5.32 - 169.50.5.47
Blocked the range 169.50.5.32/28 in CSF, and the load started to drop immediately.
Attack over.
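
An added example, not part of the original post: a Python script for the log check that surfaces this pattern, counting xmlrpc.php requests per client IP and then per /28, so a flood spread across neighbouring addresses stands out even when no single IP crosses the threshold. The log lines, the extra last octets, the 203.0.113.7 client and the threshold of 5 are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

def _line(ip, path):
    # Constructed sample line in Apache/nginx "combined" log format.
    return f'{ip} - - [03/Oct/2015:10:00:00 +0000] "POST {path} HTTP/1.1" 200 370 "-" "-"'

# Constructed sample: four neighbouring addresses, three hits each, plus one ordinary client.
SAMPLE_LOG = "\n".join(
    [_line(f"169.50.5.{o}", "/xmlrpc.php") for o in (40, 41, 35, 44) for _ in range(3)]
    + [_line("203.0.113.7", "/xmlrpc.php"), _line("203.0.113.7", "/index.php")]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def xmlrpc_hits(log_text):
    """Count requests for xmlrpc.php per client IPv4 address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path = m.groups()
        if path.split("?", 1)[0].endswith("/xmlrpc.php"):
            try:
                hits[ipaddress.IPv4Address(ip)] += 1
            except ValueError:
                continue  # hostname or IPv6 in the client field; ignored here
    return hits

def noisy_subnets(hits, prefix=28, threshold=5):
    """Sum per-IP counts into /prefix networks and return those at or over threshold."""
    per_net = Counter()
    for ip, n in hits.items():
        per_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += n
    return sorted((net, n) for net, n in per_net.items() if n >= threshold)

if __name__ == "__main__":
    hits = xmlrpc_hits(SAMPLE_LOG)
    print("busiest single IP:", max(hits.values()), "hits")
    for net, n in noisy_subnets(hits):
        print(f"{net}: {n} xmlrpc.php hits")
```

On the sample, each address stays at 3 hits while the /28 totals 12, which is why the per-subnet view finds the range. Confirm the owner of a reported range with whois before blocking it.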