Cause:
Today I opened my personal blog and found that it was very slow to load, and then this message appeared: Server service is not available! What? Refreshing a few times did not help, so I quickly logged on to the server backend to check the situation.
Confirm attack:
After logging in to the backend, I found through netstat that the number of connections was several times higher than usual, so I hurriedly pulled the IPs with the craziest access counts out of the log:
# cat 2016-12-16-access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -n 10
30305 191.96.249.53
29016 191.96.249.54
4275 127.0.0.1
461 139.199.66.174
14 123.126.113.79
......
Then I looked at what these two IPs did to my site:
I found that they were constantly POSTing data to xmlrpc.php; a quick Baidu search on xmlrpc.php showed this to be a brute-force attack.
For a detailed analysis of this attack, see the following link:
http://www.freebuf.com/articles/web/38861.html
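Added example, not part of the original post: the pipeline above counts every request per IP, while this function counts only POST requests to xmlrpc.php and lists the IPs above a threshold. It assumes the Apache common/combined log format; the function names, the threshold default and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: Apache common/combined log format, client IP in field 1,
# request method in field 6 (with a leading quote), request path in field 7.

# xmlrpc_offenders LOGFILE [THRESHOLD]
# Prints "count ip" for every IP with more than THRESHOLD POSTs to xmlrpc.php,
# highest count first. THRESHOLD defaults to 100 (an arbitrary choice).
xmlrpc_offenders() {
    awk -v limit="${2:-100}" '
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)            # drop any query string
            if (path ~ /\/xmlrpc\.php$/) hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] > limit) print hits[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation-range addresses, not real traffic).
make_sample_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        echo '192.0.2.10 - - [16/Dec/2016:10:00:00 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370'
        i=$((i + 1))
    done
    echo '192.0.2.10 - - [16/Dec/2016:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120'
    echo '198.51.100.7 - - [16/Dec/2016:10:00:02 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370'
    echo '198.51.100.7 - - [16/Dec/2016:10:00:03 +0800] "GET /xmlrpc.php HTTP/1.1" 405 42'
    echo '203.0.113.5 - - [16/Dec/2016:10:00:04 +0800] "POST /wp-login.php HTTP/1.1" 302 0'
}

# Usage on a real log: xmlrpc_offenders 2016-12-16-access_log 1000
```

The resulting list is the set of candidate IPs to block with iptables or the security group; review it first so that legitimate XML-RPC clients are not cut off.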
Why the website went down:
Checking with iostat and vmstat, the server's CPU, memory and other resources showed nothing abnormal, so how did my site go down? My understanding is: 1. I did not pay for much bandwidth on my cloud server, only 1M, so the attack filled my bandwidth. 2. The attack requests occupied the Apache service processes.
PS: This is my own understanding; if there is a better explanation, feel free to leave a comment.
Solution:
Block the offending IPs with iptables or the cloud server's security group settings.
Block access to the xmlrpc.php file through .htaccess.
# Protect xmlrpc.php
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
This article is from the "Walk on the road in the operation and maintenance of the dog~" blog; please contact the author before reproducing it!
"Ops small share": personal blog site hit by a brute-force attack against xmlrpc.php