Old 09-07-2015, 03:38 AM  
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Quote:
Originally Posted by Zverka View Post
hmmm this is highly unusual unless it is vps with 32mb of RAM.

Anyway, by any chance are you running WP sites on that server? There must be at least one on the server, who doesn't have it nowadays. The real culprit could be xmlrpc.php in the root of the WP site. I have recently seen many attacks on this file, and one Quad Core server whose usual load is constantly about 2-3 suddenly went up to 40 because of those attacks from many bad bots trying to hack WP sites through xmlrpc.

Run this against access.log (apache or nginx) to see if there are many access attempts to xmlrpc.php

grep xmlrpc access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n8

Those attacks are usually frequent on weekends when "hackers" are out from school and they are hacking sites from their free Amazon instances ;)

I forbid access to xmlrpc.php in nginx and they are gone; since then server is cool.

More info here: Disable XML-RPC in WordPress to Prevent DDoS Attack - BlogAid

Hope this will help someone
That's pretty helpful. Thanks a lot. Yes, there are some WP sites and bots have been hitting certain files, usually search or jpg related.
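The access-log check from the quoted post, as an added example that is not part of the original thread: it matches on the request path field instead of grepping the whole line, so a hit is not counted when "xmlrpc" only appears in a referer or query string. It assumes the default common/combined log format of Apache and nginx; the function names and the sample log lines (documentation-range IPs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client count of requests whose *path* is xmlrpc.php.
# Assumed log format (Apache/nginx common or combined):
#   ip - user [time tz] "METHOD /uri HTTP/x" status bytes "referer" "agent"

xmlrpc_clients() {   # usage: xmlrpc_clients LOGFILE [MIN_HITS]
    awk -v min="${2:-1}" '
        {
            uri = $7                      # 7th whitespace field is the request URI
            sub(/\?.*/, "", uri)          # ignore the query string
            if (uri ~ /(^|\/)xmlrpc\.php$/) hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$1" | sort -k1,1nr -k2,2           # busiest clients first, stable order
}

# Constructed sample log: two clients really hit xmlrpc.php, a third one
# only mentions it in a referer and in a search query.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [05/Sep/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "bot"
203.0.113.5 - - [05/Sep/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "bot"
203.0.113.5 - - [05/Sep/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "bot"
198.51.100.7 - - [05/Sep/2015:10:00:04 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 162 "-" "bot"
192.0.2.10 - - [05/Sep/2015:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://example.com/xmlrpc.php" "Mozilla/5.0"
192.0.2.10 - - [05/Sep/2015:10:00:06 +0000] "GET /search?q=xmlrpc HTTP/1.1" 200 812 "-" "Mozilla/5.0"
EOF
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
xmlrpc_clients "$demo_log"
rm -f "$demo_log"
```

On a real server, pass the path to the live access log and a threshold, for example `xmlrpc_clients access.log 100`, to list only the heavy hitters.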