Server up and down.

Posted: Thu Jan 29, 2015 11:14 pm
by Bookworm
I've been trying to delay doing some upgrades, but there's a plugin (or an assault on the site) that's locking the server up repeatedly.

Right now, I have WordPress moved aside with just a basic text/html page. I have a new processor and motherboard ready to go in, but that's only a short-term fix. To fix it long term, I need to figure out what plugin is being attacked, or otherwise why the server is spawning off 150+ php-cgi processes within 60 seconds of the system coming online - all to Wapsi Square.

BW

Re: Server up and down.

Posted: Thu Jan 29, 2015 11:30 pm
by AnotherFairportfan
Ewww.

Of course, last night, my net connection crashed, too ... right in the middle of the last stage of e-filing our taxes. (The data was all in and saved online, but when it came back a couple of hours later, I had to re-do the e-file.)

Re: Server up and down.

Posted: Fri Jan 30, 2015 12:52 am
by DilyV
Seems like something is happening across the board... the internet seems to crawl for me anymore and I've got 10gb internet... All of a sudden my main computer is suffering all kinds of crap too.

Re: Server up and down.

Posted: Fri Jan 30, 2015 12:56 am
by Dave
Bookworm, if what I read in one of the anti-spam forums is correct, it's not just you. The Bad Guys are out scanning around looking for exploitable WordPress sites again.

EDIT: the RevSlider plugin has been a target recently ("Slider Revolution"). Apparently comes bundled with many UI themes, with auto-updates disabled. Versions prior to 4.1.4 were at risk.

There may well be some new (even "zero-day") exploits in WordPress plugins being used :(

Re: Server up and down.

Posted: Fri Jan 30, 2015 9:40 am
by Bookworm
Well, I did a manual upgrade to the wp-super-cache plugin, but I wasn't willing to spend another two hours breaking back into the server if it didn't work. (I have the flu)

I'm going to change the board out - from a dual core to a quad core, with double the ram. That should absorb the impact better and let me figure out what's going nuts.

151 Apache processes, each wanting between .7 and 1.7 percent CPU, do some damage.

Re: Server up and down.

Posted: Fri Jan 30, 2015 9:47 am
by JamesM
The page directing traffic to the forums has the URL misspelled.

Currently the redirect page has: http://forum.wapsisqare.com

Should be http://forum.wapsisquare.com

Re: Server up and down.

Posted: Fri Jan 30, 2015 9:54 am
by Bookworm
Fixed. Would you believe I had to retype that three times to get it to that level of incorrect? Being ready to collapse from the flu isn't conducive to accurate spelling.

Re: Server up and down.

Posted: Fri Jan 30, 2015 11:38 am
by Dave
Ugh... sorry to hear that it's not just the server/board that is under the weather.

Here's hoping that proper application of chicken soup, hot rum toddies, and sleep (in whatever order) help you get back to feeling better soon!

Re: Server up and down.

Posted: Fri Jan 30, 2015 1:25 pm
by Bookworm
I changed out the board and memory, and it looks like the load is back to normal. I do suspect there is/was an assault going on.

BW

Re: Server up and down.

Posted: Fri Jan 30, 2015 1:30 pm
by AnotherFairportfan
So, I'm seeing yesterday's comic, not today's.

Perhaps the intermediate servers haven't updated yet?

Re: Server up and down.

Posted: Fri Jan 30, 2015 1:32 pm
by Mark N
You did the best that could possibly be done and it worked. Thank you for bringing the site back to life. Now please just take care of yourself, Bookworm.

Re: Server up and down.

Posted: Fri Jan 30, 2015 5:06 pm
by Bookworm
I haven't gotten back home yet.

Anyway - tracked it down. It wasn't just wapsi, but that's the biggest target, and it was wapsi the last few times.

Specifically, it's an attack on xmlrpc.php (used for pingbacks, mostly). Apparently often used to try to inject a referral to another website. One attacking server is in Missouri, another in Russia. (The Russian one is trying to hack wp-login.php)

The new hardware should be better at absorbing the impact of the assaults until I can block their IPs.

Re: Server up and down.

Posted: Fri Jan 30, 2015 5:30 pm
by Dave
Ouch! Sorry you're in somebody's sights.

Would OSSEC or a similar automated defense mechanism help out? (Of course, there's the problem of distinguishing between genuine attackers, and rabid Wapsi fans :) )

Re: Server up and down.

Posted: Fri Jan 30, 2015 5:54 pm
by Bookworm
These are automated attacks. I'm seeing them on at least three different sites.

The "fix" is to disable xmlrpc.php - but that also disables the ability to do pingbacks. Of course, for webcomics, I suspect that pingbacks aren't that important.
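
An added example, not posted by anyone in the thread: one way to find which clients are flooding xmlrpc.php and wp-login.php, by counting POSTs per client IP in a sliding window over an Apache access log. The combined log format, the 60-second window, the threshold of 5 and the sample lines (documentation-range addresses) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format (assumed): client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
WATCHED = ("/xmlrpc.php", "/wp-login.php")

def flag_clients(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, endpoint): peak POST count in any window} for peaks >= threshold.

    Lines are expected in chronological order, as they appear in a log file.
    """
    recent = defaultdict(deque)   # (ip, endpoint) -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                                  # unparsable line or not a POST
        path = m["path"].split("?", 1)[0]             # ignore any query string
        endpoint = next((w for w in WATCHED if path.endswith(w)), None)
        if endpoint is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], endpoint)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:                     # drop hits older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: v for k, v in peak.items() if v >= threshold}

def _line(ip, sec, method, path):
    """Build one constructed log line `sec` seconds after 17:00:00."""
    return (f'{ip} - - [30/Jan/2015:17:{sec // 60:02d}:{sec % 60:02d} -0600] '
            f'"{method} {path} HTTP/1.1" 200 370 "-" "-"')

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE = (
    [_line("192.0.2.10", s, "POST", "/xmlrpc.php") for s in range(0, 40, 5)]
    + [_line("198.51.100.7", s, "POST", "/wp-login.php") for s in range(0, 30, 5)]
    + [_line("203.0.113.5", s, "POST", "/wp-login.php") for s in (0, 300, 600)]
    + [_line("203.0.113.5", 20, "GET", "/")]
)

if __name__ == "__main__":
    for (ip, endpoint), n in sorted(flag_clients(SAMPLE).items()):
        print(f"{ip} {endpoint}: {n} POSTs within 60 s")
```

The third sample client logs in three times, minutes apart, and stays under the threshold, which is the "attackers versus rabid fans" distinction raised earlier in the thread.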