On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand <rgelfa...@gmail.com> wrote:
> In the last 2 days we have received roughly 1 million of the following
> requests. Just to confirm, is this a DOS attack?
>
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php HTTP/1.0"
> 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
>

Probably just broken malware trying to guess WordPress account credentials. It's probably been handed just your host name or IP address and, not having any other victims to target, keeps repeatedly hitting your site. I occasionally see this type of behavior. I have my firewall configured to blackhole the source when there are an unreasonable number of POST requests in a short interval.

> Also, what does this mean?
>
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
>

It's checking whether your web server allows the OPTIONS command which might allow other forms of attacks to succeed. I strongly recommend disallowing that HTTP command. Easiest way is via mod_allowmethods:

https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

--
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
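
The "unreasonable number of POST requests in a short interval" check from the reply above, sketched as a sliding-window pass over access-log lines. This is an added example, not part of the original message or the poster's firewall configuration; the function names, the limit of 5 POSTs per 10 seconds, and the 203.0.113.7 log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
LOCAL = {"::1", "127.0.0.1"}  # loopback sources are never candidates for blocking


def flag_post_floods(lines, limit=5, window=timedelta(seconds=10)):
    """Map each source to the time it first exceeded `limit` POSTs in `window`.

    `limit` and `window` are assumed values, not taken from the thread.
    """
    recent = defaultdict(deque)  # source -> POST timestamps still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        src, stamp, method, _path, _status = m.groups()
        if method != "POST" or src in LOCAL or src in flagged:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[src]
        q.append(when)
        while when - q[0] > window:  # drop POSTs that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[src] = when
    return flagged


def sample_log():
    """Constructed sample: the two log formats from the thread plus a quiet client."""
    ua = '"-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'
    lines = [f'191.96.249.52 - - [20/May/2016:18:19:{22 + s:02d} -0400] '
             f'"POST /xmlrpc.php HTTP/1.0" 500 251 {ua}' for s in range(8)]
    lines += [f'203.0.113.7 - - [20/May/2016:18:2{m}:00 -0400] '
              f'"POST /wp-comments-post.php HTTP/1.1" 302 - {ua}' for m in range(3)]
    lines.append('::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-" '
                 '"Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy connection)"')
    return lines


if __name__ == "__main__":
    for src, when in flag_post_floods(sample_log()).items():
        print(f"{src} exceeded the POST limit at {when.isoformat()}")
```

The returned sources are what a firewall rule or blocklist would consume; how they are blocked is left to the firewall in use.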