I have a 512 MB VPS and host 2 WordPress sites on this CentOS server. I have apache + mysql + PHP + fast cgi installed on it. For the past 6 months everything has been running fine. My two sites get a total of 500 users a day, so the load is not heavy.
But since last night (12 hours now) my CPU usage has been at 100% and memory usage is also high. Neither the sites nor the server are reachable. I tried rebooting the server, thinking something had just gone wrong, but nothing changed.
Here is the output of top, but I don't understand what the problem is or how to fix it. There seem to be a huge number of php-cgi and httpd processes being run.
top - 09:11:43 up 2 min, 1 user, load average: 26.91, 10.07, 3.67
Tasks: 137 total, 28 running, 109 sleeping, 0 stopped, 0 zombie
Cpu(s): 36.4%us, 57.5%sy, 0.0%ni, 4.1%id, 1.4%wa, 0.0%hi, 0.1%si, 0.6%st
Mem: 511036k total, 505416k used, 5620k free, 3280k buffers
Swap: 0k total, 0k used, 0k free, 12240k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
804 root 20 0 36160 540 4 S 11.7 0.1 0:03.69 rsyslogd
1548 robert 20 0 51656 25m 812 R 5.8 5.1 0:00.76 php-cgi
1549 robert 20 0 50412 23m 528 R 5.8 4.8 0:00.70 php-cgi
1552 robert 20 0 50704 24m 764 R 5.8 4.9 0:00.64 php-cgi
1568 robert 20 0 44940 18m 760 R 5.8 3.7 0:00.42 php-cgi
1573 robert 20 0 38680 12m 792 R 5.8 2.6 0:00.32 php-cgi
1584 robert 20 0 31964 6300 704 R 5.8 1.2 0:00.19 php-cgi
1553 robert 20 0 49544 23m 1184 R 4.4 4.7 0:00.61 php-cgi
1554 robert 20 0 49544 23m 972 R 4.4 4.7 0:00.60 php-cgi
1557 robert 20 0 46288 19m 816 R 4.4 4.0 0:00.57 php-cgi
1558 robert 20 0 46288 19m 836 R 4.4 4.0 0:00.52 php-cgi
1563 robert 20 0 45452 19m 1104 R 4.4 3.9 0:00.49 php-cgi
1564 robert 20 0 45452 19m 1136 R 4.4 3.9 0:00.46 php-cgi
1565 robert 20 0 44948 18m 764 R 4.4 3.7 0:00.43 php-cgi
1569 robert 20 0 35492 9872 768 R 4.4 1.9 0:00.39 php-cgi
1572 robert 20 0 38680 12m 816 R 4.4 2.6 0:00.34 php-cgi
1574 robert 20 0 38376 12m 784 R 4.4 2.5 0:00.30 php-cgi
1576 robert 20 0 38388 12m 800 R 4.4 2.5 0:00.26 php-cgi
1583 robert 20 0 32736 7688 1332 R 4.4 1.5 0:00.20 php-cgi
1585 robert 20 0 31312 5832 1032 R 4.4 1.1 0:00.17 php-cgi
1586 robert 20 0 31312 5856 1012 R 4.4 1.1 0:00.14 php-cgi
1589 robert 20 0 30008 5320 1728 R 4.4 1.0 0:00.12 php-cgi
1593 robert 20 0 30012 5208 1620 R 4.4 1.0 0:00.07 php-cgi
1594 robert 20 0 30016 5156 1616 R 4.4 1.0 0:00.07 php-cgi
1595 robert 20 0 30008 5320 1728 D 4.4 1.0 0:00.07 php-cgi
1597 robert 20 0 12072 464 276 R 4.4 0.1 0:00.03 php-cgi
1579 robert 20 0 32736 7844 1444 R 2.9 1.5 0:00.24 php-cgi
28 root 20 0 0 0 0 S 1.5 0.0 0:02.65 kswapd0
991 mysql 20 0 139m 14m 692 S 1.5 2.8 0:04.41 mysqld
1186 robert 20 0 35172 6184 984 R 1.5 1.2 0:00.07 httpd
1546 robert 20 0 53412 28m 1632 S 1.5 5.6 0:00.75 php-cgi
1596 robert 20 0 2696 476 228 R 1.5 0.1 0:00.01 top
1 root 20 0 2900 200 4 S 0.0 0.0 0:00.77 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
4 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
5 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
6 root RT 0 0 0 0 S 0.0 0.0 0:00.13 watchdog/0
7 root 20 0 0 0 0 S 0.0 0.0 0:00.33 events/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cgroup
9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khelper
10 root 20 0 0 0 0 S 0.0 0.0 0:00.00 netns
11 root 20 0 0 0 0 S 0.0 0.0 0:00.00 async/mgr
12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pm
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 sync_supers
14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 bdi-default
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kintegrityd/0
16 root 20 0 0 0 0 R 0.0 0.0 0:03.46 kblockd/0
17 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid
18 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_notify
19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpi_hotplug
20 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata/0
21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ata_aux
22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ksuspend_usbd
23 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
24 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kseriod
25 root 20 0 0 0 0 S 0.0 0.0 0:00.00 md/0
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 md_misc/0
27 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
29 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 aio/0
31 root 20 0 0 0 0 S 0.0 0.0 0:00.00 crypto/0
36 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthrotld/0
38 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
39 root 20 0 0 0 0 S 0.0 0.0 0:00.00 usbhid_resumer
189 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
190 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
208 root 20 0 0 0 0 S 0.0 0.0 0:00.00 virtio-blk
263 root 20 0 0 0 0 S 0.0 0.0 0:00.03 jbd2/vda-8
264 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit
333 root 16 -4 2512 400 4 S 0.0 0.1 0:00.15 udevd
361 root 20 0 0 0 0 S 0.0 0.0 0:00.00 virtio-net
364 root 20 0 0 0 0 S 0.0 0.0 0:00.00 vballoon
543 root 18 -2 2508 396 4 S 0.0 0.1 0:00.00 udevd
546 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kstriped
600 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kauditd
816 root 20 0 2020 88 4 S 0.0 0.0 0:00.00 acpid
833 root 20 0 8940 512 4 S 0.0 0.1 0:00.00 sshd
868 root 20 0 3044 184 4 S 0.0 0.0 0:00.00 mysqld_safe
992 root 20 0 0 0 0 S 0.0 0.0 0:00.02 flush-253:0
1084 root 20 0 12960 636 4 S 0.0 0.1 0:00.03 master
1091 postfix 20 0 13036 620 4 S 0.0 0.1 0:00.00 pickup
1092 postfix 20 0 13108 672 4 S 0.0 0.1 0:00.00 qmgr
1094 root 20 0 34900 5036 88 S 0.0 1.0 0:00.52 httpd
1097 robert 20 0 20568 2320 4 S 0.0 0.5 0:00.00 httpd
1103 root 20 0 3956 560 4 S 0.0 0.1 0:00.01 crond
1106 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.05 httpd
1107 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.02 httpd
1119 postfix 20 0 14204 848 4 S 0.0 0.2 0:00.00 smtpd
1134 postfix 20 0 13180 656 4 S 0.0 0.1 0:00.00 cleanup
1138 root 20 0 2008 60 4 S 0.0 0.0 0:00.00 mingetty
1140 root 20 0 2008 56 4 S 0.0 0.0 0:00.00 mingetty
1142 root 20 0 2008 60 4 S 0.0 0.0 0:00.00 mingetty
1144 root 20 0 2008 64 4 S 0.0 0.0 0:00.00 mingetty
1146 root 20 0 2008 64 4 S 0.0 0.0 0:00.00 mingetty
1148 root 20 0 2008 64 4 S 0.0 0.0 0:00.00 mingetty
1150 postfix 20 0 13232 680 4 S 0.0 0.1 0:00.04 smtp
1151 postfix 20 0 13232 672 4 S 0.0 0.1 0:00.00 smtp
1159 root 20 0 11884 740 8 S 0.0 0.1 0:00.01 sshd
1160 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.09 httpd
1164 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.03 httpd
1165 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.03 httpd
1172 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.05 httpd
1174 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.07 httpd
1175 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.07 httpd
1184 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.04 httpd
1185 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.09 httpd
1187 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.05 httpd
1188 robert 20 0 35600 5412 16 S 0.0 1.1 0:00.10 httpd
1189 robert 20 0 35172 5264 16 S 0.0 1.0 0:00.03 httpd
1190 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.02 httpd
1191 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.11 httpd
1196 robert 20 0 11884 748 4 S 0.0 0.1 0:00.00 sshd
1201 robert 20 0 8220 448 4 S 0.0 0.1 0:00.00 sftp-server
1208 robert 20 0 35172 5268 16 S 0.0 1.0 0:00.12 httpd
1214 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.04 httpd
1220 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.02 httpd
1221 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.04 httpd
1222 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.05 httpd
1223 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.02 httpd
1229 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.07 httpd
1238 root 20 0 11884 736 8 S 0.0 0.1 0:00.01 sshd
1260 robert 20 0 12020 752 4 S 0.0 0.1 0:00.59 sshd
1265 robert 20 0 3180 308 4 S 0.0 0.1 0:00.14 bash
1266 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.07 httpd
1286 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.10 httpd
1287 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.02 httpd
1294 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.01 httpd
1295 robert 20 0 35172 5224 16 S 0.0 1.0 0:00.06 httpd
1296 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.02 httpd
1332 robert 20 0 35172 5216 16 S 0.0 1.0 0:00.09 httpd
1509 root 20 0 4324 668 4 S 0.0 0.1 0:00.00 crond
1510 root 20 0 4324 668 4 S 0.0 0.1 0:00.00 crond
1512 robert 20 0 6572 380 4 S 0.0 0.1 0:00.02 wget
1513 robert 20 0 6572 376 4 S 0.0 0.1 0:00.02 wget
1545 robert 20 0 53412 28m 1636 S 0.0 5.6 0:00.76 php-cgi
1547 robert 20 0 53412 28m 1632 S 0.0 5.6 0:00.74 php-cgi
Can you take a look? Thanks
Edit:
I have a lot of entries like this in my access_logs:
104.245.97.218 - - [14/Apr/2015:07:54:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:22 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:22 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:23 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:23 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:27 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:27 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:28 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:28 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:29 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:29 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:29 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:30 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:30 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
104.245.97.218 - - [14/Apr/2015:07:54:31 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
Answer 1
It looks like you have been hit by a fairly standard brute-force password-guessing attack against WordPress. As the linked article says,
There are many ways to block brute-force attacks. If you have a dedicated server, you can install OSSEC (open source) on it and have it automatically block IP addresses that miss too many passwords [...]
Obviously, many people will recommend the many application-level tools (i.e. plugins) in the WordPress ecosystem to help deal with brute-force attacks. The problem is that none of the tools we have tried protect you against attacks via XMLRPC calls, including our own plugin. This may be why we are seeing the attack method shift. Until the issue is resolved, blocking at the edge will be your preferred method.
So it looks like a responsive, IP-specific blocking tool such as fail2ban
may be the way to go. Failing that, this SF question suggests reconfiguring apache to deny access to that script, which will at least return 403 Forbidden instead of executing the script - computationally far cheaper than running the script for every request, and it should reduce server load.
Edit: congratulations on getting fail2ban
installed. Sadly, it is not magic pixie dust that automatically blocks all malicious behaviour; it is a highly configurable framework for responding to certain classes of entries in log files by banning specific IPs with iptables
. You have to configure an appropriate jail before it can help you.
If that doesn't sound like fun, you could ban this particular IP and see if it helps,
iptables -I INPUT 1 -p tcp --dport 80 -s 104.245.97.218 -j REJECT
(assuming your server is on port 80).
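As an added example (not from either answer or from fail2ban itself), the counting rule a fail2ban jail applies, maxretry hits from one source address within findtime seconds, implemented in Python over constructed log lines in the same combined-log format as the question's access_log. The addresses, thresholds and file layout are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches a POST to /xmlrpc.php in Apache combined log format, capturing the
# client address and the %t timestamp. This is the same shape a fail2ban
# failregex for such a jail would have, with <HOST> in place of the ip group.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /xmlrpc\.php[^"]*" \d{3}'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 14/Apr/2015:07:54:18 +0000


def parse(line):
    """Return (ip, datetime) for an xmlrpc.php POST, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def offenders(lines, maxretry=20, findtime=60):
    """Per-IP sliding window: an address is flagged once it has maxretry
    matching hits within findtime seconds. Returns {ip: time of crossing}.
    Lines for a given IP are assumed to be in chronological order."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ip, ts = hit
        if ip in flagged:
            continue  # already over the threshold; nothing more to learn
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop hits that fell out of the findtime window
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged


def sample_log():
    """Constructed sample: 24 POSTs in 12 s from one address (the pattern in
    the question), one ordinary GET, and 3 slow POSTs from another client."""
    tpl = ('{ip} - - [14/Apr/2015:07:54:{sec:02d} +0000] "POST /xmlrpc.php HTTP/1.0" '
           '200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')
    lines = [tpl.format(ip="198.51.100.7", sec=18 + i // 2) for i in range(24)]
    lines.append('203.0.113.9 - - [14/Apr/2015:07:54:20 +0000] "GET /index.php HTTP/1.1" '
                 '200 5120 "-" "Mozilla/5.0"')
    lines += [tpl.format(ip="203.0.113.9", sec=s) for s in (5, 25, 45)]
    return lines


if __name__ == "__main__":
    for ip, when in offenders(sample_log()).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

With the defaults only the fast-posting address is flagged; lowering maxretry or widening findtime changes which clients qualify, which is why the jail thresholds matter.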
Answer 2
Blocking access to xmlrpc.php will bring CPU usage down. I went through the same attack; although the attackers were hitting other pages too, blocking their access to xmlrpc.php made the site usable again.
If you are running apache, you can put the following in the WordPress .htaccess:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
If you do this you can still allow access from known-good IP addresses for blogging purposes, but I assume your intention is to get the site back first.