My Apache seems to be connecting to other servers?

I've had a problem where my Apache web server ran out of memory, taking the server down. I increased the available memory, but now it is hitting the connection limit.

After looking at the logs, I found one IP address constantly sending POST requests to /xmlrpc.php (I'm running WordPress). I found this is a fairly common situation and tried to block it with iptables, but I'm obviously doing something wrong because I still see those requests.

Even more confusing, my server appears to be connecting out to another server over port 80:

tcp        0    189 197.242.150.83:41201    45.34.6.25:80           ESTABLISHED 10296/apache2   
tcp        0    189 197.242.150.83:40870    45.34.6.25:80           ESTABLISHED 10183/apache2   
tcp        0    189 197.242.150.83:40816    45.34.6.25:80           ESTABLISHED 10127/apache2   
tcp        0    189 197.242.150.83:41035    45.34.6.25:80           ESTABLISHED 10172/apache2   
tcp        0    189 197.242.150.83:40912    45.34.6.25:80           ESTABLISHED 10201/apache2   
tcp        0    189 197.242.150.83:40820    45.34.6.25:80           ESTABLISHED 10161/apache2   
tcp        0    189 197.242.150.83:41047    45.34.6.25:80           ESTABLISHED 10237/apache2   
tcp        0    189 197.242.150.83:40888    45.34.6.25:80           ESTABLISHED 10143/apache2   
tcp        0    189 197.242.150.83:40983    45.34.6.25:80           ESTABLISHED 10225/apache2   
tcp        0    189 197.242.150.83:40900    45.34.6.25:80           ESTABLISHED 10186/apache2   
tcp        0    189 197.242.150.83:41309    45.34.6.25:80           ESTABLISHED 10301/apache2   
tcp        0    189 197.242.150.83:40881    45.34.6.25:80           ESTABLISHED 10114/apache2   
tcp        0    189 197.242.150.83:40929    45.34.6.25:80           ESTABLISHED 10196/apache2   
tcp        0    189 197.242.150.83:41226    45.34.6.25:80           ESTABLISHED 10281/apache2   
tcp        0    189 197.242.150.83:41086    45.34.6.25:80           ESTABLISHED 10213/apache2   
tcp        0    189 197.242.150.83:40965    45.34.6.25:80           ESTABLISHED 10177/apache2   
tcp        0    189 197.242.150.83:41062    45.34.6.25:80           ESTABLISHED 10219/apache2   
tcp        0    189 197.242.150.83:41299    45.34.6.25:80           ESTABLISHED 10283/apache2   
tcp        0    189 197.242.150.83:40992    45.34.6.25:80           ESTABLISHED 10241/apache2   
tcp        0    189 197.242.150.83:40809    45.34.6.25:80           ESTABLISHED 10153/apache2   
tcp        0    189 197.242.150.83:40830    45.34.6.25:80           ESTABLISHED 10134/apache2   
tcp        0    189 197.242.150.83:40972    45.34.6.25:80           ESTABLISHED 10206/apache2   
tcp        0    189 197.242.150.83:41232    45.34.6.25:80           ESTABLISHED 10291/apache2   
tcp        0    189 197.242.150.83:41253    45.34.6.25:80           ESTABLISHED 10270/apache2   
tcp        0    189 197.242.150.83:41150    45.34.6.25:80           ESTABLISHED 10284/apache2   
tcp        0    189 197.242.150.83:40942    45.34.6.25:80           ESTABLISHED 10220/apache2   
tcp        0    189 197.242.150.83:41054    45.34.6.25:80           ESTABLISHED 10248/apache2   
tcp        0    189 197.242.150.83:41002    45.34.6.25:80           ESTABLISHED 10169/apache2   
tcp        0    189 197.242.150.83:40835    45.34.6.25:80           ESTABLISHED 10115/apache2   
tcp        0    175 197.242.150.83:35562    51.254.203.153:80       ESTABLISHED 10230/apache2   
tcp        0    189 197.242.150.83:40750    45.34.6.25:80           ESTABLISHED 10110/apache2   

Any idea what might be going on?

Answer 1

After some investigation, it seems my server was being used in a WordPress pingback DDoS attack, which is all the POSTs to xmlrpc.php I was seeing.

Since the URL is required for WordPress's standard operation, I'll follow the SANS advice and add a filter to remove the pingback functionality:

<?php
// Drop pingback.ping from the XML-RPC method table so the server can no
// longer be made to fetch remote URLs on behalf of pingback requests.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
