VacantServer WordPress sites are getting hammered with bad logins and probes.
We’ve implemented a plugin that logs failed login attempts to syslog, plus a Fail2Ban filter to match them. If you run these on RedHat, you’ll need some additional configuration; here it is:
WP fail2ban login-failure regex (syslog):
^%(__prefix_line)sAuthentication failure for .* from <HOST>$
Apache nohome regex (error_log):
[client <HOST>] File does not exist: .*/~.*
PHP noscript regex (/home/*/logs/error_log,/var/log/httpd/error_log):
[client <HOST>] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
[client <HOST>] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
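As an added illustration (not part of the original post or of the WP fail2ban plugin), here is a small Python scanner that applies the filter regexes above to a few constructed log lines the way Fail2Ban does, counts hits per host, and reports which hosts would reach maxretry. The jail names, the simplified <HOST> and __prefix_line substitutions, and the sample lines are assumptions.

```python
import re
from collections import Counter

# Fail2Ban substitutes <HOST> with a named capture group; this is a simplified
# version (no "::ffff:" IPv4-mapped prefix handling).
HOST = r"(?P<host>[\w\-.^_]*\w)"
# Simplified stand-in for Fail2Ban's %(__prefix_line)s: "Mon DD HH:MM:SS host tag: ".
PREFIX = r"\S+ +\d+ [\d:]+ \S+ \S+: "

# The page's failregex lines, one list per jail (hypothetical jail names).
FILTERS = {
    "wordpress": [r"^" + PREFIX + r"Authentication failure for .* from " + HOST + r"$"],
    "apache-nohome": [r"\[client " + HOST + r"\] File does not exist: .*/~.*"],
    "apache-noscript": [
        r"\[client " + HOST + r"\] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)",
        r"\[client " + HOST + r"\] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$",
    ],
}
COMPILED = {jail: [re.compile(p) for p in pats] for jail, pats in FILTERS.items()}

def scan(lines, maxretry=3):
    """Count matches per (jail, host) and return the hosts that reach maxretry,
    which is what Fail2Ban would ban (findtime is ignored here)."""
    hits = Counter()
    for line in lines:
        for jail, regexes in COMPILED.items():
            for rx in regexes:
                m = rx.search(line)
                if m:
                    hits[(jail, m.group("host"))] += 1
                    break  # one hit per jail per line, like Fail2Ban
    banned = {host for (jail, host), n in hits.items() if n >= maxretry}
    return hits, banned

# Constructed sample lines (documentation IPs), not real log data.
SAMPLE = [
    "Mar 10 12:00:01 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5",
    "Mar 10 12:00:02 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5",
    "Mar 10 12:00:03 web1 wordpress(example.com)[1234]: Authentication failure for root from 203.0.113.5",
    "[Tue Mar 10 12:00:04 2015] [error] [client 198.51.100.7] File does not exist: /var/www/html/~admin",
    "[Tue Mar 10 12:00:05 2015] [error] [client 198.51.100.7] File does not exist: /var/www/html/wp-admin/login.php",
    "[Tue Mar 10 12:00:06 2015] [error] [client 192.0.2.9] script '/var/www/cgi-bin/test.pl' not found or unable to stat",
    "[Tue Mar 10 12:00:07 2015] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations",
]

if __name__ == "__main__":
    hits, banned = scan(SAMPLE)
    for key, n in sorted(hits.items()):
        print(key, n)
    print("would ban:", sorted(banned))
```

Running it against real logs is what `fail2ban-regex <logfile> <filterfile>` does; this script only shows how the patterns above pick out the offending host.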
XMLRPC flood attacks — DDoS and probing (/home/*/logs/access_log):
Please also enable the generic apache-nohome and apache-noscript filters. Install the WP fail2ban plugin (and configure it for your server) on your high-traffic blogs. All of these are helping during the current onslaught, which also includes probing for wp-admin directories, probing for /wp-admin/login.php, plus comment spam.
A new XMLRPC exploit has the script kiddies doing DDoS and probing for vulnerable services, and possibly doing remote code execution on vulnerable services.