WordPress One-Click CPU & Memory overloading

April 29, 2019
MySQL Apache WordPress One-Click Install Apps Ubuntu 18.04

Hi guys!

A few weeks ago I created a new WordPress one-click install droplet and connected it to my domain.
In the last few days I have been getting an "Error establishing database connection" error.
I logged into the console via SSH, launched htop and noticed that my CPU is running at 100%: www-data is taking about 40-60% of CPU constantly, MySQL is killing the RAM (maxing it out) and my website is not even loading.

I tried rebooting the server, I tried restarting apache2, tried restarting mysql, but no luck.
When I stop mysql, the website becomes responsive again (although CPU still peaks at 100%).

I tried stripping my WordPress down to the minimum (no plugins, just the original theme) but nothing works.

I also thought maybe I'm getting an XML-RPC attack, so I tried DO's tutorial on how to block that (all options) but nothing actually works.

Also, it might be important to say that my WordPress installation is very minimal and barely has any content in it (no one has worked on it yet).

Specs (Droplet):
1 GB Memory / 25 GB Disk / FRA1 - Ubuntu WordPress on 18.04.1.
PHP 7.2.17
MySQL 5.7.26

Screenshots (htop):
https://imgur.com/a/JCdhjO3

Thank you very much!

1 Answer

Greetings!

I'm sorry about the trouble this is causing. I appreciate your attention to detail here, you clearly know well what you are doing with this. Hopefully I can offer some helpful thoughts.

If you've reverted to no plugins and default theme, and this continues, my thoughts are leaning toward two possibilities:

  • Unfortunate and hidden IP reputation. Something existed on that IP in the past that successfully received attacks, causing the IP to be circulated in some secret list, and now it receives more attacks than normal by default. Those could be brute force or scanning for vulnerable web applications. You might see this behavior by tailing the log like this:
tail -f /var/log/apache2/access.log
  • Wordpress has been compromised. Through a theme or plugin most likely, and the impact may remain after disabling them. Often these compromises involve exploiting a PHP script that allows them to upload a script to the site, then they make POST requests to that script from the public facing web server, for whatever malicious purpose may be relevant to that case. Sometimes the file they write to will be an existing Wordpress site file, so you may not see a weird PHP file hanging out anywhere but instead have a default script with some extra goodies added to it. Should this be the case, you may see weird POST requests to an unexpected PHP file in your logs:
grep "POST" /var/log/apache2/access.log

I really like this blog article about finding compromised PHP scripts: http://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/

I can't imagine what else it might be, but I'd love to know if you find out.

Jarland
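The two log checks in the answer above (tailing the access log and grepping for POST requests) are easier to read when the log is summarised rather than scrolled. The script below is an added example, not code from the thread or from DigitalOcean's WordPress image: a POSIX shell script that counts POST requests per target path and per source IP, lists POSTs to PHP scripts outside a small set of endpoints WordPress legitimately accepts POSTs on (that allow-list is an assumption and should be adjusted per site), and reports the busiest second, which is the signal for a brute-force or XML-RPC flood. The sample log lines are constructed to match the shape of the lines posted in the thread, using RFC 5737 documentation addresses; pass a real log path as the first argument to run it against the server.

```shell
#!/bin/sh
# Added example (not from the thread): summarise POST traffic in an Apache
# combined-format access log to spot brute-force and XML-RPC abuse patterns.
# Usage: sh triage.sh [/var/log/apache2/access.log]

# Constructed sample log, shaped like the lines posted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0"
127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0"
127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0"
127.0.0.1 - - [29/Apr/2019:11:57:01 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2019:11:57:01 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2019:11:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2019:11:57:02 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Apr/2019:11:57:03 +0000] "POST /wp-content/uploads/2019/04/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Apr/2019:11:57:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
EOF

# Combined log format fields: $1 client IP, $4 "[day/mon/year:hh:mm:ss",
# $6 "\"METHOD", $7 request path, $9 status.

# POST requests per target path, busiest first.
post_targets() {
    awk '$6 == "\"POST" { n[$7]++ } END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# POST requests per source IP, busiest first. A high count from 127.0.0.1
# means the requests originate on the host itself (or a local proxy), not
# from the internet, which changes where to look next.
post_sources() {
    awk '$6 == "\"POST" { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# POSTs to PHP scripts outside the endpoints WordPress normally accepts POSTs
# on (assumed allow-list; extend it for the plugins actually installed).
# A hit here is the "unexpected PHP file" the answer describes.
unexpected_php_posts() {
    awk '$6 == "\"POST" && $7 ~ /\.php/ {
            path = $7; sub(/\?.*/, "", path)
            if (path !~ /^\/(xmlrpc|wp-login|wp-cron|wp-comments-post)\.php$/ && path !~ /^\/wp-admin\//)
                print
         }' "$1"
}

# Largest number of POSTs that landed within any single second.
peak_posts_per_second() {
    awk '$6 == "\"POST" { n[$4]++ }
         END { max = 0; for (t in n) if (n[t] > max) max = n[t]; print max }' "$1"
}

LOG=${1:-$SAMPLE_LOG}
printf '== POST targets ==\n';  post_targets "$LOG"
printf '== POST sources ==\n';  post_sources "$LOG"
printf '== POSTs to unexpected PHP files ==\n'; unexpected_php_posts "$LOG"
printf '== peak POSTs in one second: %s ==\n' "$(peak_posts_per_second "$LOG")"
```

On the sample above the report shows wp-login.php as the top target, the loopback address as the top source, one POST to a PHP file under wp-content/uploads (the pattern to investigate for a dropped script), and a peak of three POSTs in one second. For a rotated log, run it once per file or feed `zcat` output through a temporary file.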

  • Hi @jarland, thank you for your reply!

    I am not sure how to recognize if these are actually attacks. But it does seem like unknown addresses are trying to access.

    This is the log (some of it at least) I am getting from tail -f /var/log/apache2/access.log

    127.0.0.1 - - [30/Apr/2019:07:48:54 +0000] "POST /xmlrpc.php HTTP/1.1" 301 3586 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    139.59.151.34 - - [30/Apr/2019:07:48:56 +0000] "GET / HTTP/1.1" 500 3588 "https://blog.03884.top/xmlrpc.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [30/Apr/2019:07:49:03 +0000] "GET / HTTP/1.1" 301 534 "http://toowoonsurfclub.com.au/xmlrpc.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    139.59.151.34 - - [30/Apr/2019:07:49:03 +0000] "GET / HTTP/1.1" 500 3588 "http://127.0.0.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    139.59.151.34 - - [30/Apr/2019:07:49:09 +0000] "GET /wp-login.php HTTP/1.1" 301 558 "http://mooniecrossroads.com.au/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    139.59.151.34 - - [30/Apr/2019:07:49:11 +0000] "GET /wp-login.php HTTP/1.1" 500 3587 "http://139.59.151.34/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [30/Apr/2019:07:49:14 +0000] "GET / HTTP/1.1" 301 534 "http://tuciudadalternativa.com/xmlrpc.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    139.59.151.34 - - [30/Apr/2019:07:49:14 +0000] "GET / HTTP/1.1" 500 3588 "http://127.0.0.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [30/Apr/2019:07:49:18 +0000] "POST /xmlrpc.php HTTP/1.1" 301 3586 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    139.59.151.34 - - [30/Apr/2019:07:49:18 +0000] "GET / HTTP/1.1" 500 3588 "https://blog.028xsjs.com/xmlrpc.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    

    And some of the logs from grep "POST" /var/log/apache2/access.log

    127.0.0.1 - - [29/Apr/2019:11:56:59 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:56:59 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:56:59 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:56:59 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:56:59 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:00 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:01 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:01 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:02 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:02 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:03 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:03 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:04 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:04 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:04 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:04 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /xmlrpc.php HTTP/1.1" 301 3586 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:05 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:06 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:07 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:07 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:07 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:08 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:08 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:09 +0000] "POST /xmlrpc.php HTTP/1.1" 301 3586 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:09 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:09 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:10 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:11 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:13 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:13 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:14 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:15 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:16 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:17 +0000] "POST /xmlrpc.php HTTP/1.1" 301 554 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    127.0.0.1 - - [29/Apr/2019:11:57:18 +0000] "POST /wp-login.php HTTP/1.1" 500 3583 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    Binary file /var/log/apache2/access.log matches
    

    What would you assume this to be according to this data?

    Thanks!

  • @jarland So in the end I figured out it actually was XML-RPC & DDoS attacks.
    I have activated Cloudflare on my website and now everything runs smoothly :)

    Thanks for the help!

    • It's interesting that it caused such load when most of the requests failed. It speaks to the severity of the malicious efforts. Glad you got it under control!
