Active breach detection is the only way to protect your network beyond the firewall.

Paul Kraus




Be on alert – Agritourismo WordPress DDOS could impact you!

On March 12, 2016, Eastwind Networks detected a DDOS attack targeting WordPress web servers. The attack targets a specific WordPress theme, agritourismo-theme, and is malicious enough to cause failures. Web servers are seeing requests for files under the agritourismo theme even if that theme is not installed. You may see entries in your HTTP logs similar to the following:

- - [14/Mar/2016:07:52:50 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/fg/link.php HTTP/1.1" 404 29117

- - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/index.php HTTP/1.1" 301 -

- - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/ HTTP/1.1" 404 29117

- - [14/Mar/2016:07:53:14 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/gate.php HTTP/1.1" 404 29117

- - [14/Mar/2016:07:53:45 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/link.php HTTP/1.1" 404 29117

Hundreds of thousands of requests for these files are being seen from thousands of different IP addresses from around the world, but mainly concentrated from the US, France, and Russia.

Network Map


Impact:

Systems receiving these requests may see delayed response times and even failures.

The volume of requests could be high enough to cause web servers with constrained memory to exhaust their memory and cause your website to go down.

Mitigation:

Even though the requests are being seen from thousands of unique IP addresses, half of the requests come from the following 16 IP addresses.

We suggest blocking these IPs at the firewall. Many of these IPs are known TOR exit nodes or proxy servers.

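As an added example (not Eastwind's tooling), the following script shows how to confirm the pattern in your own access logs and find the sources worth blocking: it parses combined-format log lines, keeps only requests under the agritourismo theme path, counts them per client IP, and picks the busiest IPs that together account for half of the theme requests, the same threshold the mitigation above uses. The sample log lines are constructed with documentation-range IPs; point the script at your real log instead.

```python
import re
from collections import Counter

# Combined-log prefix: client IP, identity, user, [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

# Path fragment that identifies the campaign described in the article.
THEME_MARKER = "/wp-content/themes/agritourismo-theme/"

# Constructed sample log lines (documentation-range IPs, not the real sources).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2016:07:52:50 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/fg/link.php HTTP/1.1" 404 29117
192.0.2.10 - - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/index.php HTTP/1.1" 301 -
198.51.100.7 - - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/ HTTP/1.1" 404 29117
192.0.2.10 - - [14/Mar/2016:07:53:14 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/gate.php HTTP/1.1" 404 29117
203.0.113.42 - - [14/Mar/2016:07:53:20 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [14/Mar/2016:07:53:45 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/link.php HTTP/1.1" 404 29117
"""


def count_theme_requests(lines):
    """Return a Counter of client IP -> number of requests under the theme path."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and THEME_MARKER in m.group("path"):
            hits[m.group("ip")] += 1
    return hits


def top_sources(hits, share=0.5):
    """Busiest IPs (in order) that together account for at least `share` of the theme requests."""
    total = sum(hits.values())
    chosen, covered = [], 0
    for ip, n in hits.most_common():
        if covered / total >= share:
            break
        chosen.append(ip)
        covered += n
    return chosen


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("/var/log/apache2/access.log") on a real server.
    hits = count_theme_requests(SAMPLE_LOG.splitlines())
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} theme requests")
    print("candidates for firewall block:", top_sources(hits))
```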

More Stories By Paul Kraus

Paul has more than 25 years of experience in security, including VP Engineering at Blue Coat Systems and Solera Networks, and Director of Engineering roles at Adobe, VERITAS and Symantec.

In his current role as President and CEO for Eastwind, Paul is helping define and execute the company’s mission of providing enterprise-grade network security to SMBs.