On March 12, 2016, Eastwind Networks detected a DDoS attack targeting WordPress web servers. The attack targets a specific WordPress theme, agritourismo-theme, and is aggressive enough to cause failures. Web servers are seeing requests for files under the agritourismo theme even if that theme is not installed. You may see entries in your HTTP logs similar to the following:
- - [14/Mar/2016:07:52:50 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/fg/link.php HTTP/1.1" 404 29117
- - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/index.php HTTP/1.1" 301 -
- - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/ HTTP/1.1" 404 29117
- - [14/Mar/2016:07:53:14 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/gate.php HTTP/1.1" 404 29117
- - [14/Mar/2016:07:53:45 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/link.php HTTP/1.1" 404 29117
Hundreds of thousands of requests for these files are being seen from thousands of different IP addresses around the world, concentrated mainly in the US, France, and Russia.
Systems receiving these requests may see delayed response times and even failures.
The volume of requests could be high enough that web servers with constrained memory exhaust it, taking your website down.
Even though the requests are being seen from thousands of unique IP addresses, half of the requests come from the following 16 IP addresses.
We suggest blocking these IPs at the firewall. Many of these IPs are known Tor exit nodes or proxy servers.
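As an added example, not part of the original advisory, the following Python reads combined-format access-log lines, isolates requests under the agritourismo theme path shown above, and ranks source IPs by request count so the handful of heavy hitters behind most of the traffic can be identified for blocking. The log layout and the source IPs in the embedded sample are assumptions (the advisory's excerpt has the client IP stripped; the sample addresses are constructed placeholders).

```python
import re
from collections import Counter

# Apache/nginx combined-log layout (assumed; the advisory's excerpt has the client IP stripped).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix shared by every request in the advisory.
THEME_PREFIX = "/wp-content/themes/agritourismo-theme/"

# Constructed sample: the advisory's request paths with placeholder (documentation-range) source IPs.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2016:07:52:50 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/fg/link.php HTTP/1.1" 404 29117
203.0.113.10 - - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/index.php HTTP/1.1" 301 -
198.51.100.7 - - [14/Mar/2016:07:53:05 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/ HTTP/1.1" 404 29117
198.51.100.7 - - [14/Mar/2016:07:53:14 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/gate.php HTTP/1.1" 404 29117
192.0.2.44 - - [14/Mar/2016:07:53:45 +0000] "GET /wp-content/themes/agritourismo-theme/functions/plugins/socks4/plugins/socks4/link.php HTTP/1.1" 404 29117
192.0.2.99 - - [14/Mar/2016:07:54:01 +0000] "GET /index.php HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def theme_requests(log_text):
    """Parsed entries whose request path falls under the agritourismo theme directory."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["path"].startswith(THEME_PREFIX)]


def top_sources(log_text, n=16):
    """Rank source IPs by theme-request count; also return the share of all such requests the top n account for."""
    counts = Counter(e["ip"] for e in theme_requests(log_text))
    total = sum(counts.values())
    top = counts.most_common(n)
    share = sum(c for _, c in top) / total if total else 0.0
    return top, share


if __name__ == "__main__":
    hits = theme_requests(SAMPLE_LOG)
    print(f"{len(hits)} requests under {THEME_PREFIX}")
    ranked, share = top_sources(SAMPLE_LOG, n=2)
    for ip, count in ranked:
        print(f"{ip}: {count}")
    print(f"top sources account for {share:.0%} of theme requests")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a high share concentrated in a few IPs is the pattern the advisory describes.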