Wordpress site with almost no plugins and no traffic eats 100 % CPU

Discussion in 'ISPConfig 3 Priority Support' started by Honza, Dec 21, 2016.

  1. Honza

    Honza Member HowtoForge Supporter

    Hi,
    I've got a WordPress site with almost no plugins that eats 100 % CPU. top shows the following (just the web2 user - that's the site):
    Code:
      PID USER  PR  NI  VIRT  RES  SHR S  %CPU %MEM  TIME+ COMMAND
     4892 web2  20  0  539444  64876  50216 S  16.6  1.6  0:13.18 php5-fpm
     4804 web2  20  0  539320  67296  52760 S  16.0  1.7  0:45.59 php5-fpm
     4532 web2  20  0  538684  63952  50056 S  14.0  1.6  0:46.45 php5-fpm
     4885 web2  20  0  539272  64700  50216 S  13.0  1.6  0:17.83 php5-fpm
     4894 web2  20  0  539460  64892  50216 S  12.3  1.6  0:11.02 php5-fpm
     4912 web2  20  0  539240  64668  50216 S  11.6  1.6  0:01.24 php5-fpm
     4088 mysql  20  0 1348228  81204  10980 S  1.3  2.0  0:04.33 mysqld
    The site is very low traffic (50 visitors a day), there is almost no traffic on eth0, WordPress is updated to the latest version, and I ran the P3 plugin to determine what is using most resources, but I still can't figure it out. I tried to restart the Apache service and even the whole server.
    Opinions?

    Thank you in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is possible that the site is hacked and it runs a spam bot or similar software now. Check the access.log for unusual activity, e.g. POST requests to files that you wouldn't expect to be accessed by users, scan the website folder for malware and check the mail queue of the server (command: postqueue -p) to ensure that there are not many spam mails in there.
     
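The first two checks in the reply above (unusual POST requests, and which client is hitting which file) can be scripted. The following is an added example, not code from the thread or from ISPConfig: a few POSIX shell/awk helpers run over constructed Apache combined-format log lines. The sample lines are invented for the example; the repeated address is the one reported further down the thread, the other addresses are documentation ranges standing in for ordinary visitors, and the "cache.php" line is a constructed illustration of a POST target nobody should see on a clean site, not something the original poster found.

```sh
#!/bin/sh
# Added example (not from the thread). Constructed sample of Apache combined
# log lines; in practice feed the site's real access.log on stdin instead.
SAMPLE_LOG=$(cat <<'EOF'
163.172.190.132 - - [21/Dec/2016:10:01:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
163.172.190.132 - - [21/Dec/2016:10:01:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
163.172.190.132 - - [21/Dec/2016:10:01:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
163.172.190.132 - - [21/Dec/2016:10:01:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
163.172.190.132 - - [21/Dec/2016:10:01:04 +0100] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2016:10:02:10 +0100] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [21/Dec/2016:10:02:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [21/Dec/2016:10:03:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 356 "-" "wp-android/6.7"
198.51.100.7 - - [21/Dec/2016:10:04:15 +0100] "POST /wp-content/uploads/2016/12/cache.php HTTP/1.1" 200 17 "-" "python-requests/2.12.4"
EOF
)

# In the combined log format field 6 is the quoted method ("POST) and
# field 7 is the request path. Count POSTs per (client, path), most
# frequent first: a 50-visitors-a-day site should have very few.
post_counts() {
    awk '$6 == "\"POST" { n[$1 " " $7]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Client IPs that POSTed to xmlrpc.php more than $1 times. Every such
# request bootstraps WordPress and, for a brute-force client, carries
# password guesses, which is what keeps php5-fpm workers busy.
xmlrpc_abusers() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print ip }' | sort
}

# POSTs to anything other than the files WordPress itself expects to be
# POSTed to. A hit here (a .php file under wp-content/uploads, say) is the
# "file you would not expect users to access" and points at an uploaded
# web shell rather than a brute-force client.
unexpected_posts() {
    awk '$6 == "\"POST" &&
         $7 !~ /^\/(xmlrpc\.php|wp-login\.php|wp-comments-post\.php|wp-cron\.php)(\?|$)/ &&
         $7 !~ /^\/wp-admin\// { print $1, $7 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | post_counts
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_abusers 3
printf '%s\n' "$SAMPLE_LOG" | unexpected_posts
```

Against a real log, run for example `xmlrpc_abusers 20 < access.log`; the threshold is a judgement call, since a phone app posting through XML-RPC a few times a day is normal while hundreds of POSTs a minute from one address are not. The third helper is the one to look at before concluding "not hacked": an xmlrpc.php flood and a planted web shell produce the same top output, and only the POST targets distinguish them.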
  3. Honza

    Honza Member HowtoForge Supporter

    OK, if I do: # tail -n 20 access.log
    I get the following:
    The IP: 163.172.190.132 reverse DNS: 132-190-172-163.rev.cloud.scaleway.com

    The contents of /xmlrpc.php is following:
    Code:
    <?php
    /**
    * XML-RPC protocol support for WordPress
    *
    * @package WordPress
    */
    
    /**
    * Whether this is an XML-RPC Request
    *
    * @var bool
    */
    define('XMLRPC_REQUEST', true);
    
    // Some browser-embedded clients send cookies. We don't want them.
    $_COOKIE = array();
    
    // A bug in PHP < 5.2.2 makes $HTTP_RAW_POST_DATA not set by default,
    // but we can do it ourself.
    if ( !isset( $HTTP_RAW_POST_DATA ) ) {
            $HTTP_RAW_POST_DATA = file_get_contents( 'php://input' );
    }
    
    // fix for mozBlog and other cases where '<?xml' isn't on the very first line
    if ( isset($HTTP_RAW_POST_DATA) )
            $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);
    
    /** Include the bootstrap for setting up WordPress environment */
    include( dirname( __FILE__ ) . '/wp-load.php' );
    
    if ( isset( $_GET['rsd'] ) ) { // http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html
    header('Content-Type: text/xml; charset=' . get_option('blog_charset'), true);
    ?>
    <?php echo '<?xml version="1.0" encoding="'.get_option('blog_charset').'"?'.'>'; ?>
    <rsd version="1.0" xmlns="http://archipelago.phrasewise.com/rsd">
      <service>
        <engineName>WordPress</engineName>
        <engineLink>https://wordpress.org/</engineLink>
        <homePageLink><?php bloginfo_rss('url') ?></homePageLink>
        <apis>
          <api name="WordPress" blogID="1" preferred="true" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
          <api name="Movable Type" blogID="1" preferred="false" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
          <api name="MetaWeblog" blogID="1" preferred="false" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
          <api name="Blogger" blogID="1" preferred="false" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
          <?php
          /**
           * Add additional APIs to the Really Simple Discovery (RSD) endpoint.
           *
           * @link http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html
           *
           * @since 3.5.0
           */
          do_action( 'xmlrpc_rsd_apis' );
          ?>
        </apis>
      </service>
    </rsd>
    <?php
    exit;
    }
    
    include_once(ABSPATH . 'wp-admin/includes/admin.php');
    include_once(ABSPATH . WPINC . '/class-IXR.php');
    include_once(ABSPATH . WPINC . '/class-wp-xmlrpc-server.php');
    
    /**
    * Posts submitted via the XML-RPC interface get that title
    * @name post_default_title
    * @var string
    */
    $post_default_title = "";
    
    /**
    * Filters the class used for handling XML-RPC requests.
    *
    * @since 3.1.0
    *
    * @param string $class The name of the XML-RPC server class.
    */
    $wp_xmlrpc_server_class = apply_filters( 'wp_xmlrpc_server_class', 'wp_xmlrpc_server' );
    $wp_xmlrpc_server = new $wp_xmlrpc_server_class;
    
    // Fire off the request
    $wp_xmlrpc_server->serve_request();
    
    exit;
    
    /**
    * logIO() - Writes logging info to a file.
    *
    * @deprecated 3.4.0 Use error_log()
    * @see error_log()
    *
    * @param string $io Whether input or output
    * @param string $msg Information describing logging reason.
    */
    function logIO( $io, $msg ) {
            _deprecated_function( __FUNCTION__, '3.4.0', 'error_log()' );
            if ( ! empty( $GLOBALS['xmlrpc_logging'] ) )
                    error_log( $io . ' - ' . $msg );
    }
    No obfuscated code - doesn't seem hacked.

    As a temporary workaround I edited .htaccess and added:
    Code:
    Order Deny,Allow
    Deny from 163.172.190.132
    Restarted Apache - service apache2 restart
    And the problem is gone, but what was the root cause? I have the feeling that this was only a workaround.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That was a brute force attack against the WordPress xmlrpc function. If you do not use any apps to post to WordPress, like mobile apps or other software that uses the xmlrpc functions, then it is better to disable it (there are wp plugins for that) or deny access to this file in the .htaccess file.
     
  5. Honza

    Honza Member HowtoForge Supporter

    Thank you till, it worked.

    For others - just place the following inside .htaccess (at the very top):
    Code:
    <Files "xmlrpc.php">
    Order Allow,Deny
    Deny from all
    </Files>
    
    # BEGIN WordPress
     
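The .htaccess block above uses Order/Allow/Deny, which is Apache 2.2 syntax; on Apache 2.4 (what a php5-fpm era Debian/Ubuntu ISPConfig host normally runs) those directives only keep working while mod_access_compat is loaded. The fragment below is an added example, not from the thread or from ISPConfig, and shows the same deny in both syntaxes plus the allow-list variant for the case where one trusted client still needs XML-RPC. The address 203.0.113.10 is a placeholder. It assumes the site's AllowOverride permits these directives (it does with ISPConfig's default AllowOverride All; Order/Deny need Limit, Require needs AuthConfig).

```apache
# Added example, not the thread's own snippet. Put it at the top of the
# site's .htaccess, before "# BEGIN WordPress", and use ONE of the three
# alternatives inside the block.
<Files "xmlrpc.php">
    # 1) Apache 2.2, or 2.4 with mod_access_compat loaded (what the thread used):
    # Order Allow,Deny
    # Deny from all

    # 2) Apache 2.4 native syntax, block everyone:
    Require all denied

    # 3) Apache 2.4, block everyone except one client that legitimately
    #    posts over XML-RPC (203.0.113.10 is a placeholder for that client):
    # Require ip 203.0.113.10
</Files>
```

To see which syntax applies, `apachectl -M | grep access_compat` tells you whether the compat module is loaded on a 2.4 server. Whichever variant you pick, verify it from outside with `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://example.com/xmlrpc.php`, which should print 403 once the rule is active; if it still prints 200, the .htaccess is either not being read (AllowOverride) or the rule sits below a directive that already answered the request. Blocking at the web server is preferable to a plugin for this particular problem because the request is refused before PHP starts, so the brute-force traffic no longer costs a php5-fpm worker at all.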