Hi,

    About a week ago I noticed odd connections from a local php5-fpm process to a remote server on port 80 and assumed it was related to a web tool I was using making calls back home to check for updates.

    I saw the behavior again today for a different remote site and dug deeper.

    lsof -i -a | grep php5-fpm

    php5-fpm 10945 www-data 10u IPv4 5393385 0t0 TCP atlanta.whyaskwhy.org:36157->vm1345.vps.agava.net:http (ESTABLISHED)
    php5-fpm 14714 www-data 10u IPv4 5457153 0t0 TCP atlanta.whyaskwhy.org:36839->vm1345.vps.agava.net:http (ESTABLISHED)
    php5-fpm 14956 www-data 10u IPv4 5431902 0t0 TCP atlanta.whyaskwhy.org:36554->vm1345.vps.agava.net:http (ESTABLISHED)
    php5-fpm 16393 www-data 10u IPv4 5466306 0t0 TCP atlanta.whyaskwhy.org:37063->vm1345.vps.agava.net:http (ESTABLISHED)
    php5-fpm 18295 www-data 10u IPv4 5569756 0t0 TCP atlanta.whyaskwhy.org:38551->vm1345.vps.agava.net:http (ESTABLISHED)
    php5-fpm 21333 www-data 10u IPv4 5569671 0t0 TCP atlanta.whyaskwhy.org:38550->vm1345.vps.agava.net:http (ESTABLISHED)

    I ended up doing a packet capture using tshark to see what was going on.

    tshark -S 'host 89.108.70.30' -w /tmp/tshark-remote-port-80.dump

    I opened the capture file using Wireshark and used the Follow TCP Stream option to end up with this:

    GET / HTTP/1.0
    Host: https://www.ohrana43.ru
    User-agent: WordPress/4.1; https://www.whyaskwhy.org/blog; verifying pingback from 94.102.52.185
    X-Pingback-Forwarded-For: 94.102.52.185

    HTTP/1.1 403 Forbidden
    Server: nginx/0.7.67
    Date: Tue, 03 Feb 2015 16:39:11 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: close

    Some pertinent details:

    • My blog is hosted at https://www.whyaskwhy.org/blog/ (not used as much these days, but kept patched and all plugins updated)
    • I’m running WordPress 4.1
    • Under Discussion Settings I have the “Attempt to notify any blogs linked to from the article” and “Allow link notifications from other blogs (pingbacks and trackbacks)” options disabled.

    What exactly is happening here? Is my blog proxying pingback requests or is my blog claiming to be the https://www.ohrana43.ru host mentioned in the GET request?

    I turned to Google and saw quite a bit of info from early 2014 where legit blogs were being tricked into attacking other sites. I’ve looked into possible workarounds/solutions to the problem and have seen suggestions ranging from directly modifying core code to remove functions, override functions or installing a plugin to disable XML-RPC.

    I do use the mobile apps (iOS and Android), so I’d prefer to keep functionality enabled to use them, but if necessary I will switch to web-only edits.

    Thanks in advance for your help! If there is any additional information I can provide to troubleshoot this please let me know.

The topic ‘Is my blog being used to abuse other sites?’ is closed to new replies.
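What the capture above shows is WordPress's pingback verification step. A remote party calls the blog's XML-RPC method pingback.ping, claiming that a page on www.ohrana43.ru links to one of the blog's posts; before accepting the pingback, WordPress fetches that claimed source page to check that the link really exists, identifying itself with the "verifying pingback from <ip>" user-agent and the X-Pingback-Forwarded-For header seen in the stream. The caller chooses the source URL, so many blogs' verification fetches can be pointed at one target. The following is an added example, not code from this thread or from WordPress itself: a must-use plugin (assumed path wp-content/mu-plugins/no-pingback.php) that removes only the pingback methods from the XML-RPC dispatch table and stops advertising the endpoint, leaving the rest of XML-RPC available to the iOS and Android apps.

```php
<?php
/*
Plugin Name: Disable pingback.ping but keep XML-RPC
Description: Added example for the forum thread, not code from the thread or
             WordPress core. Install as wp-content/mu-plugins/no-pingback.php
             (path is an assumption; any mu-plugins file name works).
*/

// Remove only the pingback methods from the XML-RPC method table.
// The wp.*, metaWeblog.* and blogger.* methods the mobile apps rely on
// are left untouched, so remote publishing keeps working.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop sending the X-Pingback response header that points scanners at
// xmlrpc.php as a pingback endpoint.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Report every post as closed to pings. The Discussion Settings checkbox only
// changes the default for new posts; this covers posts published earlier
// while link notifications were still allowed.
add_filter( 'pings_open', '__return_false', 20, 2 );
```

After deploying, an XML-RPC call to pingback.ping against xmlrpc.php should come back as an XML-RPC fault saying the requested method does not exist, while the mobile apps still authenticate and publish normally. Themes that hard-code a `<link rel="pingback">` tag in the page head will still print it, which is harmless once the method is gone from the server side.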