• My site began to be targeted with requests that shut down my site due to CPU and memory use at 100%. Looking at the error log, there were frequent errors with All-in-One Event Calendar. I uninstalled it, and yet my site is continuing to be bombarded with multiple attempts a second to the /calendar file directory. Examples of the connection requests that are shutting down my site are:

    159.138.154.40 – – [26/Sep/2019:23:35:08 -0400] “GET /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&ai1ec_cat_ids=44&ai1ec_tag_ids=54,82,185,269&xml=true HTTP/1.1” 301 396 “” “Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0”
    159.138.154.247 – – [26/Sep/2019:23:35:10 -0400] “GET /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&ai1ec_cat_ids=44&ai1ec_tag_ids=81,287,162,196 HTTP/1.1” 301 384 “” “Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0”
    159.138.152.103 – – [26/Sep/2019:23:35:11 -0400] “GET /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&ai1ec_cat_ids=53&ai1ec_tag_ids=60,40&xml=true HTTP/1.1” 301 388 “” “Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0”

    Does anyone have any thoughts on the situation? I really liked All-in-one event calendar, and I am sad to have had to uninstall it, perplexed why our site is being targeted even though it is uninstalled, and also perplexed how such requests are shutting down my site.

Viewing 12 replies - 1 through 12 (of 12 total)
  • I’m in the same situation. Calendar URLs are getting absolutely hammered by bad bots from China and Singapore (that ignore robots.txt).

    I’ve blocked User-agents, IP ranges, etc…with Wordfence and .htaccess and the server is still suffering badly.

    159.138.155.25 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1562558400/cat_ids%7E23/tag_ids%7E284,61,310,146/request_format%7Ehtml/ HTTP/1.0” 403 859
    159.138.154.104 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1567396800/cat_ids%7E23/tag_ids%7E280,227,114,197,199/request_format%7Ehtml HTTP/1.0” 403 859
    119.179.42.178 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1562558400/cat_ids%7E27/tag_ids%7E94,147,29,89,215/request_format%7Ehtml/ HTTP/1.0” 301 523
    159.138.128.246 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1562558400/cat_ids%7E23,24/tag_ids%7E47,139,112,228/request_format%7Ehtml/ HTTP/1.0” 403 859
    159.138.152.95 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action~agenda/time_limit~1562558400/tag_ids~307,221,298,250,263,260,283/request_format~html/ HTTP/1.0” 403 859
    159.138.157.35 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1562558400/tag_ids%7E307,36,133,314,31,177,264/request_format%7Ehtml/ HTTP/1.0” 301 521
    159.138.150.255 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1562558400/tag_ids%7E307,196,187,198,147,315/request_format%7Ehtml/ HTTP/1.0” 301 519
    159.138.155.229 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action~oneday/exact_date~1568174400/tag_ids~284,135,296,242/request_format~html/ HTTP/1.0” 403 859
    159.138.158.84 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action%7Eagenda/time_limit%7E1562558400/cat_ids%7E23,285/tag_ids%7E206,178,253,281/request_format%7Ehtml/ HTTP/1.0” 403 859
    159.138.156.170 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action~agenda/time_limit~1562558400/tag_ids~94,111,34,220,217,226,238/request_format~html/ HTTP/1.0” 403 859
    159.138.154.63 – – [01/Oct/2019:17:11:35 +0000] “GET /calendar/action~agenda/time_limit~1562558400/cat_ids~50/tag_ids~307,268,202,257,61/request_format~html/ HTTP/1.0” 403 859

    Thread Starter kemoen

    (@kemoen)

    It seems like the problem started about 3 to 4 weeks ago after the last update. The strangest thing is that even after I uninstalled the All-in-one plugin, the problem continues with thousands of hits on the non-existent /calendar directory, and that is enough to shut down the site. The solution we came up with was to create an empty calendar folder and then protect the directory with an Apache login page. CPU usage dropped immediately from 100% shut down level to 20-50%.

    We’re having the same issue. We blocked access to the plugin via htaccess which stopped the resource usage error, but now we don’t have a calendar.

    Any ideas for a fix?

    @elliottbenzle still no real fix for me. The following in my .htaccess is helping with server load, but I’d prefer to have a real fix from time.ly

    # Apache 2.4 authorization: allow everyone except these address prefixes
    <RequireAll>
    Require all granted
    Require not ip 159.138
    Require not ip 117.78
    Require not ip 114.215
    Require not ip 188.166
    Require not ip 193.106
    </RequireAll>

    # Tag requests whose User-Agent contains any of these strings (case-insensitive)
    BrowserMatchNoCase "LieBaoFast" bad_bot
    BrowserMatchNoCase "Mb2345Browser" bad_bot
    BrowserMatchNoCase "zh-CN" bad_bot
    BrowserMatchNoCase "MicroMessenger" bad_bot
    BrowserMatchNoCase "zh_CN" bad_bot
    BrowserMatchNoCase "Kinza" bad_bot
    BrowserMatchNoCase "Bytespider" bad_bot
    BrowserMatchNoCase "Baiduspider" bad_bot
    BrowserMatchNoCase "Sogou" bad_bot
    BrowserMatchNoCase "undefined" bad_bot
    # Apache 2.2-style directive; on Apache 2.4 it needs mod_access_compat
    Deny from env=bad_bot

    # mod_rewrite fallback: return 403 for the same User-Agent tokens
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^.*(Mb2345Browser|LieBaoFast|zh-CN|MicroMessenger|zh_CN|Kinza|Bytespider|Baiduspider|Sogou).*$ [NC]
    RewriteRule .* - [F,L]

    Thanks for the code.

    I heard back from time.ly and they suggested I purchase a different piece of software from them that does something similar. I don’t think they are concerned about fixing the issue.

    Will update here if I come up with anything.

    elliottbenzle

    (@elliottbenzle)

    Hi all. I’ve made some progress with this and our calendar has been live for a few hours without taking the site offline. My solution was:

    – Install Sucuri Firewall
    – Add Geo blocking
    – Under ‘Block User-Agent’ I added:
    SQWatcher/201906
    SQWatcher
    – Blocked all crawlers to the calendar directory through robots.txt

    So far this has done the trick. If there are other crawlers that ignore robots.txt those will likely need to be blocked as well. walkingpaper above had some in his list that would be useful to add as well.

    linkup

    (@linkup)

    Thought I wrote a reply here but it is gone? Thanks to Elliott for the solution but my free sites can’t afford $200/yr/site.

    I can implement the .htaccess commands and I can block CN and SG through CSF. I looked at Wordfence which is half the price to see if I was able to do something with their free version, but didn’t find what I think I need there.

    Thanks again!

    Same problem here. Looking for a solution now.. ??

    This is getting bad. I just found this post, so I will try @walkingpaper’s code.

    What is it that these bots want in the calendar??

    They keep taking my site offline and causing database disconnects.

    There’s nothing timely can do?

    I stopped using this calendar because of this. Does anyone know if it has been fixed so I can use it again?

    Darn, I came back here in hopes a solution had been discovered. Wasn’t someone in actual discussion with Timely? I have two sites that depended on this product so in effect are down due to a lack of updates.

    Not sure if there’s been a fix from Timely for this.

    I haven’t had any server load issues from these bots since I implemented the above .htaccess rules ~ 9 months ago.

    Wordfence reports that the last time those User Agents accessed the site was in October 2019, which tracks with that.
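
Log triage for the traffic pattern discussed in this thread, added here as an example and not code from any poster or from the plugin: it picks out the two calendar request shapes shown in the posted log lines (including the `%7E`-encoded form), counts them per /16 prefix and per user agent, and builds candidate `Require not ip` lines in the form used above. The function name `summarize`, the `min_hits` threshold and the final benign sample line are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Sample lines adapted from the excerpts posted in the thread (straight quotes,
# user agent and query shortened); the last line is a constructed benign request.
SAMPLE_LOG = '''\
159.138.154.40 - - [26/Sep/2019:23:35:08 -0400] "GET /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&ai1ec_cat_ids=44&xml=true HTTP/1.1" 301 396 "" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33) Mb2345Browser/9.0"
159.138.154.247 - - [26/Sep/2019:23:35:10 -0400] "GET /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&ai1ec_cat_ids=44 HTTP/1.1" 301 384 "" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33) Mb2345Browser/9.0"
159.138.155.25 - - [01/Oct/2019:17:11:35 +0000] "GET /calendar/action%7Eagenda/time_limit%7E1562558400/cat_ids%7E23/request_format%7Ehtml/ HTTP/1.0" 403 859
119.179.42.178 - - [01/Oct/2019:17:11:35 +0000] "GET /calendar/action%7Eagenda/time_limit%7E1562558400/cat_ids%7E27/request_format%7Ehtml/ HTTP/1.0" 301 523
159.138.152.95 - - [01/Oct/2019:17:11:35 +0000] "GET /calendar/action~agenda/time_limit~1562558400/tag_ids~307,221/request_format~html/ HTTP/1.0" 403 859
203.0.113.7 - - [01/Oct/2019:17:11:36 +0000] "GET /about/ HTTP/1.1" 200 5120 "" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# Common/combined log format; the referrer and user-agent fields are optional.
LINE_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?')

# The two request shapes seen in the thread, matched after decoding %7E to "~".
CALENDAR_RE = re.compile(
    r'plugin=all-in-one-event-calendar|^/calendar/action~', re.I)

def summarize(log_text, min_hits=2):
    """Count calendar hits per /16 and per user agent; return (prefixes, agents, rules)."""
    prefixes, agents = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CALENDAR_RE.search(unquote(m['url'])):
            continue  # unparseable line or not a calendar request
        prefixes['.'.join(m['ip'].split('.')[:2])] += 1
        agents[m['ua'] or '(not logged)'] += 1
    # Candidate .htaccess lines in the partial-IP form used in the thread.
    rules = [f'Require not ip {p}' for p, n in prefixes.most_common() if n >= min_hits]
    return prefixes, agents, rules

if __name__ == '__main__':
    prefixes, agents, rules = summarize(SAMPLE_LOG)
    print(prefixes.most_common(), agents.most_common(), *rules, sep='\n')
```

A two-octet prefix covers 65,536 addresses, so check who owns each one before pasting a generated rule into `.htaccess`.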

  • The topic ‘Resource Limit Reached error due to targetted attacks’ is closed to new replies.