apache error log
tail /var/log/apache2/error.log
mysql error log
tail /var/log/mysql/error.log
user authentications, including possible attacks
tail /var/log/auth.log
look up where an IP address is coming from
geoiplookup THE.IP.ADD.RE.SS
check existing iptables filters
iptables -L
use iptables to filter IP addresses
iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP
remove comments from a wordpress site
mysql>USE database; mysql>DELETE FROM wp_comments WHERE comment_approved = '0';
mysql running out of memory in minutes http://brunzino.github.io/blog/2016/05/21/solution-how-to-debug-intermittent-error-establishing-database-connection/ https://www.linode.com/docs/websites/apache-tips-and-tricks/tuning-your-apache-server
added the following lines
#trying to fix mysql memory leak, which is possibly linked to an attack ? <files xmlrpc.php> order allow,deny deny from all </files>
to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress, to block possible xmlrpc attack. In /etc/apache2/access.log grep for this
POST /xmlrpc.php HTTP/1.1
installed lynx and added the following lines:
<Location /server-status> SetHandler server-status Order Deny,Allow Deny from all Allow from localhost </Location>
to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress, to enable lynx analytics report, which clearly showed many xmlrpc requests in seconds.
run
lynx http://localhost/server-status
to see statistics
Solved the memory issue by blocking the ip that was sending xmlrpc requests (iptables drop) after geoiplocating it in lithuania
consider also this: http://www.blogtips.org/block-wordpress-brute-force-attacks-via-xmlrpc-php/
also, dataclub.biz domain appears in other brute-force attacks