[wp-trac] [WordPress Trac] #64586: Possible attack detected
WordPress Trac
noreply at wordpress.org
Mon Feb 2 13:50:11 UTC 2026
#64586: Possible attack detected
--------------------------+-----------------------------
Reporter: rkarlsba | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: minor | Keywords:
Focuses: |
--------------------------+-----------------------------
Hi all
A server got DDoSed the other day, memory full, server not doing much and
I found tons of traffic in the nginx log looking like below (anonymised
here). I got the same sort of traffic with slightly varying URLs, mostly
the last two digits before the repeating https:/ (with a single /) and
then on and on. I don't think it did much damage other than DoSing the
server, but with thousands of requests from all over the globe, it did
introduce some stress.
x.x.x.x - - [02/31/2098:03:32:52 +0100] "GET
https://mysrv.my.tld/2099/02/31/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/27https:/myx.x.x.x
- - [02/31/2098:03:32:52 +0100] "GET
https://mysrv.my.tld/2099/02/31/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/30https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/26https:/mysrv.my.tld/2018/05/11/somearticle/30https:/mysrv.my.tld/2018/05/11/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/28https:/mysrv.my.tld/2018/05/11/somearticle/29https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/27https:/mysrv.my.tld/2018/05/11/somearticle/
HTTP/1.0" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0)
Gecko/20100101 Firefox/123.0"
I don't know if this addresses a potential bug in WordPress, either
existing or former, but I thought it interesting enough to report. I
stopped this by adding this to my server{} block in the nginx config and
the problem was reduced to just some log flooding, which I can live with.
    # 444 No Response
    # Used internally to instruct the server to return no information to the
    # client and close the connection immediately.
    if ($request ~ "[0-9]https:/[a-z]") {
        return 444;
    }
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64586>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
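
Added example, not part of the original ticket or of WordPress: a log scan that applies the same expression as the nginx rule above to access-log lines, to show which clients send these requests and how many times the URL repeats in each one. It assumes the nginx "combined" log format; the sample lines, addresses and the names `scan` and `SAMPLE` are constructed for illustration.

```python
import re
from collections import Counter

# Same expression as the nginx `if ($request ~ ...)` rule in the ticket.
PATTERN = re.compile(r"[0-9]https:/[a-z]")

# Assumed nginx "combined" format:
# addr - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (matching requests per client, [(addr, repeats, request_len)])."""
    per_client = Counter()
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line, ignore it
        request = m.group("request")  # equivalent of nginx $request
        repeats = len(PATTERN.findall(request))
        if repeats:
            per_client[m.group("addr")] += 1
            hits.append((m.group("addr"), repeats, len(request)))
    return per_client, hits

# Constructed sample input (documentation address ranges, made-up timestamps).
BASE = "mysrv.my.tld/2018/05/11/somearticle/"
SAMPLE = [
    f'198.51.100.7 - - [02/Feb/2026:03:32:52 +0100] "GET https://{BASE}'
    f'28https:/{BASE}26https:/{BASE} HTTP/1.0" 301 0 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [02/Feb/2026:03:32:53 +0100] "GET https://{BASE}'
    f'27https:/{BASE} HTTP/1.0" 301 0 "-" "Mozilla/5.0"',
    # Ordinary article request: no match.
    '203.0.113.9 - - [02/Feb/2026:03:32:54 +0100] '
    '"GET /2018/05/11/somearticle/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # A well-formed https:// URL in a query string does not match the rule.
    '203.0.113.9 - - [02/Feb/2026:03:32:55 +0100] '
    '"GET /?next=https://mysrv.my.tld/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    clients, hits = scan(SAMPLE)
    for addr, count in clients.most_common():
        print(f"{addr}: {count} matching requests")
    for addr, repeats, length in hits:
        print(f"  {addr} repeats={repeats} request_len={length}")
```

Running it over a real log before enabling the `return 444` rule shows whether any legitimate request would be dropped by the same expression.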