I recently set up an Ubuntu 18 testing server on a cloud VPS host and installed the latest WordPress. Today I went to log in and the site will not load - I get an error: Error establishing a database connection
I went through some troubleshooting - added a swap file and blocked XML RPC requests in my .htaccess file, but still I cannot get the site to load. Looking at the apache2/access.log file, I noticed the following:
sudo tail -f /var/log/apache2/access.log
127.0.0.1 - - [06/Nov/2019:21:02:31 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
127.0.0.1 - - [06/Nov/2019:21:02:31 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
127.0.0.1 - - [06/Nov/2019:21:02:36 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
127.0.0.1 - - [06/Nov/2019:21:02:37 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
127.0.0.1 - - [06/Nov/2019:21:02:34 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
127.0.0.1 - - [06/Nov/2019:21:02:36 +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"
There are thousands of these requests...also, some POST requests:
127.0.0.1 - - [06/Nov/2019:20:48:19 +0000] "POST /wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250 HTTP/1.1" 200 166 "http://DOMAIN-REDACTED/wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250" "WordPress/5.2.4; http://DOMAIN REDACTED"
Can anyone help me track down the source of these connections? I ran several rootkit scanners on the server and didn't find anything. I've been combing through the web directory looking for anything strange but haven't found anything yet. Googling for code.php is useless. I currently have shut down the Apache service until I can figure out what is up.
PS: This is a test server, I can easily blow it away and create a new one, but I'd really like to do some troubleshooting here and see if I can figure out what the issue is...thanks!
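
A log-triage sketch for the access log quoted above, added here as an example and not part of the original post: it groups requests whose client address is loopback by method, path, protocol, status and user agent, which separates WordPress's own wp-cron calls from the unidentified /code.php traffic. The sample lines are constructed from those in the post; example.test and 203.0.113.7 are placeholders.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Apache "combined" format:
# host ident user [time] "method target proto" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample modelled on the lines quoted in the post.
# example.test and 203.0.113.7 are placeholders.
CRON = "/wp-cron.php?doing_wp_cron=1573073189.0748620033264160156250"
SAMPLE = [
    f'127.0.0.1 - - [06/Nov/2019:21:02:{s} +0000] "GET /code.php HTTP/1.0" 404 23644 "-" "-"'
    for s in ("31", "31", "36", "37", "34", "36")
] + [
    f'127.0.0.1 - - [06/Nov/2019:20:48:19 +0000] "POST {CRON} HTTP/1.1" 200 166 '
    f'"http://example.test{CRON}" "WordPress/5.2.4; http://example.test"',
    '203.0.113.7 - - [06/Nov/2019:21:02:40 +0000] "GET / HTTP/1.1" 500 2700 "-" "curl/7.58.0"',
]


def summarize_loopback(lines):
    """Count loopback-sourced requests per (method, path, proto, status, agent)."""
    per_second = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        try:
            if not ip_address(m["host"]).is_loopback:
                continue  # remote client: the logged address is meaningful
        except ValueError:
            continue  # hostname logged instead of an address
        path = m["target"].split("?", 1)[0]  # drop the per-request query string
        key = (m["method"], path, m["proto"], int(m["status"]), m["agent"])
        per_second[key][m["ts"]] += 1  # timestamps have one-second resolution
    return {
        key: {"count": sum(hits.values()), "peak_per_second": max(hits.values())}
        for key, hits in per_second.items()
    }


if __name__ == "__main__":
    summary = summarize_loopback(SAMPLE)
    for key, stats in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(stats, key)
```

To run it over the real file, pass `open("/var/log/apache2/access.log")` instead of `SAMPLE`. A loopback client address means the connection was opened on the server itself, so the access log alone cannot name the origin and the groups it produces are a starting point for checking local processes and scheduled jobs.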