All the attacker does is send simple HTTPS POST requests to /admin, without any query strings, on average 5 requests per second. The raw access log typically contains entries like these:
....
xxx.xxx.xxx.xxx - - [27/Sep/2021:16:51:14 +0100] "POST /admin/ HTTP/1.1" 200 4016 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
....
We are now repelling these malicious requests with 0-byte responses and status 403 Forbidden, using this script at the beginning of admin/index.php:
// Legitimate admin panel requests always carry a query string (e.g. the session id);
// the flood consists of bare POSTs to /admin/ with none, so reject those outright.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_GET)) {
        // Empty body, 403 status: nothing for the attacker to consume.
        header('HTTP/1.0 403 Forbidden');
        exit;
    }
}
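To spot the same pattern on the log side before (or alongside) the PHP block, here is an added detection example that is not part of the original post: it parses combined-format access log lines like the one above, keeps only POSTs to /admin with no query string, and reports source IPs whose rate of such requests exceeds a threshold. The log lines, the 203.0.113.x/198.51.100.x addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, matching the access log excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def is_suspect(entry):
    """POST to /admin or /admin/ with no query string: the flood pattern from the post."""
    path, _, query = entry["target"].partition("?")
    return entry["method"] == "POST" and path.rstrip("/") == "/admin" and query == ""

def flag_sources(lines, min_rate=2.0):
    """Return {ip: suspect requests per second} for IPs at or above min_rate.
    Log timestamps have 1 s resolution, so the window is (last - first + 1) seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and is_suspect(e):
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        window = (max(times) - min(times)).total_seconds() + 1.0
        rate = len(times) / window
        if rate >= min_rate:
            flagged[ip] = round(rate, 2)
    return flagged

# Constructed sample: 10 bare POSTs from one IP over two seconds (5 req/s, as in the
# post), plus a legitimate admin POST carrying a query string and a GET from another IP.
UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
def _line(ip, ts, req, status="200", size="4016"):
    return f'{ip} - - [{ts}] "{req} HTTP/1.1" {status} {size} "-" "{UA}"'
SAMPLE_LOG = (
    [_line("203.0.113.7", "27/Sep/2021:16:51:14 +0100", "POST /admin/") for _ in range(5)]
    + [_line("203.0.113.7", "27/Sep/2021:16:51:15 +0100", "POST /admin/") for _ in range(5)]
    + [_line("198.51.100.2", "27/Sep/2021:16:51:14 +0100", "POST /admin/?i=main&sid=c0ffee")]
    + [_line("198.51.100.2", "27/Sep/2021:16:51:15 +0100", "GET /admin/")]
)
```

Running `flag_sources(SAMPLE_LOG)` reports only the flooding address at 5.0 req/s; the admin POST with a query string and the GET are not counted.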