How to find a PHP process that generates HTTP requests

bokan

Verified User
Joined
Jul 3, 2011
Messages
19
My server is flooded with wp-login.php queries. They are made from IP 127.0.0.1 to Server.hostname/wp-login.php (which does not even exist).

It looks like there is a malicious PHP file that is brute-forcing from inside.

Here is part of the Server-statuss output:
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 9665 7/262/170790 W 1.42 0 0 17.4 0.30 135.92 X.X.X.X www.xxx.com GET /server-statuss HTTP/1.1
1-0 27470 0/346/166277 _ 1.74 0 0 0.0 0.70 149.30 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
2-0 27378 0/339/161725 _ 2.74 0 0 0.0 0.44 149.71 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
3-0 - 0/0/171586 . 0.32 0 0 0.0 0.00 145.25 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
4-0 10017 0/76/158214 _ 0.43 0 1295 0.0 0.04 135.97 X.X.X.X www.xxx.com GET /wp-login.php HTTP/1.1
5-0 - 0/0/149611 . 10.10 3 0 0.0 0.00 147.40 X.X.X.X shared.domain NULL
6-0 - 0/0/141375 . 0.16 5 0 0.0 0.00 135.72 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
7-0 27380 0/404/144255 _ 2.57 0 0 0.0 0.49 139.80 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
8-0 10135 0/11/121648 _ 0.51 0 0 0.0 0.02 125.41 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
9-0 27381 0/395/129282 _ 1.97 0 0 0.0 0.40 121.80 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
10-0 27382 3/407/117629 K 1.82 0 47 0.0 0.26 106.44 X.X.X.X www.xxx.com GET /fr/sitemap.html HTTP/1.1
11-0 10137 0/18/98164 _ 0.01 0 0 0.0 0.03 91.09 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
12-0 10138 0/10/75175 _ 0.28 0 0 0.0 0.00 77.31 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
13-0 27383 0/406/70228 _ 3.04 0 0 0.0 0.30 68.44 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
14-0 - 0/0/61623 . 0.00 391 0 0.0 0.00 53.73 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
15-0 - 0/0/25722 . 3.89 52 0 0.0 0.00 31.93 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
16-0 - 0/0/35503 . 3.78 6 339 0.0 0.00 39.48 X.X.X.X shared.domain NULL
17-0 - 0/0/19838 . 0.00 392 0 0.0 0.00 18.23 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
18-0 - 0/0/21292 . 0.00 2260 0 0.0 0.00 18.73 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
19-0 - 0/0/11300 . 0.00 2262 0 0.0 0.00 18.79 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
20-0 - 0/0/10211 . 0.00 2265 0 0.0 0.00 16.62 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
21-0 - 0/0/13057 . 0.37 2097 0 0.0 0.00 9.89 X.X.X.X shared.domain NULL
22-0 - 0/0/3771 . 0.30 2226 0 0.0 0.00 7.60 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
23-0 - 0/0/6574 . 1.44 2254 0 0.0 0.00 14.39 127.0.0.1 ***my server hostname*** POST /wp-login.php HTTP/1.0
24-0 - 0/0/5439 . 1.25 2232 148 0.0 0.00 8.50 X.X.X.X shared.domain NULL

How can I find the PHP file behind those requests?
 
I think you'd have to search apache domain logs for unusual activity; perhaps cross-referencing timestamps.

Jeff
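As an added example (not from the original post or from either poster), here is a Python script that does what Jeff suggests, cross-referencing timestamps across the per-domain access logs, and that also parses a mod_status table of the kind pasted above to list the workers currently executing a request for an outside client. Every log line, hostname, IP and path in it is constructed for the example; "cache.php" is a placeholder name, not a real indicator of anything.

```python
"""Two ways to narrow down the sender of a loopback wp-login.php flood.

Added example for this thread. The log lines and status rows below are
constructed sample data, not taken from the original post."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log line: client ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# mod_status row: Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
# The VHost column can contain spaces (the post shows "***my server hostname***"),
# so it is matched lazily and the row is anchored on the request at the end.
STATUS_RE = re.compile(
    r'^(?P<srv>\S+)\s+(?P<pid>\d+|-)\s+\S+\s+(?P<mode>\S)\s+\S+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+'
    r'(?P<client>\S+)\s+(?P<vhost>.+?)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\S+$'
)

# Constructed sample: two vhost logs keyed by hostname (hypothetical names).
SAMPLE_LOGS = {
    "www.example-a.com": """\
203.0.113.7 - - [18/Jun/2012:10:15:03 +0200] "GET /index.php HTTP/1.1" 200 5123
198.51.100.9 - - [18/Jun/2012:10:15:04 +0200] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 81
198.51.100.9 - - [18/Jun/2012:10:15:06 +0200] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 81
203.0.113.7 - - [18/Jun/2012:10:15:20 +0200] "GET /fr/sitemap.html HTTP/1.1" 200 940
""",
    "server.hostname": """\
127.0.0.1 - - [18/Jun/2012:10:15:04 +0200] "POST /wp-login.php HTTP/1.0" 404 287
127.0.0.1 - - [18/Jun/2012:10:15:04 +0200] "POST /wp-login.php HTTP/1.0" 404 287
127.0.0.1 - - [18/Jun/2012:10:15:06 +0200] "POST /wp-login.php HTTP/1.0" 404 287
127.0.0.1 - - [18/Jun/2012:10:15:07 +0200] "POST /wp-login.php HTTP/1.0" 404 287
""",
}

# Constructed sample in the layout of the server-status table above.
SAMPLE_STATUS = """\
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 9665 7/262/170790 W 1.42 0 0 17.4 0.30 135.92 203.0.113.7 www.example-a.com GET /server-status HTTP/1.1
1-0 27470 0/346/166277 _ 1.74 0 0 0.0 0.70 149.30 127.0.0.1 server.hostname POST /wp-login.php HTTP/1.0
2-0 27378 1/339/161725 W 2.74 0 0 0.0 0.44 149.71 198.51.100.9 www.example-a.com POST /wp-content/uploads/cache.php HTTP/1.1
3-0 - 0/0/171586 . 0.32 0 0 0.0 0.00 145.25 127.0.0.1 server.hostname POST /wp-login.php HTTP/1.0
"""


def busy_workers(status_text, skip_loopback=True):
    """Workers in 'W' state with a real PID, i.e. requests executing right now.
    A row for a '_' or '.' slot only shows the last request it served, so it
    cannot be the sender; an outside client's request that stays in 'W' while
    the loopback flood runs is the first candidate."""
    rows = []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m or m.group("mode") != "W" or m.group("pid") == "-":
            continue
        if skip_loopback and m.group("client") == "127.0.0.1":
            continue
        rows.append((int(m.group("pid")), m.group("client"), m.group("vhost"),
                     m.group("method"), m.group("path")))
    return rows


def parse_log(vhost, text):
    """Yield (timestamp, vhost, client_ip, method, path) for each parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, vhost, m.group("ip"), m.group("method"), m.group("path")


def correlate(logs, window_seconds=1):
    """Rank (vhost, client, path) of non-loopback requests by how often one
    lands within window_seconds of a loopback POST to /wp-login.php. The
    script that keeps being hit in step with the flood rises to the top."""
    entries = [e for vhost, text in logs.items() for e in parse_log(vhost, text)]
    flood = [e for e in entries
             if e[2] == "127.0.0.1" and e[3] == "POST" and e[4].startswith("/wp-login.php")]
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for ts, *_ in flood:
        for e_ts, vhost, ip, method, path in entries:
            if ip != "127.0.0.1" and abs(e_ts - ts) <= window:
                hits[(vhost, ip, path)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for pid, client, vhost, method, path in busy_workers(SAMPLE_STATUS):
        print(f"busy worker pid={pid} {client} {vhost} {method} {path} -> inspect /proc/{pid}/cwd")
    for (vhost, ip, path), n in correlate(SAMPLE_LOGS):
        print(f"{n:3d}  {vhost} {ip} {path}")
```

To run it for real, replace SAMPLE_LOGS with the contents of each domain's access log keyed by hostname, and SAMPLE_STATUS with the pasted table (or the output of the server-status page with ?auto appended). A worker that stays in W state for an outside client while the loopback POSTs keep arriving is the likely sender; on Linux, ls -l /proc/<pid>/cwd and /proc/<pid>/fd show the directory and open files of that httpd child. If nothing under Apache is busy, the sender may not be running under Apache at all (a backgrounded php-cli process or a cron job, for instance), in which case ss -tnp or netstat -tnp lists which local process owns the connections to 127.0.0.1:80.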
 