> root ~# ps aux | grep btrfs
> ./bash-4.2.5/bash-4.2.5.bash.bash 377 1011 root 2 0 9:32 ? 00:00:00 /usr/lib/btrfs/initroot.sh : No such file or directory
> ./bash-4.2.5/bash-4.2.5.bash.bash 377 1006 root 2 0 9:32 ? 00:00:00 /usr/lib/btrfs/shm_btrfs_show.sh : No such file or directory
> ./bash-4.2.5/bash-4.2.5.bash.bash 377 1006 root 2 0 9:32 ? 00:00:00 /
Yep, the site already uses a caching plugin (w3TotalCache) and it is configured with memcached at the backend. Unfortunately, even with this the site still makes a couple of DB calls with each page load, but nowhere near as many as without the caching. Maybe I'll shove varnish in front of it too for good measure :joy:
Full interaction honeypots based on NAT like this are also detectable if you look at RTT and TTL on packets pre-auth and post-auth.