NickTheGreek

Abuse on xmlrpc.php


It has happened many times in the daily usage reports that we see xmlrpc.php as the top cause of load; the reason is analysed here:


https://bobcares.com/blog/xmlrpc-php-causing-high-load-in-server-how-to-recover-and-prevent-this-issue-in-cpanel-plesk-and-directadmin-apache-servers/

"In cPanel, Plesk and DirectAdmin servers that have WordPress websites, high server load is sometimes reported with “xmlrpc.php” showing up as the top CPU hog. xmlrpc.php is a file in WordPress websites used for remote publishing and ping-back tracking. Botnets target this file to initiate brute force attacks to gain control of the targeted website. This causes high load in the server."


along with some solutions for optimising and dealing with the phenomenon:

How to recover from high load

When the server is under high load, your first priority is to restore normalcy. For this, you’ll need to prevent access to xmlrpc.php at the Apache connection level. You can do this by adding the directive below to the Apache configuration file and restarting the server.

# Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied"
<Files ~ "xmlrpc.php">
  Order allow,deny
  Deny from all
</Files>

How to prevent xmlrpc.php abuse

Disabling access to xmlrpc.php is only a temporary solution, as many websites would need it to track blog ping-backs or do remote publishing. So, the solution is to block the attacks based on a common attack signature. Here’s a sample of an xmlrpc.php attack log:

37.203.208.49 - - [21/Jan/2015:15:37:54 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:37:55 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:37:57 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:38:02 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:38:11 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
37.203.208.49 - - [21/Jan/2015:15:38:13 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
37.203.208.49 - - [21/Jan/2015:15:38:18 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861

A valid request will have a referrer field, while the attacks won't usually have a referrer field. So, a firewall rule can be used to block such requests. ModSecurity can come in very handy for this. Add the following to the ModSecurity rule set.


# Block POSTs to xmlrpc.php that carry no Referer header.
# Chained rule: all three SecRules must match before the deny action fires.
SecRule REQUEST_METHOD "@streq POST" "phase:2,deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "chain"
SecRule REQUEST_URI "@rx /xmlrpc\.php"

For dedicated servers with a limited set of WordPress sites, it might be easier and more flexible to install a plugin like "xmlrpc attacks blocker".

https://srd.wordpress.org/plugins/xmlrpc-attacks-blocker/

Edited by NickTheGreek
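The attack signature described above (repeated POSTs to xmlrpc.php with no Referer) turned into detection logic, as an added example that is not part of the original post or the bobcares article: it parses Apache combined-format access log lines, counts matching requests per source IP in a sliding time window, and emits an Apache 2.4 block for the offenders only. The log lines, the documentation-range IPs and hostnames, and the threshold are constructed for the demo; only the attacker IP and timestamps come from the sample log in the post.

```python
"""Flag xmlrpc.php brute-force sources in Apache combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from the original post): the attacker IP hammers
# xmlrpc.php with no Referer, 203.0.113.20 sends one legitimate pingback (also
# no Referer, as XML-RPC clients are not browsers), and a browser session
# with normal Referer headers is mixed in.
SAMPLE_LOG = """\
37.203.208.49 - - [21/Jan/2015:15:37:54 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2015:15:37:55 -0500] "GET /2015/01/hello-world/ HTTP/1.1" 200 18231 "https://www.example.com/" "Mozilla/5.0"
37.203.208.49 - - [21/Jan/2015:15:37:55 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 "-" "Mozilla/5.0"
37.203.208.49 - - [21/Jan/2015:15:37:57 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 "-" "Mozilla/5.0"
203.0.113.20 - - [21/Jan/2015:15:37:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1; https://blog.example.net"
37.203.208.49 - - [21/Jan/2015:15:38:02 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2015:15:38:05 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://www.example.com/2015/01/hello-world/" "Mozilla/5.0"
37.203.208.49 - - [21/Jan/2015:15:38:11 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861 "-" "Mozilla/5.0"
37.203.208.49 - - [21/Jan/2015:15:38:13 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861 "-" "Mozilla/5.0"
37.203.208.49 - - [21/Jan/2015:15:38:18 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["referer"] = "" if rec["referer"] == "-" else rec["referer"]  # "-" means header absent
    return rec


def matches_signature(rec):
    """The signature from the post: a POST to xmlrpc.php carrying no Referer header."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/xmlrpc.php")
            and rec["referer"] == "")


def peak_rate(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_hits} for IPs whose matching POSTs reach `threshold` within `window`.

    Rate-limiting the signature instead of acting on every Referer-less POST
    keeps a single pingback or mobile-app login from being treated as an attack.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and matches_signature(rec):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, ts in hits.items():
        rate = peak_rate(ts, window)
        if rate >= threshold:
            flagged[ip] = rate
    return flagged


def deny_block(ips):
    """Apache 2.4 <Files> block denying only the flagged IPs access to xmlrpc.php."""
    body = "\n".join(f"        Require not ip {ip}" for ip in sorted(ips))
    return ('<Files "xmlrpc.php">\n    <RequireAll>\n        Require all granted\n'
            f"{body}\n    </RequireAll>\n</Files>")


if __name__ == "__main__":
    flagged = flag_sources(SAMPLE_LOG.splitlines())
    for ip, rate in flagged.items():
        print(f"{ip}: {rate} xmlrpc.php POSTs without Referer inside one minute")
    if flagged:
        print(deny_block(flagged))
```

Rate-limiting the signature rather than blocking every Referer-less POST matters in practice: XML-RPC clients are not browsers, so the WordPress mobile apps, Jetpack and pingbacks from other blogs typically send no Referer either, and a rule that keys on the missing header alone blocks them together with the botnet. Run this over your own access log and check which IPs it flags before turning either the ModSecurity rule or the generated <Files> block on.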