NickTheGreek, posted November 15, 2016 (edited)

Many times in daily usage reports we have seen xmlrpc.php show up as the top cause of load. The reason is explained here: https://bobcares.com/blog/xmlrpc-php-causing-high-load-in-server-how-to-recover-and-prevent-this-issue-in-cpanel-plesk-and-directadmin-apache-servers/

"In cPanel, Plesk and DirectAdmin servers that have WordPress websites, high server load is sometimes reported with “xmlrpc.php” showing up as the top CPU hog. xmlrpc.php is a file in WordPress websites used for remote publishing and ping-back tracking. Botnets target this file to initiate brute force attacks to gain control of the targeted website. This causes high load in the server."

as well as some solutions for optimizing and dealing with the problem:

How to recover from high load

When the server is under high load, your first priority is to restore normalcy. For this, you’ll need to prevent access to xmlrpc.php at the Apache connection level. You can do this by adding the below directive to Apache configuration file, and restarting the server.

    <Files ~ "xmlrpc.php">
    Order allow,deny
    Deny from all
    </Files>

How to prevent xmlrpc.php abuse

Disabling access to xmlrpc.php is only a temporary solution as many websites would need it to track blog ping-backs or do remote publishing. So, the solution is to block the attacks based on a common attack signature.
Here’s a sample of xmlrpc.php attack log:

    37.203.208.49 - - [21/Jan/2015:15:37:54 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
    37.203.208.49 - - [21/Jan/2015:15:37:55 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
    37.203.208.49 - - [21/Jan/2015:15:37:57 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
    37.203.208.49 - - [21/Jan/2015:15:38:02 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
    37.203.208.49 - - [21/Jan/2015:15:38:11 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
    37.203.208.49 - - [21/Jan/2015:15:38:13 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
    37.203.208.49 - - [21/Jan/2015:15:38:18 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861

A valid request will have a referrer field, while the attacks won't usually have a referrer field. So, a firewall rule can be used to block such requests. Mod_security can come in very handy for this. Add the following to the mod_security rule set.

    #Block requests to xmlrpc.php with no referring URL
    SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0" "chain"
    SecRule REQUEST_URI "xmlrpc.php"

For dedicated servers with a limited set of WordPress sites, it might be easier and more flexible to install a plugin like “xmlrpc attacks blocker”.

https://srd.wordpress.org/plugins/xmlrpc-attacks-blocker/
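
The signature quoted above (repeated POSTs to xmlrpc.php from one client, with no referer) can be checked for in an access log before deciding what to block. The following is an added example, not part of the original post or the quoted article; it assumes Apache's combined log format, and the function name, the threshold and the 60-second window are hypothetical choices. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined format; the trailing referer/user-agent pair is optional so
# that common-format lines (as in the quoted sample) still parse.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

def find_xmlrpc_floods(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak} for clients that sent at least `threshold`
    referer-less POSTs to xmlrpc.php inside any sliding `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the script name only, ignoring directory and query string.
        if m["uri"].split("?", 1)[0].rsplit("/", 1)[-1] != "xmlrpc.php":
            continue
        if m["referer"] not in (None, "", "-"):
            continue  # a referer is present, so the signature does not match
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Jan/2015:15:37:{s:02d} -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859 "-" "-"'
    for s in (54, 55, 57, 58, 59)
] + [
    '203.0.113.7 - - [21/Jan/2015:15:38:02 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861 "-" "-"',
    '198.51.100.20 - - [21/Jan/2015:15:38:05 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "https://blog.example/wp-admin/" "ExampleClient/1.0"',
    '192.0.2.9 - - [21/Jan/2015:15:38:06 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleClient/1.0"',
    '192.0.2.9 - - [21/Jan/2015:15:50:06 -0500] "GET /index.php HTTP/1.1" 200 1200 "-" "ExampleClient/1.0"',
]

if __name__ == "__main__":
    for ip, count in find_xmlrpc_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} referer-less POSTs to xmlrpc.php within 60s")
```

A log written in common format carries no referer field at all, so every POST to xmlrpc.php in it is counted as referer-less; in that case the rate threshold is the only discriminator.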