xmlrpc.php Wordpress abuse

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
kontiki
Forum User
Posts: 7
Joined: Sun Mar 23, 2014 6:56 pm
Location: New York

xmlrpc.php Wordpress abuse

Unread post by kontiki »

Hi,

Seems like my server is subjected to a lot of abusive POST requests to xmlrpc.php:

[05/Jul/2015:13:13:51 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

Google Bot is not the culprit, of course. According to what I found, this seems to be a distributed bruteforce attack. The attacks usually bring Apache to its knees.

ASL does not seem to react to these attacks. Are there any OSSEC rules I should be aware of? Is there any way to make ASL alleviate these attacks?

Thanks much.
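As an added illustration (not part of the original thread), the following Python script shows how a defender can confirm from the Apache access log that what the poster describes is a brute-force burst against xmlrpc.php: it counts POST requests to that path per source address within a sliding time window, reports how many distinct sources took part (the "distributed" signal), and lists which sources claimed to be Googlebot. The log lines, IP addresses and thresholds are constructed for the example; only the timestamp and request format follow the line quoted above.

```python
"""Flag bursts of POST /xmlrpc.php in Apache combined-format access logs.

The SAMPLE_LOG below is constructed for this example (documentation
addresses, invented timings); it is not a real capture.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2015:13:13:51 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.10 - - [05/Jul/2015:13:13:52 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.10 - - [05/Jul/2015:13:13:53 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [05/Jul/2015:13:13:53 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2015:13:13:54 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jul/2015:13:14:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jul/2015:13:14:05 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.2; http://example.invalid"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def xmlrpc_posts(lines):
    """Keep only parsed records that are POSTs to /xmlrpc.php (query string ignored)."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs
            if r and r["method"] == "POST" and r["path"].split("?")[0] == "/xmlrpc.php"]


def peak_in_window(times, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=60, per_ip_threshold=3):
    """Summarize xmlrpc.php POST activity; thresholds are example values, tune per site."""
    recs = xmlrpc_posts(lines)
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r["time"])
    # A single source exceeding the per-IP threshold inside one window.
    offenders = sorted(ip for ip, ts in by_ip.items()
                       if peak_in_window(ts, window_seconds) >= per_ip_threshold)
    # A User-Agent claiming Googlebot is only a claim; Google's published check is a
    # reverse-then-forward DNS lookup, which this offline script deliberately does not do.
    googlebot_claims = Counter(r["ip"] for r in recs if "Googlebot" in r["agent"])
    return {
        "total_posts": len(recs),
        "distinct_sources": len(by_ip),           # many sources + high rate = distributed
        "peak_posts_per_window": peak_in_window([r["time"] for r in recs], window_seconds),
        "offenders": offenders,
        "googlebot_claims": dict(googlebot_claims),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it against a real log with `analyze(open("/var/log/httpd/access_log").read().splitlines())`; a high `peak_posts_per_window` spread over many `distinct_sources` with few individual `offenders` is exactly the pattern that per-IP rate limiting misses, which is why the replies below fall back to blocking the file outright.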
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: xmlrpc.php Wordpress abuse

Unread post by faris »

We use the following in .htaccess on non-ASL machines. Can't say I've seen any attacks causing problems on non-ASL machines, but that doesn't mean they don't happen.

# .htaccess: mod_rewrite must be enabled for the rule below to take effect
RewriteEngine On
# Redirect any request for xmlrpc.php to an unroutable address
RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: xmlrpc.php Wordpress abuse

Unread post by mikeshinn »

Would it be possible for us to log into the system to see what's going on?
imadsani
Forum Regular
Posts: 112
Joined: Mon Sep 16, 2013 10:10 am
Location: Lahore

Re: xmlrpc.php Wordpress abuse

Unread post by imadsani »

I just experienced the same on one of our shared servers running ASL. ASL isn't blocking the attacks; server load average was hitting 4 (which isn't much, but it was affecting DNS for some reason).

For the time being I've disabled access to xmlrpc.php by adding the following to the global apache conf.

# Global Apache config: refuse every request for xmlrpc.php
# (Apache 2.2 access-control syntax)
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
Would've loved to see ASL blocking these but I'm guessing this kind of attack may fall under legal usage of the file and because of the distributed nature of the attack, ASL doesn't see anything wrong with it.