Hi,
Seems like my server is subjected to a lot of abusive POST requests to xmlrpc.php:
[05/Jul/2015:13:13:51 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
Google Bot is not the culprit, of course. According to what I found, this seems to be a distributed bruteforce attack. The attacks usually bring Apache to its knees.
ASL does not seem to react to these attacks. Are there any OSSEC rules I should be aware of? Is there any way to make ASL alleviate these attacks?
Thanks much.
xmlrpc.php Wordpress abuse
Re: xmlrpc.php Wordpress abuse
We use the following in .htaccess on non-ASL machines. Can't say I've seen any attacks causing problems on non-ASL machines, but that doesn't mean they don't happen.
Code: Select all
RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: xmlrpc.php Wordpress abuse
Would it possible for us to log into the system to see whats going on?
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: xmlrpc.php Wordpress abuse
I just experienced the same on one of our shared servers running ASL. ASL isn't blocking the attacks, server load average was hitting 4 (which isn't much but it was effecting dns for some reason)
For the time being I've disabled access to xmlrpc.php by adding the following to the global apache conf.
Would've loved to see ASL blocking these but I'm guessing this kind of attack may fall under legal usage of the file and because of the distributed nature of the attack, ASL doesn't see anything wrong with it.
For the time being I've disabled access to xmlrpc.php by adding the following to the global apache conf.
Code: Select all
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>