Atomicorp

Posted: **Thu Jul 09, 2015 11:49 am**

Hi,

Seems like my server is subjected to a lot of abusive POST requests to xmlrpc.php:

[05/Jul/2015:13:13:51 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

Google Bot is not the culprit, of course. According to what I found, this seems to be a distributed bruteforce attack. The attacks usually bring Apache to its knees.

ASL does not seem to react to these attacks. Are there any OSSEC rules I should be aware of? Is there any way to make ASL alleviate these attacks?

Thanks much.

Posted: **Thu Jul 09, 2015 12:12 pm**

We use the following in .htaccess on non-ASL machines. Can't say I've seen any attacks causing problems on non-ASL machines, but that doesn't mean they don't happen.

Code: Select all

RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]

Posted: **Thu Jul 09, 2015 12:37 pm**

Would it possible for us to log into the system to see whats going on?

Posted: **Sun Aug 16, 2015 7:47 am**

I just experienced the same on one of our shared servers running ASL. ASL isn't blocking the attacks, server load average was hitting 4 (which isn't much but it was effecting dns for some reason)

For the time being I've disabled access to xmlrpc.php by adding the following to the global apache conf.

Code: Select all

<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>

Would've loved to see ASL blocking these but I'm guessing this kind of attack may fall under legal usage of the file and because of the distributed nature of the attack, ASL doesn't see anything wrong with it.

Atomicorp

xmlrpc.php Wordpress abuse

xmlrpc.php Wordpress abuse

Re: xmlrpc.php Wordpress abuse

Re: xmlrpc.php Wordpress abuse

Re: xmlrpc.php Wordpress abuse