WordPress protection against XML-RPC attack


XML-RPC attack: Some time ago, monitoring showed increased load on the web server. As usual, I immediately went to check the Nginx web server log for suspicious activity. The activity was noticed immediately: requests to the file xmlrpc.php. I read on the Internet what kind of file it was and decided to forbid access to it, since I do not need it.

A sign of increased interest in your WordPress website is lines like the following in the log file:

178.159.37.114 - - [26/Oct/2017:13:01:22 +0300] "POST //xmlrpc.php HTTP/1.1" 200 16014 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" "-"

As an example, assume the web server is configured as in the article "Setting up the web server nginx, PHP-FPM, php7 on CentOS 7". In that setup there is a rule like this at the end of the list of locations in the nginx config:

location ~ /\.ht {
    deny all;
}

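We change it so that it also blocks the xmlrpc.php file, and move it to the top of the list so that it is the very first location.

# /\.ht is left unanchored so that .htaccess and .htpasswd are still matched;
# xmlrpc.php is matched exactly at the site root, case-insensitively (~*).
location ~* (/\.ht|^/xmlrpc\.php$) {
    return 404;
}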

Reload the nginx config:

# nginx -s reload

Check whether the file xmlrpc.php is still reachable. To do this, first just open the link, in my case https://cmsdaddy.com/xmlrpc.php. That checks the GET request. To check the POST request, enter the following in the browser's address bar:

data:text/html,<form action=https://sprin.cloud/xmlrpc.php method=post><input name=a></form>


In the form that appears, enter any value and press Enter on the keyboard.

Check the log file.

# cat ssl-access.log | grep 77.27.225.139
77.27.225.139 - - [18/Dec/2017:15:35:07 +0300] "GET /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" "1.30"
77.27.225.139 - - [18/Dec/2017:15:41:44 +0300] "POST /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" "1.30"

All right, the web server returns a 404 error. Access to the file xmlrpc.php is now closed; this is the file through which account passwords can be brute-forced, or through which XML-RPC or other vulnerabilities can be probed for.
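The log check above can be automated. The following Python script is an added example, not part of the original article: it summarizes xmlrpc.php requests per client IP from an nginx access log and counts those that were not answered with 404, which would mean the location rule is not taking effect. The sample lines are constructed (modelled on the log lines in this article, with shortened user agents and a documentation address); the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Start of an nginx "combined" log line: client, time, request line, status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)

def is_xmlrpc(uri):
    """True if the path is /xmlrpc.php once normalised roughly the way nginx does it."""
    path = unquote(uri.split("?", 1)[0])   # locations match the decoded path, without args
    path = re.sub(r"/{2,}", "/", path)     # nginx merges repeated slashes by default
    return path.lower() == "/xmlrpc.php"   # the ~* modifier makes the match case-insensitive

def summarize(lines):
    """Per client IP: xmlrpc.php hits, how many were POSTs, how many were not a 404."""
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "unblocked": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_xmlrpc(m["uri"]):
            continue                       # unparsable line or unrelated request
        s = stats[m["ip"]]
        s["hits"] += 1
        s["posts"] += int(m["method"] == "POST")
        s["unblocked"] += int(m["status"] != "404")
    return dict(stats)

# Constructed sample input (not real log data beyond what the article shows).
SAMPLE = [
    '178.159.37.114 - - [26/Oct/2017:13:01:22 +0300] "POST //xmlrpc.php HTTP/1.1" 200 16014 "-" "Mozilla/5.0" "-"',
    '77.27.225.139 - - [18/Dec/2017:15:35:07 +0300] "GET /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0" "1.30"',
    '77.27.225.139 - - [18/Dec/2017:15:41:44 +0300] "POST /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0" "1.30"',
    '203.0.113.7 - - [18/Dec/2017:15:42:00 +0300] "POST /XMLRPC.php?x=1 HTTP/1.1" 404 201 "-" "-" "-"',
    '203.0.113.7 - - [18/Dec/2017:15:42:05 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "-" "-"',
]

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["hits"]):
        flag = "  <-- still reachable" if s["unblocked"] else ""
        print(f'{ip:15} hits={s["hits"]} posts={s["posts"]} non404={s["unblocked"]}{flag}')
```

To run it against a real log, pass an open file object to summarize() instead of SAMPLE.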


CmsDaddy
