XML-RPC attack: Some time ago monitoring showed increased load on the webserver. As usual, I went straight to the Nginx access log to look for suspicious activity, and the cause was obvious at once: a flood of requests to the file xmlrpc.php. I read up on what this file is for and decided to block access to it, since I do not need it.

A sign of unwanted interest in your WordPress site is lines like the following in the access log:

178.159.37.114 - - [26/Oct/2017:13:01:22 +0300] "POST //xmlrpc.php HTTP/1.1" 200 16014 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" "-"

For this example, assume the webserver is configured as described in the article on setting up the nginx webserver, PHP-fpm and php7 on CentOS 7. At the end of the list of locations there is a rule like this:

location ~ /\.ht {
    deny all;
}

We replace it with a rule that also blocks xmlrpc.php and move it to the very first position in the list of locations (note that the regex keeps the unanchored /\.ht part, so .htaccess and .htpasswd files at any depth stay blocked, while xmlrpc.php is only matched at the site root):

# Block .ht* files anywhere and xmlrpc.php at the site root
location ~* (/\.ht|^/xmlrpc\.php$) {
    return 404;
}

Reload the nginx configuration:

# nginx -s reload

Now check whether xmlrpc.php is really unreachable. First simply open the file in the browser, in my case https://cmsdaddy.com/xmlrpc.php. That covers the GET request. To check a POST request, enter the following data: URL in the browser's address bar:

data:text/html,<form action=https://sprin.cloud/xmlrpc.php method=post><input name=a></form>

[Image: Xmlrpc]

In the form that appears, enter any value and press Enter on the keyboard.

Check the log file.

# cat ssl-access.log | grep 77.27.225.139
77.27.225.139 - - [18/Dec/2017:15:35:07 +0300] "GET /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" "1.30"
77.27.225.139 - - [18/Dec/2017:15:41:44 +0300] "POST /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" "1.30"

All right, the webserver answers both requests with a 404. Access to xmlrpc.php, which attackers use to brute-force account passwords or to probe for XML-RPC and other vulnerabilities, is now closed.
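The manual check above (open the URL, submit a form, grep the log) can be scripted. The following POSIX shell script is an added example and is not part of the original post: it summarises POST requests to xmlrpc.php per client IP from an nginx access log in the default "combined" format (the format the log lines above are in), reports whether every xmlrpc.php request was answered with 404, and, for a live site, checks GET and POST with curl. The sample log lines are constructed for the example and use the documentation address range 203.0.113.0/24; the function names and the URL in the final call are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes the nginx "combined" log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
# With default whitespace splitting in awk that gives: $1 = client IP, $6 = "METHOD (with the
# opening quote), $7 = request path, $9 = status code.

# Constructed sample log lines (not real traffic); the double slash on line 2 mirrors what
# scanners often send and what the log in the post shows.
SAMPLE_LOG='203.0.113.10 - - [18/Dec/2017:15:35:07 +0300] "POST /xmlrpc.php HTTP/1.1" 200 16014 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2017:15:35:08 +0300] "POST //xmlrpc.php HTTP/1.1" 200 16014 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2017:15:35:09 +0300] "POST /xmlrpc.php HTTP/1.1" 200 16014 "-" "Mozilla/5.0"
203.0.113.20 - - [18/Dec/2017:15:36:00 +0300] "GET /xmlrpc.php HTTP/1.1" 200 201 "-" "Mozilla/5.0"
203.0.113.30 - - [18/Dec/2017:15:37:00 +0300] "POST /xmlrpc.php HTTP/2.0" 404 201 "-" "Mozilla/5.0"
203.0.113.40 - - [18/Dec/2017:15:38:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Reads an access log on stdin and prints "<count> <ip>" for every client that POSTed to
# xmlrpc.php, busiest client first. A single IP with many POSTs is the usual sign of a
# password-guessing run through XML-RPC.
xmlrpc_post_counts() {
    awk '$6 == "\"POST" && $7 ~ /^\/+xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Reads an access log on stdin and returns 0 only if every request for xmlrpc.php
# (GET or POST, with or without a doubled slash) was answered with 404, i.e. the
# nginx rule is effective for all of them.
xmlrpc_all_blocked() {
    awk '$7 ~ /^\/+xmlrpc\.php/ && $9 != 404 { bad++ }
         END { exit (bad > 0 ? 1 : 0) }'
}

# Live check (needs network): send a GET and a POST to the given URL and succeed
# only if both come back as 404. Replaces the data: URL form trick from the post.
verify_block() {
    url=$1
    get=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    post=$(curl -s -o /dev/null -w '%{http_code}' -X POST -d 'a=test' "$url")
    echo "GET=$get POST=$post"
    [ "$get" = 404 ] && [ "$post" = 404 ]
}

# Stand-alone run over the constructed sample: show the top talkers and the verdict.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_post_counts
if printf '%s\n' "$SAMPLE_LOG" | xmlrpc_all_blocked; then
    echo "all xmlrpc.php requests were blocked"
else
    echo "some xmlrpc.php requests still got through (status other than 404)"
fi
# On a real server, after "nginx -s reload":
#   verify_block https://example.invalid/xmlrpc.php   # placeholder host, replace with your site
```

Run the counting function against the real log with `xmlrpc_post_counts < /var/log/nginx/ssl-access.log`; on the sample above it reports 203.0.113.10 with three POSTs first, and the verdict is "still got through" because four of the five xmlrpc.php requests were answered with 200 before the rule was in place.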
