Wednesday, October 9, 2024

Join our community of SUBSCRIBERS and be part of the conversation.

To subscribe, simply enter your email address on our website or click the subscribe button below. Don't worry, we respect your privacy and won't spam your inbox. Your information is safe with us.

1,030FollowersFollow
1,000FollowersFollow
30,000FollowersFollow

WordPress protection against XML-RPC attack

XML-RPC attack: Some time ago monitoring showed increased load on the webserver. Traditionally I immediately went to check the log of the Nginx web server for suspicious activity. This activity was immediately noticed as requests to the file xmlrpc.php. I read on the Internet what kind of file it was and decided to forbid access to it since I do not need it.

A sign of increased interest in your website on WordPress will be the following lines in the log file:

178.159.37.114 - - [26 / Oct / 2017: 13: 01: 22 +0300] "POST //xmlrpc.php HTTP / 1.1" 200 16014 "-" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit /537.36 (KHTML, like Gecko) Chrome / 61.0.3163.100 Safari / 537.36 "" - "

For example, we will assume that the webserver is configured for the article – setting up the webserver nginx, PHP-fpm, php7 on CentOS 7. There is such a rule at the end of the enumeration of locations in nginx:

location ~ /\.ht {
 deny all;
 }

We change it by adding the xmlrpc.php file lock and putting it on the list as the very first location.

location ~ * ^ / (\. ht | xmlrpc \ .php) $ {
 return 404;
}

Reread the nginx config:

# nginx -s reload

Check if the file xmlrpc.php actually works. To do this, first just follow the link, in my case such – https://cmsdaddy.com/xmlrpc.php We checked the GET request. To check the POST request, enter the following in the browser’s address bar:

data: text / html, <form action = https: //sprin.cloud/xmlrpc.php method = post> <input name = a> </ form>

Xmlrpc

In the form that appears, enter any value and press Enter on the keyboard.

Check the log file.

# cat ssl-access.log | grep 77.27.225.139
77.27.225.139 - - [18 / Dec / 2017: 15: 35: 07 +0300] "GET /xmlrpc.php HTTP / 2.0" 404 201 "-" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv: 57.0) Gecko / 20100101 Firefox / 57.0 "" 1.30 "
77.27.225.139 - - [18 / Dec / 2017: 15: 41: 44 +0300] "POST /xmlrpc.php HTTP / 2.0" 404 201 "-" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv: 57.0) Gecko / 20100101 Firefox / 57.0 "" 1.30 "

All right, the webserver issues an error 404. Closed access to the file xmlrpc.php, through which you can brute up accounting, or look for XML-RPC or any other vulnerabilities.

CmsDaddy
CmsDaddy
Hello Guys, Here we write about ultimate guides about content management system (CMS) and other software such as WordPress, Joomla, Drupal, Oxwall, Skadate, Prestashop, Magento, CSS, HTML, Linux, CentOS, Ubuntu, Windows, macOS, Android, iOS, iPadOS, etc...
Exit mobile version