Mitigation Strategies for a XMLRPC.PHP attack
I haven’t been able to get easy access to a terminal in the last month or so, and I have been pretty flustered when it comes to the performance of this site. If you haven’t noticed, it has been going up and down—more down than up, I suspect, unfortunately, because I don’t check on it every day to reset it if it’s down. But today I was able to get in and poke around a bit in the access logs to see what’s been going on. That’s when I noticed this strange behavior: excessive use of the xmlrpc.php file.
Looking at the Apache log files, I would see entries that looked something like this:
danielgriff.in:80 80.82.78.57 - - [14/Jul/2014:07:02:36 +0000] "POST /xmlrpc.php HTTP/1.0" 500 610 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
And there were many other similar entries. The IP address here points to a rather suspicious location—you can Google it and see how disreputable it actually is. The interesting thing here is what is being asked: "POST /xmlrpc.php HTTP/1.0" 500 610. In case you are wondering, this is a really odd file for anybody to be querying. You can read what xmlrpc.php is used for in its WordPress Codex entry; basically, it allows clients to make changes to their WordPress sites using a method other than the web interface—say, an iPhone app or a desktop application.
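As an added example (not from the original post), here is a small Python script that parses log lines in the format shown above and reports which client IPs are hammering /xmlrpc.php with POST requests; the sample lines and the three-request threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log line with a leading vhost:port field, matching the
# entry shown above. The remaining columns are standard combined-format fields.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def xmlrpc_posters(lines, threshold=3):
    """Count POSTs to /xmlrpc.php per client IP and return the IPs at or above
    threshold as (ip, count) tuples, most active first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on dirty logs
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path == "/xmlrpc.php":
            counts[rec["ip"]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed sample log (the first line mirrors the entry quoted in the post;
# the others are made up to show a burst from one client beside normal traffic).
SAMPLE_LOG = """\
danielgriff.in:80 80.82.78.57 - - [14/Jul/2014:07:02:36 +0000] "POST /xmlrpc.php HTTP/1.0" 500 610 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
danielgriff.in:80 80.82.78.57 - - [14/Jul/2014:07:02:37 +0000] "POST /xmlrpc.php HTTP/1.0" 500 610 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
danielgriff.in:80 80.82.78.57 - - [14/Jul/2014:07:02:38 +0000] "POST /xmlrpc.php HTTP/1.0" 500 610 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
danielgriff.in:80 203.0.113.5 - - [14/Jul/2014:07:03:01 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
danielgriff.in:80 203.0.113.5 - - [14/Jul/2014:07:03:09 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 412 "-" "WordPress/3.9; http://example.com"
this line is garbage and will be skipped
""".splitlines()

if __name__ == "__main__":
    for ip, n in xmlrpc_posters(SAMPLE_LOG):
        print(f"{ip}: {n} POSTs to /xmlrpc.php")
```

Point it at a real access log with `xmlrpc_posters(open("/var/log/apache2/access.log"))` and the IPs it returns are the candidates for the iptables rule in option 3 below.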
Unfortunately, this file can be abused by nasty folks. There is a good summary of how attackers can exploit the pingback function in the XML-RPC library on this Acunetix page. To summarize, they can use it to (1) guess hosts inside the internal network and (2) subsequently port scan those hosts, (3) carry out a DDoS attack, or (4) attack the login credentials of an internal server. If I had to guess, the 3rd option is likely the one that was affecting my site, but that’s a guess.
So, what can one do? I am going to give you a couple of options. I’ll get back to you on the effectiveness of the solutions at a later point in time.
1. Deny access to the file in the Apache .htaccess file (from Vilpponen); the <Files> wrapper scopes the rule to xmlrpc.php alone, otherwise it would lock out the whole directory
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
2. Redirect requests to 0.0.0.0, using the Apache .htaccess file (goldenguineas on the WordPress Support Forums); mod_rewrite must be enabled for this to take effect
RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
3. Block IP addresses, using the following Linux command (Purab Kharat on the WordPress Support Forums)
iptables -A INPUT -s 198.154.62.21 -j DROP
4. Block the user agent making the attack (Tigr on the WordPress Support Forums)
# Block attackers by user agent; mod_rewrite must be enabled
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp.WinHttpRequest.5.*$
RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]
NOTE: Remember, blocking access to xmlrpc.php will block some WordPress features; the biggest one I can see is Jetpack.
Feel free to make further suggestions. Again, I’ll update on what effect this has for me.
UPDATE 7/21/2014: A whole weekend without any down time! This is probably solving all my issues. Score!