Skip to main content

Multiple requests to xmlrpc.php in WordPress

ww.kr.ua Protection and safety


Today I looked into the access-log of one site for WordPress and found many requests of this kind: 

  1.234.83.77 - - [05 / Sep / 2014: 12: 07: 01 +0600] "POST /xmlrpc.php HTTP / 1.1" 200 441 "-" "Mozilla / 4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) "
 1.234.83.77 - - [05 / Sep / 2014: 12: 07: 01 +0600] "POST /xmlrpc.php HTTP / 1.1" 200 441 "-" "Mozilla / 4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) "
 1.234.83.77 - - [05 / Sep / 2014: 12: 07: 02 +0600] "POST /xmlrpc.php HTTP / 1.1" 200 441 "-" "Mozilla / 4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) "
 1.234.83.77 - - [05 / Sep / 2014: 12: 07: 02 +0600] "POST /xmlrpc.php HTTP / 1.1" 200 441 "-" "Mozilla / 4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) "

Judging by the results of Google, there is some kind of exploit related to this file - xmlrpc.php. In one article in English it was said, as I understood, relying on my poor knowledge of the given language :), about the possibility of organizing the password selection. True, so far I have not noticed the consequences, but it is better to take action in advance. :)



Previously published a note on the protection of the site on Wordpress from brute force . And this option is well suited for today's case.

The only point: you need to adjust the rules in accordance with the request. The article cited an example:

 
  [Definition]
 failregex = <HOST>. * / wp-login.php HTTP / 1.1 "200
       <HOST>. * / Wp-login.php / HTTP / 1.1 "302
      <HOST>. * / Wp-login.php HTTP / 1.0 "200
 ignoreregex =

This list of rules should be modified as follows: 

  [Definition]
 failregex = <HOST>. * / xmlrpc.php HTTP / 1.
 ignoreregex =

Or add a rule from a new line to an existing list. If protection has been configured previously. Then restart fail2ban.

At the same time, any http 1.0 and http 1.1 requests will be searched, with any status code received from the server.




How do you rate the article?
Звёзд: 1Звёзд: 2Звёзд: 3Звёзд: 4Звёзд: 5 ( 1 rating, average: 1.00 out of 5)
Loading...

Add a comment

Your email will not be published.