WordPress XMLRPC Attacks

Fun going down today on the web. My webserver is being hit by multiple IPs attempting to POST data to xmlrpc.php, which comes as part of the WordPress installation and is used in PingBack vulnerability exploits to DDoS other WordPress sites. Thousands of individual IP addresses are attempting to ‘POST /xmlrpc.php HTTP/1.1’.

It’s been happening since around 0400 this morning (GMT).

A quick shell script to gather data from the access log shows 3741 unique IP addresses (and counting) attempting to send the following command to the webserver.

POST /xmlrpc.php HTTP/1.1

The shell script is as follows –

#!/bin/sh
cd /var/log/apache2/
grep "POST /xmlrpc.php HTTP/1.1" access.log | ipsort -au | wc -l
grep "POST /xmlrpc.php HTTP/1.1" access.log | ipsort -au > xmlrpc_attackers.txt
exit 0

Line 3 of the script searches the access log for the relevant request line and counts the matches; line 4 runs the same command but writes the output to a text file instead. The line 4 output is for some forensic investigation later, although it’s possible (probably likely) that a lot of the IP addresses attempting to connect are unwitting members of a botnet. The ipsort command from JimSun’s website filters the output down to unique IP addresses.
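As an added example (not the post’s script), here is a standard-library Python version of the same count that does not depend on ipsort. It is run over constructed log lines in Apache combined format, counts how many times each source IP POSTed to /xmlrpc.php, and sorts the survivors numerically by address. It also matches POSTs sent as HTTP/1.0, which the grep pattern in the script above would silently skip. The sample addresses are from the documentation ranges and the threshold argument is this example’s own addition.

```python
"""Count and rank source IPs POSTing to /xmlrpc.php in an Apache access log.

Added example, not the post's own script: stdlib-only replacement for the
grep | ipsort -au pipeline. SAMPLE_LOG is a constructed sample.
"""
import ipaddress
import re
from collections import Counter

# Apache combined log format: client IP is the first field, the request line
# is the first double-quoted string, followed by the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample: three POSTing hosts, one ordinary GET, one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:04:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2014:04:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2014:04:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Mar/2014:04:03:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:04:03:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2014:04:03:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
198.51.100.200 - - [10/Mar/2014:04:03:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
this line is garbage and is skipped by the parser
"""


def xmlrpc_posters(log_text):
    """Map source IP -> number of POST requests for /xmlrpc.php (any HTTP version)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than crash
        parts = m.group("request").split()
        # Request line is "METHOD PATH VERSION"; ignore any query string on the path.
        if len(parts) >= 2 and parts[0] == "POST" and parts[1].split("?", 1)[0] == "/xmlrpc.php":
            try:
                ip = ipaddress.ip_address(m.group("ip"))
            except ValueError:
                continue  # first field was not an address (e.g. a hostname)
            hits[str(ip)] += 1
    return hits


def _ip_sort_key(text):
    # Sort IPv4 before IPv6, then numerically within each family.
    addr = ipaddress.ip_address(text)
    return (addr.version, addr)


def unique_attackers(log_text, min_requests=1):
    """Unique posting IPs with at least min_requests hits, sorted numerically."""
    hits = xmlrpc_posters(log_text)
    return sorted((ip for ip, n in hits.items() if n >= min_requests), key=_ip_sort_key)


if __name__ == "__main__":
    attackers = unique_attackers(SAMPLE_LOG)
    print(f"{len(attackers)} unique IPs POSTed to /xmlrpc.php")
    for ip, n in xmlrpc_posters(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {ip}")
```

Feeding a real log is a matter of `unique_attackers(open("/var/log/apache2/access.log").read())`; the `min_requests` threshold separates persistent sources from one-off probes when deciding what to block.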

Nothing has managed to get in so far, fortunately.

The POST request contains the following data –

POST /xmlrpc.php HTTP/1.1
Connection: Close
Content-Length: 215
Host: andymillett.co.uk
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>test</value></param>
<param><value>427900</value></param>
</params>
</methodCall>

The contents of the <value></value> elements change with every connecting IP, but everything else remains the same.
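As an added example (not code from the post), the following parses a request body of the shape shown above and classifies the call before it reaches WordPress, which is the kind of check a front-end filter or WAF rule would make. wp.getUsersBlogs takes a username and a password as its two parameters, which is why the values differ per source; pingback.ping is the method behind the pingback abuse mentioned at the top of the post. The watch-list, the labels and the body size limit are this example’s own assumptions, and SAMPLE_BODY is the post’s request re-typed as a constructed sample.

```python
"""Parse a WordPress XML-RPC methodCall body and classify it.

Added example, not the post's code. WATCHLIST and the labels are assumptions
of this example; SAMPLE_BODY is the request from the post, constructed here.
"""
import xml.etree.ElementTree as ET

SAMPLE_BODY = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>test</value></param>
<param><value>427900</value></param>
</params>
</methodCall>"""

MAX_BODY = 64 * 1024  # refuse oversized bodies before handing them to the parser

# Methods that deserve attention when they arrive unsolicited from many sources.
WATCHLIST = {
    "wp.getUsersBlogs": "credential-guessing",  # params are username, password
    "pingback.ping": "pingback-reflection",
}


def parse_method_call(body):
    """Return (method_name, [parameter values as strings]); raise ValueError if not XML-RPC."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from None
    if root.tag != "methodCall":
        raise ValueError("root element is not methodCall")
    name_el = root.find("methodName")
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("missing methodName")
    params = []
    for value in root.findall("./params/param/value"):
        # XML-RPC allows <value><string>x</string></value>; a bare <value>x</value> is a string.
        typed = value[0] if len(value) else None
        text = typed.text if typed is not None else value.text
        params.append((text or "").strip())
    return name_el.text.strip(), params


def classify(body):
    """Classify a request body as malformed, a watch-listed method, or other."""
    try:
        method, params = parse_method_call(body)
    except ValueError as exc:
        return {"method": None, "params": [], "label": "malformed", "reason": str(exc)}
    return {"method": method, "params": params, "label": WATCHLIST.get(method, "other"), "reason": ""}


if __name__ == "__main__":
    print(classify(SAMPLE_BODY))
```

On a server that exposes this endpoint to the internet, swap `xml.etree.ElementTree` for `defusedxml.ElementTree` (same `fromstring` call) so that entity-expansion tricks in a hostile body cannot exhaust the parser; the stdlib parser is used here only so the example runs without extra packages.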
