WordPress.org

Forums

Weird host log entries. Possible attack? (4 posts)

  1. charleshking
    Member
    Posted 1 year ago #

    One of my WP 3.5 (now WP 3.5.1) sites recently got blocked by host's automatic 'anti exploit' script. I'm still working on what happened exactly, but looking through the logs, I have noticed a LOT of entries like this:

    111.222.333.444 http://www.mysite.com - [30/Apr/2013:00:00:19 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"

    (ip and sitename changed)

    Something like 700,000 of them this month. The bulk of them are from the same IP but, looking back over the logs, there have been other IPs doing similar things (but not to the same volumes as far as I can see).

    The current culprit seems to be some hosted address located somewhere in the USA.

    Mine is a European site, hosted in France.

    I'm wondering if it's a brute force attack trying to post minimal data to /xmlrpc.php until it gets success, indicating a successful password guess?

    Any ideas as to what this is, and what I should do about it?

    Many thanks

    Charlie King

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    It's possible. Do you post via email etc? Do you accept pingbacks? Have you read http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/

  3. charleshking
    Member
    Posted 1 year ago #

    Thank you esmi.

    I don't post via email, but I kind of think that it is polite to accept pingbacks. I read that article with interest, and will probably disable xmlrpc at least for a little while.

    Mind you, if I'm mucking around in htaccess, the temptation will be strong to serve back something large and/or distasteful :)

    Cheers

    Charlie

  4. TheChrisGlass
    Member
    Posted 1 year ago #

    I am getting this exact same issue. It started for me around January, and I was notified by my host in February. It was pretty damn nuts.

    I even deleted my WordPress folder this week and removed all my PHP tables related to it and it's still happening. Hundreds of times an hour. This is definitely not happening on my own site. Some service is going haywire or a worm someone wrote is broken.

    82.196.4.228 is the main IP.
    The others are:
    5.135.216.194
    192.81.223.147
    192.81.220.135

    My blog was at planetmew.com/blog/, and my access logs show it trying to hit "/blog//xmlrpc.php"

    Even when it gets THOUSANDS of 404s, it still keeps on going. I'm guessing it saw it in the past and the worm doesn't know any better.
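A small detector for the pattern described in the first and last posts, added here as an example and not code from the thread: it parses the host log layout quoted above (client IP, vhost, ident, timestamp, request, status, bytes, referer, user agent), counts POSTs to any path ending in xmlrpc.php per source IP, including variants such as /blog//xmlrpc.php and 404 responses, and flags IPs above a threshold. The sample lines, the documentation IPs, the example.com vhost and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the log layout quoted in the thread:
# client-ip vhost ident [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 30/Apr/2013:00:00:19 +0200

def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def xmlrpc_posts_per_ip(lines):
    """Count POSTs whose path ends in xmlrpc.php (any prefix) per client IP.
    All status codes are counted: the thread notes the traffic continues even
    when the endpoint answers 404."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].rstrip("/").endswith("xmlrpc.php"):
            counts[rec["ip"]] += 1
    return dict(counts)

def flag_floods(lines, threshold):
    """Return IPs whose xmlrpc.php POST count reaches the (assumed) threshold, sorted."""
    return sorted(ip for ip, n in xmlrpc_posts_per_ip(lines).items() if n >= threshold)

# Constructed sample lines (documentation IPs and a placeholder vhost, not taken from the thread).
SAMPLE = [
    '203.0.113.5 http://www.example.com - [30/Apr/2013:00:00:19 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"',
    '203.0.113.5 http://www.example.com - [30/Apr/2013:00:00:20 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"',
    '203.0.113.5 http://www.example.com - [30/Apr/2013:00:00:21 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.9 http://www.example.com - [30/Apr/2013:00:01:02 +0200] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.9 http://www.example.com - [30/Apr/2013:00:01:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in xmlrpc_posts_per_ip(SAMPLE).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php")
    print("flagged:", flag_floods(SAMPLE, threshold=3))
```

Point it at a real access log (one line per entry) and raise the threshold to suit normal pingback volume; a single IP producing hundreds of these per hour is the signature both posters describe.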

Topic Closed