Weird host log entries. Possible attack? (4 posts)

  1. charleshking
    Posted 2 years ago #

    One of my WP 3.5 (now WP 3.5.1) sites recently got blocked by host's automatic 'anti exploit' script. I'm still working on what happened exactly, but looking through the logs, I have noticed a LOT of entries like this:

    111.222.333.444 http://www.mysite.com - [30/Apr/2013:00:00:19 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"

    (ip and sitename changed)

    Something like 700,000 of them this month. The bulk of them are from the same IP but, looking back over the logs, there have been other IPs doing similar things (but not to the same volumes as far as I can see).

    The current culprit seems to be some hosted address located somewhere in the USA.

    Mine is a European site, hosted in France.

    I'm wondering if it's a brute force attack trying to post minimal data to /xmlrpc.php until it gets success, indicating a successful password guess?

    Any ideas as to what this is, and what I should do about it?

    Many thanks

    Charlie King
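    The question above is essentially "which sources are hammering xmlrpc.php, and are they getting 200s or 404s?" The script below is an added example, not code from the thread or from WordPress: it parses lines in the layout shown in the post (client IP, site, `-`, timestamp, request, status, size, referer, user agent), collapses doubled slashes so `/blog//xmlrpc.php` and `/blog/xmlrpc.php` count as the same target, and reports a per-IP breakdown of status codes for POSTs to xmlrpc.php. The log lines, IPs (RFC 5737 documentation ranges) and the `threshold` parameter are constructed for the example; the regex is an assumption about the host's format and will need adjusting for a stock Apache combined log.

```python
import re
from collections import Counter, defaultdict

# Assumed layout, matching the line quoted in the post:
#   IP SITE - [TIMESTAMP] "METHOD PATH PROTO" STATUS SIZE "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<site>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not taken from the thread). One source POSTs to the live
# xmlrpc.php and gets 200s, another keeps POSTing to a removed /blog//xmlrpc.php
# and gets 404s, and a third is ordinary browsing traffic.
SAMPLE_LOG = """\
192.0.2.10 http://www.mysite.com - [30/Apr/2013:00:00:19 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"
192.0.2.10 http://www.mysite.com - [30/Apr/2013:00:00:20 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"
192.0.2.10 http://www.mysite.com - [30/Apr/2013:00:00:21 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"
198.51.100.7 http://www.mysite.com - [30/Apr/2013:00:01:02 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 404 1211 "-" "-"
198.51.100.7 http://www.mysite.com - [30/Apr/2013:00:01:03 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 404 1211 "-" "-"
203.0.113.5 http://www.mysite.com - [30/Apr/2013:00:02:00 +0200] "GET /index.php HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
203.0.113.5 http://www.mysite.com - [30/Apr/2013:00:02:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_path(path):
    """Drop the query string and collapse repeated slashes, so that
    '/blog//xmlrpc.php?x=1' and '/blog/xmlrpc.php' are the same target."""
    path = path.split('?', 1)[0]
    return re.sub(r'/{2,}', '/', path)


def xmlrpc_activity(lines):
    """Per-IP Counter of HTTP status codes for POST requests to any .../xmlrpc.php."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue  # unparseable line or not a POST: not what we are counting
        if normalize_path(rec['path']).endswith('/xmlrpc.php'):
            per_ip[rec['ip']][rec['status']] += 1
    return per_ip


def suspicious_sources(lines, threshold=2):
    """IPs whose xmlrpc.php POST count reaches `threshold` (an assumed cut-off;
    tune it to the site's normal pingback volume), busiest first."""
    ranked = [(ip, sum(c.values())) for ip, c in xmlrpc_activity(lines).items()]
    return sorted((r for r in ranked if r[1] >= threshold), key=lambda r: (-r[1], r[0]))


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for ip, total in suspicious_sources(lines):
        statuses = ', '.join(f'{s}: {n}' for s, n in sorted(xmlrpc_activity(lines)[ip].items()))
        print(f'{ip:<16} {total:>6} POSTs to xmlrpc.php ({statuses})')
```

    On a real log, run it over `sys.stdin` or the log file instead of `SAMPLE_LOG`. A source that only ever receives 404s (as in the fourth post below) is not getting anywhere and is mostly a bandwidth nuisance; a source receiving thousands of 200s with an identical response size is the one worth inspecting, since xmlrpc.php returns 200 both for a successful call and for an XML-RPC fault, so the status alone does not tell you whether a password guess succeeded.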

  2. esmi
    Forum Moderator
    Posted 2 years ago #

    It's possible. Do you post via email etc? Do you accept pingbacks? Have you read http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/

  3. charleshking
    Posted 2 years ago #

    Thank you esmi.

    I don't post via email, but I kind of think that it is polite to accept pingbacks. I read that article with interest, and will probably disable xmlrpc at least for a little while.

    Mind you, if I'm mucking around in htaccess, the temptation will be strong to serve back something large and/or distasteful :)

  4. TheChrisGlass
    Posted 2 years ago #

    I am getting this exact same issue. It started for me around January, and I was notified by my host in February. It was pretty damn nuts.

    I even deleted my WordPress folder this week and removed all my PHP tables related to it and it's still happening. Hundreds of times an hour. This is definitely not happening on my own site. Some service is going haywire or a worm someone wrote is broken. is the main IP.
    The others are:

    My blog was at planetmew.com/blog/, and my access logs show it trying to hit "/blog//xmlrpc.php"

    Even when it gets THOUSANDS of 404s, it still keeps on going. I'm guessing it saw it in the past and the worm doesn't know any better.
