WordPress :: xmlrpc.php Attack!

WordPress is the most targeted CMS nowadays and needs to be updated regularly. Recently I have seen attacks on wordpress xmlrpc.php using POST requests and the attack is large enough to take down / freeze the server.

The top or ps aufxw shows most of the xmlrpc.php requests as below :

==========
linuxbabu 4414 1.3 0.4 85512 35544 ? R 20:57 0:00 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3876 0.0 0.1 25936 10852 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL
linuxbabu 4413 1.3 0.4 85512 35672 ? R 20:57 0:00 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3877 0.0 0.1 25936 10852 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL
linuxbabu 4418 1.3 0.3 82936 33472 ? R 20:57 0:00 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3878 0.0 0.1 25936 10764 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL
linuxbabu 4381 1.3 0.5 91580 42368 ? R 20:56 0:01 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3879 0.0 0.1 25936 10768 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL

89.248.168.164 - - [30/Jul/2014:16:51:27 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:03:11 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:03:09 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:06:38 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:09:30 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:16:27 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:16:26 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:35:03 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:37:30 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)
==========

First thing you would think is why not delete xmlrpc.php, NO that will generate 404 error and all attack will process the 404 page that too wont help reduce the load.

Here is a quick way to get control of the server :

Add below to .htaccess :

#redirect xmlrpc.php attack to attacking servers
Redirect 301 /xmlrpc.php http://127.0.0.1

You would see a drastic load change and load back to normal and get back your smile 🙂

Leave a Comment