WordPress :: xmlrpc.php Attack!

WordPress is the most targeted CMS nowadays and needs to be updated regularly. Recently I have seen attacks on the WordPress xmlrpc.php endpoint using POST requests, and the attack is large enough to take down or freeze the server.

The output of top or ps aufxw shows most of the PHP processes serving xmlrpc.php requests, and the access log shows the POST flood behind them:

==========
linuxbabu 4414 1.3 0.4 85512 35544 ? R 20:57 0:00 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3876 0.0 0.1 25936 10852 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL
linuxbabu 4413 1.3 0.4 85512 35672 ? R 20:57 0:00 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3877 0.0 0.1 25936 10852 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL
linuxbabu 4418 1.3 0.3 82936 33472 ? R 20:57 0:00 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3878 0.0 0.1 25936 10764 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL
linuxbabu 4381 1.3 0.5 91580 42368 ? R 20:56 0:01 | \_ /usr/bin/php /home/linuxbabu/public_html/wordpress/xmlrpc.php
nobody 3879 0.0 0.1 25936 10768 ? S 20:52 0:00 \_ /usr/local/apache/bin/httpd -k start -DSSL

89.248.168.164 - - [30/Jul/2014:16:51:27 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:03:11 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:03:09 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:06:38 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:09:30 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:16:27 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:16:26 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.174.101 - - [30/Jul/2014:17:35:03 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.168.164 - - [30/Jul/2014:17:37:30 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
==========

The first thing you might think of is deleting xmlrpc.php. Don't: that will generate a 404 error for every request, and each attack request will still be processed by the 404 page, which won't help reduce the load.

Here is a quick way to get the server back under control:

Add the following to .htaccess:

#redirect xmlrpc.php attack to attacking servers
Redirect 301 /xmlrpc.php http://127.0.0.1

You will see a drastic change in load, the load will go back to normal, and you get back your smile 🙂
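To confirm the flood in the access log and check that the redirect is taking effect (a 301 served by Apache instead of a 200 served by PHP), here is an added detection script that is not part of the original post. It parses combined-format log lines, counts POST /xmlrpc.php requests per source IP and per response status, and runs over a few constructed sample lines modelled on the ones above; the threshold of 3 is an assumption for the demo.

```python
"""Spot an xmlrpc.php POST flood in an Apache combined-format access log and
report response statuses, so a 200 -> 301 shift after the .htaccess change is visible."""
import re
from collections import Counter

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_report(lines, threshold=3):
    """Count POST /xmlrpc.php requests per source IP and per HTTP status.

    Returns (offenders, status_counts): offenders maps each IP that sent at least
    `threshold` such requests to its count; status_counts maps status -> count.
    """
    per_ip = Counter()
    per_status = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        per_ip[rec["ip"]] += 1
        per_status[rec["status"]] += 1
    offenders = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return offenders, dict(per_status)


# Constructed sample lines modelled on the post's logs (not a real log file).
SAMPLE = [
    '89.248.168.164 - - [30/Jul/2014:16:51:27 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '89.248.168.164 - - [30/Jul/2014:17:03:09 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '89.248.168.164 - - [30/Jul/2014:17:06:38 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '89.248.174.101 - - [30/Jul/2014:17:09:30 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [30/Jul/2014:17:10:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '115.77.156.171 - - [05/Aug/2014:22:14:30 -0500] "POST /xmlrpc.php HTTP/1.1" 301 224 "-" "-"',
]

if __name__ == "__main__":
    offenders, statuses = xmlrpc_report(SAMPLE)
    print("sources over threshold:", offenders)        # {'89.248.168.164': 3}
    print("xmlrpc.php responses by status:", statuses)  # {'200': 4, '301': 1}
```

Feed it the real log with `xmlrpc_report(open("access_log"))` and, once the redirect is in place, the 301 count should grow while PHP processes for xmlrpc.php disappear from ps.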

5 Replies to “WordPress :: xmlrpc.php Attack!”

    1. This is not a solution but a way to avoid our server being overloaded due to tons of requests. The IP 127.0.0.1 will act as the local IP for the attacking IPs / servers, so it would somewhat act as a reverse attack on the attacking server. Here is the log after modifying the .htaccess:

      115.77.156.171 - - [05/Aug/2014:22:14:30 -0500] "POST /xmlrpc.php HTTP/1.1" 301 224 "-" "-"
      73.32.214.34 - - [05/Aug/2014:22:14:30 -0500] "POST /xmlrpc.php HTTP/1.1" 301 224 "-" "-"
      2.38.65.94 - - [05/Aug/2014:22:14:31 -0500] "POST /xmlrpc.php HTTP/1.1" 301 224 "-" "-"
      98.219.11.73 - - [05/Aug/2014:22:14:31 -0500] "POST /xmlrpc.php HTTP/1.1" 301 224 "-" "-"

  1. Thanks dino for the help.
    I had tried various solutions posted on other websites but none of these worked and as soon as the site was turned back on the attack continued.
    However your solution worked straight away with the added bonus that the attackers are now attacking themselves.
    It seems this attack is still possible with the latest version of WordPress.

    Thanks
    Robin

  2. I think this is a nice trick, and I used it, but why is index.php getting high CPU usage now? The attack is being redirected to their localhost. Does this trick affect our post SEO?
