xmlrpc questions - Page 1

Sulli

Asked: 2019-02-04 03:56:12 +0800 CST

How to block xmlrpc.php POST requests

2

I noticed my apache server was down today, and going to my hosting dashboard I see a spike in disk throughput and IOPS. At the same time, my log is full of these lines:

108.162.215.47 - - [03/Feb/2019:06:25:01 +0100] "POST /xmlrpc.php HTTP/1.1" 403 426 "-" "python-requests/2.21.0"
108.162.215.47 - - [03/Feb/2019:06:25:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 426 "-" "python-requests/2.21.0"
108.162.215.47 - - [03/Feb/2019:06:25:04 +0100] "POST /xmlrpc.php HTTP/1.1" 403 426 "-" "python-requests/2.21.0"
172.69.33.204 - - [03/Feb/2019:06:25:04 +0100] "POST /xmlrpc.php HTTP/1.1" 403 2471 "-" "python-requests/2.21.0"

xmlrpc.php is a file used by Wordpress to communicate with a remote server. It is known to be the source of many attacks and it's often recommended to block access to it (see https://www.hostinger.com/tutorials/xmlrpc-wordpress for instance)

So am I right that these xmlrpc attacks can be the cause of the disk throughput spike, even though I don't see any CPU spike at the same time?
The log shows that these requests have been blocked (403), so why would my apache server go down?
What should I do so that this does not happen again in the future? I have fail2ban installed on my server but maybe I need a special configuration for xmlrpc (I'm still a noob regarding server administration)

Gus

Asked: 2017-03-15 05:36:56 +0800 CST

Fail 2 ban seems to block ip but requests still get through

2

I have a rule for blocking excessive calls to wordpress xml-rpc:

Filter:

failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Jail:

enabled  = true
port     = http,https
filter   = php-xmlrpc
logpath  = /var/log/httpd/access_log
maxretry = 6
bantime  = 3600
action   = iptables[name=PHP_XMLRPC, port=http, protocol=tcp]

This seems to be working because I got the following iptables rule during a recent xml-rpc spamming attack:

Chain INPUT (policy ACCEPT)
target               prot opt source               destination         
MANUAL_BANS          all  --  0.0.0.0/0            0.0.0.0/0           
fail2ban-PHP_XMLRPC  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain MANUAL_BANS (1 references)
target     prot opt source               destination         
DROP       tcp  --  221.194.47.0/24      0.0.0.0/0           
DROP       tcp  --  121.18.238.0/24      0.0.0.0/0           
DROP       tcp  --  221.194.44.0/24      0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-PHP_XMLRPC (1 references)
target     prot opt source               destination         
REJECT     all  --  191.96.249.54        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  191.96.249.53        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

BUT... somehow my apache server continued to see requests:

191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:32 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:42 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:33 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:45 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

The online manual for fail2ban says bantime is in seconds, but the above looks like they actually implemented milliseconds (i.e. 3.6 seconds, not 60 minutes)? Have I missed something? How else could httpd still see requests?

I am using

Name        : fail2ban
Arch        : noarch
Version     : 0.8.10
Release     : 3.6.amzn1

user568021

Asked: 2016-07-05 22:40:00 +0800 CST

How to properly debug XMLRPC fails

1

I have an Odoo instance runing on Ubuntu server and I want to query the XMLRPC api from a Windows machine in the same subnet. The two can normally communicate and it all works ok, but if I set the client script to run every 5 minutes in Windows Scheduler it starts to experience problems.

socket.error: [Errno 10061] No connection could be made because the target machine actively refused it

If I wait for some short time, disable the Scheduled Task and I don't touch the script it starts working again, but only for a few calls, then the error comes back.

So for some reason the Ubuntu machine is denying if there are too many calls. I just can find out on which level these rules are. I don't use firewall.

root@oddo9:~$ ufw status
Status: inactive 
root@oddo9:~$

Also no iptables

root@oddo9:~$ iptables -L
Chain INPUT (policy ACCEPT) target     prot opt source    
destination

Chain FORWARD (policy ACCEPT) target     prot opt source              
destination

Chain OUTPUT (policy ACCEPT) target     prot opt source               
destination

There's also no output from Odoo, so I have no idea how to debug this problem.

Jack BeNimble

Asked: 2016-04-14 06:29:03 +0800 CST

How to prevent DOS attack on xmlrpc.php

0

We've been having trouble recently with a DOS attack on our main website, which is run using Apache httpd 2.2.9 and Drupal 6.35. The attack is a post to Dupal's xmlrpc.php, which is a known exploit which has been patched in recent versions of Drupal. Because it's an older version, however, the fix for the exploit isn't in our Drupal installation - and won't be because we're migrating to a hosted platform within three months.

I initially tried to counteract the DOS by renaming xmlrpc.php, which returns a 404, but that's still enough to create an apache thread for each post The result is the multiple threads combined consume a lot of memory, so there's still a problem.

So, based on some more googling, I've just modified .htaccess with the following:

<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>

From here on, presumably, there will no longer be an httpd thread created for each call.

Is this sufficient, do you think? I could go one step further by enabling the capability to track traffic on the VPC and find and block the originating IP address/es, but I don't know if that will be effective, because thee attacks may be coming from a bunch of hijacked systems. Although I am curious to find out. Any thoughts?

Lily Chavez

Asked: 2012-07-17 11:04:39 +0800 CST

XenCenter can't connect to server; missing methodResponse element

1

I'm trying to connect to the server (which I can ping successfully) in XenCenter but I keep getting an error that states "Response XML not valid XML-RPC - missing methodResponse element" . I tried looking up the error, but all I figured out is that I should check the file that the parts <methodResponse> .... </methodResponse> is at/ should be at. I'm really not sure where to look for that file though. I'm using Xencenter in Windows 7 if that helps.

Thanks!

How to block xmlrpc.php POST requests

Fail 2 ban seems to block ip but requests still get through

How to properly debug XMLRPC fails

How to prevent DOS attack on xmlrpc.php

XenCenter can't connect to server; missing methodResponse element

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Questions[xmlrpc](server)