• One of my WP 3.5 (now WP 3.5.1) sites recently got blocked by host’s automatic ‘anti exploit’ script. I’m still working on what happened exactly, but looking through the logs, I have noticed a LOT of entries like this:

    111.222.333.444 https://www.mysite.com - [30/Apr/2013:00:00:19 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"

    (ip and sitename changed)

    Something like 700,000 of them this month. The bulk of them are from the same IP but, looking back over the logs, there have been other IPs doing similar things (but not to the same volumes as far as I can see).

    The current culprit seems to be some hosted address located somewhere in the USA.

    Mine is a European site, hosted in France.

    I’m wondering if it’s a brute force attack trying to post minimal data to /xmlrpc.php until it gets success, indicating a successful password guess?

    Any ideas as to what this is, and what I should do about it?

    Many thanks

    Charlie King

Viewing 3 replies - 1 through 3 (of 3 total)
  • It’s possible. Do you post via email etc? Do you accept pingbacks? Have you read https://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/

    Thread Starter charleshking

    (@charleshking)

    Thank you esmi.

    I don’t post via email, but I kind of think that it is polite to accept pingbacks. I read that article with interest, and will probably disable xmlrpc at least for a little while.

    Mind you, if I’m mucking around in htaccess, the temptation will be strong to serve back something large and/or distasteful ??

    Cheers

    Charlie

    I am getting this exact same issue. It started for me around January, and I was notified by my host in February. It was pretty damn nuts.

    I even deleted my WordPress folder this week and removed all my PHP tables related to it and it’s still happening. Hundreds of times an hour. This is definitely not happening on my own site. Some service is going haywire or a worm someone wrote is broken.

    82.196.4.228 is the main IP.
    The others are:
    5.135.216.194
    192.81.223.147
    192.81.220.135

    My blog was at planetmew.com/blog/, and my access logs show it trying to hit “/blog//xmlrpc.php”

    Even when it gets THOUSANDS of 404s, it still keeps on going. I’m guessing it saw it in the past and the worm doesn’t know any better.
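An added example, not part of this thread: a small Python script that parses access-log records in the layout quoted in the first post (client IP, site, "-", timestamp, request line, status, bytes, referer, user agent), counts POSTs to xmlrpc.php per client IP, and flags the heavy hitters. It also matches the "/blog//xmlrpc.php" double-slash form from the third post and counts 404 responses, since a client that keeps posting after thousands of 404s is exactly the blind automated behaviour described. The sample lines and IPs below are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread) in the layout the first post quotes:
# <client ip> <site> - [<timestamp>] "<request line>" <status> <bytes> "<referer>" "<user agent>"
SAMPLE_LOG = """\
111.222.333.444 https://www.mysite.com - [30/Apr/2013:00:00:19 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"
111.222.333.444 https://www.mysite.com - [30/Apr/2013:00:00:20 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"
111.222.333.444 https://www.mysite.com - [30/Apr/2013:00:00:21 +0200] "POST /xmlrpc.php HTTP/1.1" 200 463 "-" "-"
10.0.0.5 https://www.mysite.com - [30/Apr/2013:00:00:22 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 404 210 "-" "-"
10.0.0.5 https://www.mysite.com - [30/Apr/2013:00:00:23 +0200] "POST /blog//xmlrpc.php HTTP/1.1" 404 210 "-" "-"
10.0.0.9 https://www.mysite.com - [30/Apr/2013:00:00:24 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not an access-log record
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_xmlrpc_path(path):
    """True for any request to xmlrpc.php, including the '/blog//xmlrpc.php'
    double-slash form seen in the thread; query strings are ignored."""
    path = re.sub(r'/+', '/', path.split('?', 1)[0])
    return path.endswith('/xmlrpc.php')

def xmlrpc_posts_by_ip(log_text):
    """Count POSTs to xmlrpc.php per client IP, broken down by HTTP status."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and is_xmlrpc_path(rec['path']):
            counts[rec['ip']][int(rec['status'])] += 1
    return counts

def flag_ips(log_text, threshold):
    """IPs whose xmlrpc.php POST count reaches the threshold, busiest first.
    404s count too: a client that keeps posting after thousands of 404s is
    exactly the blind, automated behaviour described in the thread."""
    counts = xmlrpc_posts_by_ip(log_text)
    totals = {ip: sum(c.values()) for ip, c in counts.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])
```

Run `flag_ips(open('access.log').read(), threshold=1000)` against a real log to get the candidate IPs to block or rate-limit; the per-status breakdown from `xmlrpc_posts_by_ip` shows whether the requests are succeeding (200) or hitting a dead path (404).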

  • The topic ‘Weird host log entries. Possible attack?’ is closed to new replies.