Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

"Sniff attacks" - xmlrpc.php , horde

Discussion in 'General Discussion' started by GTFO, May 17, 2006.

  1. GTFO

    GTFO Active Member

    Joined:
    Aug 8, 2005
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    156
    I've this problem on a few of my cpanel servers where they are continually being sniffed for exploits from various IP's. They do it enough to cause noticeable load hikes, and we resort to finding their IP's in apache status, and blocking them. When this is occuring, for a long time, they seemed to favor sniffing all the domains in apache on a server looking for xmlrpc.php. Their sniff tacticts have since expanded to "horde3//README" and various other URLs.

    I've read that xmlrpc.php was once an exploitable file on older versions including various renditions of wordpress (which some of our clients use) . Finding the IP's and blocking them in apf temporarily solves the problem, but they do not come from a similar range so we've not found a permanent solution to this.

    Does anyone have any suggestions on how to tackle tihs problem ?
     
    #1 GTFO, May 17, 2006
  2. AndyReed

    AndyReed Well-Known Member PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    4
    Trophy Points:
    193
    Location:
    Minneapolis, MN
    Use Mod Security rule set written for XML. They should block/stop these attacks.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 AndyReed, May 17, 2006
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    If you can give me a sample of what the requests look like I can write a rule for it.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 ramprage, May 18, 2006
  4. GTFO

    GTFO Active Member

    Joined:
    Aug 8, 2005
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    156
    Do you have more information about this? We have Mod security running, yet I am unsure which rule set or perhaps, what variable you are referring too. Can you recommend a place for documentation?
     
    #4 GTFO, May 19, 2006
  5. GTFO

    GTFO Active Member

    Joined:
    Aug 8, 2005
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    156
    I'll grab a few from the next wave and post them.
     
    #5 GTFO, May 19, 2006
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Check out gotroot.com for some great mod_sec rules. Examples that apply here:

    Code:
    #Experimental XML-RPC generic attack sigs
SecFilter "\'\,\'\'\)\)\;"
SecFilter "\<param\>\<name\>.*\'\)\;"

#XML-RPC generic attack sigs
SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate$
SecFilter "methodCall\>"

#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate$

#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)$

#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|c$
     
    #6 mctDarren, May 19, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Sniff attacks xmlrpc
  1. CODE grunt

    AutoSSL inadvertently port sniffing on sub-domains

    CODE grunt, Aug 15, 2017, in forum: Security
    Replies:
    1
    Views:
    403
    cPanelMichael
    Aug 15, 2017
  2. kostianev

    Problems with server attacks on port 80

    kostianev, Dec 4, 2018, in forum: Security
    Replies:
    4
    Views:
    638
    cPanelLauren
    Dec 5, 2018
  3. Ianw5555

    Security Advisor warning about symlink ownership attacks

    Ianw5555, Sep 19, 2018, in forum: Security
    Replies:
    2
    Views:
    158
    cPanelLauren
    Sep 19, 2018
  4. Damlhen

    Increase in perl script attacks

    Damlhen, Jul 29, 2018, in forum: Security
    Replies:
    1
    Views:
    159
    cPanelMichael
    Aug 1, 2018
  5. Lillike

    SOLVED Kernel does not support the prevention of symlink ownership attacks

    Lillike, Jun 20, 2018, in forum: Security
    Replies:
    11
    Views:
    361
    cPanelLauren
    Aug 3, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice