"Sniff attacks" - xmlrpc.php , horde

Discussion in 'General Discussion' started by GTFO, May 17, 2006.

  1. GTFO

    GTFO Active Member

    Joined:
    Aug 8, 2005
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    I've this problem on a few of my cpanel servers where they are continually being sniffed for exploits from various IPs. They do it enough to cause noticeable load hikes, and we resort to finding their IPs in apache status, and blocking them. When this is occurring, for a long time, they seemed to favor sniffing all the domains in apache on a server looking for xmlrpc.php. Their sniff tactics have since expanded to "horde3//README" and various other URLs.

    I've read that xmlrpc.php was once an exploitable file on older versions including various renditions of wordpress (which some of our clients use). Finding the IPs and blocking them in apf temporarily solves the problem, but they do not come from a similar range so we've not found a permanent solution to this.

    Does anyone have any suggestions on how to tackle this problem?
     
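    The sweep described above (one source walking every vhost on the box for xmlrpc.php and horde README files) can be picked out of the access log automatically instead of by watching apache status. The following is an added example, not code from this thread or from cPanel: it assumes a vhost-prefixed combined log (`%v %h %l %u %t "%r" %>s %b`), uses constructed sample lines, and renders `apf -d` commands for review. Requiring probes across several different vhosts is what keeps a legitimate WordPress client posting to its own site's xmlrpc.php off the list.

```python
import re
from collections import defaultdict

# Constructed sample of a vhost-prefixed Apache combined log (not real traffic):
# one sweep source (203.0.113.5) hitting five vhosts, one ordinary WordPress
# client (198.51.100.7) using its own site's xmlrpc.php, and one unrelated visitor.
SAMPLE_LOG = """\
www.example-a.test 203.0.113.5 - - [17/May/2006:10:00:01 +0000] "GET /xmlrpc.php HTTP/1.0" 404 0
www.example-b.test 203.0.113.5 - - [17/May/2006:10:00:02 +0000] "GET /blog/xmlrpc.php HTTP/1.0" 404 0
www.example-c.test 203.0.113.5 - - [17/May/2006:10:00:02 +0000] "GET /horde3//README HTTP/1.0" 404 0
www.example-d.test 203.0.113.5 - - [17/May/2006:10:00:03 +0000] "GET /horde/README HTTP/1.0" 404 0
www.example-e.test 203.0.113.5 - - [17/May/2006:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.0" 404 0
www.example-a.test 198.51.100.7 - - [17/May/2006:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5123
www.example-a.test 198.51.100.7 - - [17/May/2006:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312
www.example-b.test 192.0.2.9 - - [17/May/2006:10:00:07 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

# Assumed log layout: "%v %h %l %u %t \"%r\" %>s %b" (vhost first, then the combined fields).
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Paths the thread reports being swept for; extend this as new probe targets show up.
PROBE_RE = re.compile(r'(xmlrpc(_services)?\.php|/horde\d*/+README)', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_scanners(log_text, min_vhosts=3, min_probes=3):
    """Return the IPs whose probe requests span at least min_vhosts distinct vhosts
    and number at least min_probes, most active first.

    Counting distinct vhosts is the key: a real XML-RPC client only talks to its
    own site, while a sweep walks every domain on the server."""
    probes = defaultdict(int)
    vhosts = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not PROBE_RE.search(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        vhosts[rec["ip"]].add(rec["vhost"])
    found = [
        {"ip": ip, "probes": n, "vhosts": len(vhosts[ip])}
        for ip, n in probes.items()
        if n >= min_probes and len(vhosts[ip]) >= min_vhosts
    ]
    return sorted(found, key=lambda r: (-r["probes"], r["ip"]))


def deny_commands(scanners):
    """Render APF deny commands for a human to review before running them."""
    return ['apf -d %s "xmlrpc/horde sweep: %d probes on %d vhosts"'
            % (s["ip"], s["probes"], s["vhosts"]) for s in scanners]


if __name__ == "__main__":
    for cmd in deny_commands(find_scanners(SAMPLE_LOG)):
        print(cmd)
```

Run it against the real log with `find_scanners(open("/usr/local/apache/logs/access_log").read())` after adjusting `LINE_RE` to the server's actual LogFormat; the thresholds are deliberately conservative so that a single 404 on one site never earns a block.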
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Use Mod Security rule set written for XML. They should block/stop these attacks.
     
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    If you can give me a sample of what the requests look like I can write a rule for it.
     
  4. GTFO

    GTFO Active Member

    Joined:
    Aug 8, 2005
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Do you have more information about this? We have Mod security running, yet I am unsure which rule set or, perhaps, what variable you are referring to. Can you recommend a place for documentation?
     
  5. GTFO

    GTFO Active Member

    Joined:
    Aug 8, 2005
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    I'll grab a few from the next wave and post them.
     
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Check out gotroot.com for some great mod_sec rules. Examples that apply here:

    Code:
    #Experimental XML-RPC generic attack sigs
    SecFilter "\'\,\'\'\)\)\;"
    SecFilter "\<param\>\<name\>.*\'\)\;"
    
    #XML-RPC generic attack sigs
    SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain
    SecFilter "(\<xml|\<.*xml)" chain
    SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate$
    SecFilter "methodCall\>"
    
    #Specific XML-RPC attacks on xmlrpc.php
    SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
    SecFilter "(\<xml|\<.*xml)" chain
    SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate$
    
    #Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
    SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
    SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)$
    
    #XML-RPC SQL injection generic signature
    SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
    SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|c$
    
     
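    To see what those signatures actually catch (and why mctDarren marks the keyword rule as too generic), here is an added example that is not part of the post or of the gotroot rule set: the visible portions of the quoted patterns are transcribed into Python regexes (two of the posted lines are cut off on the page, so only the alternatives that are visible are used), `re.search` stands in for SecFilter's substring match, and the chained rules are modelled as "every filter in the chain must hit". Both request bodies are constructed; the second merely contains one of the listed function names as a placeholder.

```python
import re

# Regexes transcribed from the visible part of the quoted rules. SecFilter and
# SecFilterSelective are ModSecurity 1.x directives; this is only an
# approximation of their behaviour, evaluated case-sensitively.
SPECIFIC_PATH_RE = re.compile(r'(/xmlrpc|.*xmlrpc_services)\.php')
XML_RE = re.compile(r'(<xml|<.*xml)')
FUNC_RE = re.compile(
    r"(echo( |\(|').*;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open"
    r"|shell_exec|exec|proc_nice|proc_terminate)"
)
GENERIC_PATH_RE = re.compile(r'/xmlrpc\.php')
GENERIC_KW_RE = re.compile(
    r'(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks '
    r'|cmd|pwd|wget |id|uname |cvs |svn )'
)

# Constructed request bodies (not captured traffic). The first is an ordinary
# blogger-API login for a user named "david"; the second is a placeholder body
# that simply contains one of the function names the specific rule looks for.
BENIGN_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>blogger.getUsersBlogs</methodName>
  <params>
    <param><value><string>0123456789ABCDEF</string></value></param>
    <param><value><string>david</string></value></param>
    <param><value><string>secret</string></value></param>
  </params>
</methodCall>
"""

SUSPICIOUS_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>test.method</methodName>
  <params>
    <param><value><string>shell_exec('placeholder')</string></value></param>
  </params>
</methodCall>
"""


def evaluate(path, body):
    """Return the names of the quoted rules that would fire for this request.

    A chained rule only fires when every filter in the chain matches, so the
    specific rule needs the xmlrpc path AND an XML body AND a function name."""
    hits = []
    if SPECIFIC_PATH_RE.search(path) and XML_RE.search(body) and FUNC_RE.search(body):
        hits.append("xmlrpc-function-call")
    if GENERIC_PATH_RE.search(path) and GENERIC_KW_RE.search(body):
        hits.append("xmlrpc-generic-keyword")
    return hits


def generic_match(body):
    """Return the substring the generic keyword rule matched, or None.

    Useful when tuning: it shows which unanchored token caused a false positive."""
    m = GENERIC_KW_RE.search(body)
    return m.group(0) if m else None


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, evaluate("/xmlrpc.php", body), "generic token:", generic_match(body))
```

The benign login trips the keyword rule purely because "id" is a substring of "david", while the specific chained rule stays quiet on it and fires only on the body that carries a function name. That is the caveat in the rule's own comment: an unanchored list such as `cd`, `id` or `cmd` will match inside ordinary usernames and words, so a rule like that belongs in log-only mode until the site's real XML-RPC traffic has been checked against it.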