I've this problem on a few of my cpanel servers where they are continually being sniffed for exploits from various IP's. They do it enough to cause noticeable load hikes, and we resort to finding their IP's in apache status, and blocking them. When this is occuring, for a long time, they seemed to favor sniffing all the domains in apache on a server looking for xmlrpc.php. Their sniff tacticts have since expanded to "horde3//README" and various other URLs. I've read that xmlrpc.php was once an exploitable file on older versions including various renditions of wordpress (which some of our clients use) . Finding the IP's and blocking them in apf temporarily solves the problem, but they do not come from a similar range so we've not found a permanent solution to this. Does anyone have any suggestions on how to tackle tihs problem ?