Unable to stop large xmlrpc spam attack

David_spm

Well-Known Member
May 28, 2017
57
0
6
Thailand
cPanel Access Level
Root Administrator
I have been under a large spam attack against the xmlrpc.php file on multiple sites on a server and have tried everything I can think of to stop it but nothing is working.

So far I have tried the following:

Blocking the ips in iptables - doesnt work

Adding the following rule to .htaccess - doesnt work

Code:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Setup the following Fail2ban jail and filter - doesnt work

https://rbgeek.wordpress.com/2014/09/11/block-wordpress-xmlprc-php-ddos-attacks-using-fail2ban/

Tried renaming or deleting the xmlrpc.php file - doesnt work

Installed this WP plugin - doesnt work

https://wordpress.org/plugins/disable-xml-rpc/

Not all wp core and plugins are fully up to date on all sites but none are far behind updates and updating does nothing too.

Right now multiple sites are just flooded with hundreds of POST requests to xmlrpc and the server is at something like 150% cpu and basically unusable.

Finally the only solution I have found is to suspend a site in WHM, then the attack stops for that site but just continues for others and obviously I cant just suspend all the sites.

Any help here would be appreciated :(

EDIT: and I should add that I have Wordfence running on nearly all the sites which they claim they can block

https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/
 
Last edited:

David_spm

Well-Known Member
May 28, 2017
57
0
6
Thailand
cPanel Access Level
Root Administrator
Update: I looked closer at some of the CloudFlare settings for some of the affected sites and tried adding the set of ips where all the requests were coming from. Nothing seemed to change. I then tried adding these ips to iptables DROP rules again but this time using -I instead of -A eg

Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
service iptables save
and this seems to work as all the attacks stop then.

This is obviously not much use to me though as I cant be expected to manually enter ips to block.

Also I checked again 2.5 hrs later and it had started again, it seemed that all the iptable rules that I had added had gone...

I should add that I also have ModSecurity installed and setup with OWASP ModSecurity Core Rule Set V3.0 but that clearly seems to be ineffective here...
 

Tiberiu

Member
Oct 18, 2016
5
0
1
Bistrita
cPanel Access Level
Root Administrator
Add xmlrpc deny in Apache Configuration - Pre VirtualHost Include - All versions. It should block all xmlrpc attacks.

<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
 

David_spm

Well-Known Member
May 28, 2017
57
0
6
Thailand
cPanel Access Level
Root Administrator
ok
Hello,

You may find the discussion on the following thread helpful:

wp-login.php and mod security

Thank you.
thanks, I added some of those rules, nothing seemed to change. Then I looked closer at fail2ban and it seemed the sqlite DB was corrupt so I guess not even working properly so I deleted it and restarted it and seems ok now.

Im not sure if fail2ban is logging correctly though? I have a jail/rule for xmlrpc and wordpress setup along with filters and this is all the fail2ban.log shows

Code:
[email protected] [/etc/fail2ban]# tail -f /var/log/fail2ban.log
2018-07-27 00:07:09,267 fail2ban.jail           [10931]: INFO    Creating new jail 'xmlrpc'
2018-07-27 00:07:09,268 fail2ban.jail           [10931]: INFO    Jail 'xmlrpc' uses pyinotify {}
2018-07-27 00:07:09,269 fail2ban.jail           [10931]: INFO    Initiated 'pyinotify' backend
2018-07-27 00:07:09,270 fail2ban.filter         [10931]: INFO    Added logfile = /var/log/fail2ban.log
2018-07-27 00:07:09,271 fail2ban.filter         [10931]: INFO    Set maxRetry = 2
2018-07-27 00:07:09,272 fail2ban.filter         [10931]: INFO    Set jail log file encoding to UTF-8
2018-07-27 00:07:09,273 fail2ban.actions        [10931]: INFO    Set banTime = 43600
2018-07-27 00:07:09,273 fail2ban.filter         [10931]: INFO    Set findtime = 600
2018-07-27 00:07:09,288 fail2ban.jail           [10931]: INFO    Jail 'wordpress' started
2018-07-27 00:07:09,297 fail2ban.jail           [10931]: INFO    Jail 'xmlrpc' started
that was about 18 hrs ago now and I havent seen any incidents since then so maybe nothing to report?

Its hard to know out of all the rules and tools being used what is and isnt working here tbh...
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello,

It's possible the attack stopped temporarily, or one of the previous steps you took to block it is now working. You may want to consider reaching out to a qualified system administrator for help determining the source of the attack and implementing a solution to prevent it. We provide a list of companies offering system administration services at:

System Administration Services | cPanel Forums

Thank you.