
Unable to stop large xmlrpc spam attack

Discussion in 'Security' started by David_spm, Jul 24, 2018.

  1. David_spm

    David_spm Active Member

    Joined:
    May 28, 2017
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Thailand
    cPanel Access Level:
    Root Administrator
    I have been under a large spam attack against the xmlrpc.php file on multiple sites on a server and have tried everything I can think of to stop it but nothing is working.

    So far I have tried the following:

    Blocking the IPs in iptables - doesn't work

    Adding the following rule to .htaccess - doesn't work

    Code:
    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>
    
    Set up the following Fail2ban jail and filter - doesn't work

    https://rbgeek.wordpress.com/2014/09/11/block-wordpress-xmlprc-php-ddos-attacks-using-fail2ban/

    Tried renaming or deleting the xmlrpc.php file - doesn't work

    Installed this WP plugin - doesn't work

    https://wordpress.org/plugins/disable-xml-rpc/

    Not all WP core and plugins are fully up to date on all sites, but none are far behind on updates, and updating does nothing either.

    Right now multiple sites are just flooded with hundreds of POST requests to xmlrpc and the server is at something like 150% CPU and basically unusable.

    Finally, the only solution I have found is to suspend a site in WHM; then the attack stops for that site but just continues for the others, and obviously I can't just suspend all the sites.

    Any help here would be appreciated :(

    EDIT: and I should add that I have Wordfence running on nearly all the sites, which they claim can block this

    https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/
     
    #1 David_spm, Jul 24, 2018
    Last edited: Jul 24, 2018
  2. David_spm
    Update: I looked closer at some of the CloudFlare settings for some of the affected sites and tried adding the set of IPs where all the requests were coming from. Nothing seemed to change. I then tried adding these IPs to iptables DROP rules again, but this time using -I instead of -A, e.g.

    Code:
    iptables -I INPUT -s IP-ADDRESS -j DROP
    service iptables save
    and this seems to work, as all the attacks stop then.

    This is obviously not much use to me though, as I can't be expected to manually enter IPs to block.

    Also, I checked again 2.5 hrs later and it had started again; it seemed that all the iptables rules that I had added had gone...

    I should add that I also have ModSecurity installed and set up with the OWASP ModSecurity Core Rule Set V3.0, but that clearly seems to be ineffective here...
     
  3. Tiberiu

    Tiberiu Registered

    Joined:
    Oct 18, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bistrita
    cPanel Access Level:
    Root Administrator
    Add xmlrpc deny in Apache Configuration - Pre VirtualHost Include - All versions. It should block all xmlrpc attacks.

    <Files "xmlrpc.php">
    Order Allow,Deny
    deny from all
    </Files>
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,827
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  5. David_spm

    Thanks, but I already had that added.
     
  6. David_spm
    OK, thanks, I added some of those rules; nothing seemed to change. Then I looked closer at fail2ban and it seemed the SQLite DB was corrupt, so I guess it was not even working properly, so I deleted it and restarted it and it seems OK now.

    I'm not sure if fail2ban is logging correctly though? I have a jail/rule for xmlrpc and wordpress set up along with filters, and this is all the fail2ban.log shows

    Code:
    root@server [/etc/fail2ban]# tail -f /var/log/fail2ban.log
    2018-07-27 00:07:09,267 fail2ban.jail           [10931]: INFO    Creating new jail 'xmlrpc'
    2018-07-27 00:07:09,268 fail2ban.jail           [10931]: INFO    Jail 'xmlrpc' uses pyinotify {}
    2018-07-27 00:07:09,269 fail2ban.jail           [10931]: INFO    Initiated 'pyinotify' backend
    2018-07-27 00:07:09,270 fail2ban.filter         [10931]: INFO    Added logfile = /var/log/fail2ban.log
    2018-07-27 00:07:09,271 fail2ban.filter         [10931]: INFO    Set maxRetry = 2
    2018-07-27 00:07:09,272 fail2ban.filter         [10931]: INFO    Set jail log file encoding to UTF-8
    2018-07-27 00:07:09,273 fail2ban.actions        [10931]: INFO    Set banTime = 43600
    2018-07-27 00:07:09,273 fail2ban.filter         [10931]: INFO    Set findtime = 600
    2018-07-27 00:07:09,288 fail2ban.jail           [10931]: INFO    Jail 'wordpress' started
    2018-07-27 00:07:09,297 fail2ban.jail           [10931]: INFO    Jail 'xmlrpc' started
    That was about 18 hrs ago now and I haven't seen any incidents since then, so maybe nothing to report?

    It's hard to know, out of all the rules and tools being used, what is and isn't working here, tbh...
     
  7. cPanelMichael
    Hello,

    It's possible the attack stopped temporarily, or one of the previous steps you took to block it is now working. You may want to consider reaching out to a qualified system administrator for help determining the source of the attack and implementing a solution to prevent it. We provide a list of companies offering system administration services at:

    System Administration Services | cPanel Forums

    Thank you.
     