WordPress XMLRPC Bruteforce & Spam

There’s an incredible number of trolls, spammers and hackers on the internet, and even if your site isn’t that popular, don’t underestimate the number of bots and the like that are about.

One of the most recent attempts has been from the IPs “185.188.204.2” and “185.188.204.5” (by the way, I would never disclose the IP address of someone I believed to be innocent, so if your computer has simply been hacked, send me a message and I’ll remove this!). I quite often have trouble with IPs in the 185.*.*.* range, which you might find amusing but also a bit worrisome.

The quickest way I notice suspicious behaviour is when my website receives a lot of hits from a specific IP address. If you’re not too tech savvy, I suggest installing the WP Statistics plugin. Its overview page lists IPs together with the number of hits each one has made:

Rank	Hits	Flag	Country	IP	Agent	Platform	Version
1	633	Unknown	Unknown	185.188.204.5	MSIE	Windows	7.0
2	278	Unknown	Unknown	185.188.204.2	MSIE	Windows	7.0

Reading the access log will usually give you a rough idea of what’s happening; for example, they might be abusing xmlrpc.php. You can view the log with nano (the path below is Apache’s default on CentOS):

nano /var/log/httpd/access_log

Once in the log, search for the IP address and you’ll be faced with the user’s activity:

185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"


The lazy way to deal with them on CentOS (other operating systems have their own firewall tooling; the commands below are for firewalld) is to firewall them:

# 185.188.204.0/24 is the network form of the /24 block the attacking IPs sit in;
# it covers all 256 addresses 185.188.204.0-255, including .2 and .5
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=185.188.204.0/24 reject"
firewall-cmd --reload
# confirm the rule is now active in the public zone
firewall-cmd --zone=public --list-all
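The two steps above (search the access log for the noisy IP, then firewall its /24) can be scripted so you are not eyeballing the log by hand. The following is an added example of my own, not code from the post, that parses Apache combined-format log lines, counts POST requests to /xmlrpc.php per client IP, flags addresses at or above a threshold, and prints the firewalld rich rule for the surrounding /24 (the same block size the post uses) so you can review it before running it. The log lines are constructed for the example and modelled on the ones in the post; the threshold, the helper names and the third address 203.0.113.7 (from a documentation range) are my choices.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache combined log format, modelled on the lines in the post.
# 203.0.113.7 is a documentation-range address standing in for a legitimate client
# that makes a single xmlrpc.php POST (as WordPress itself and some plugins do).
SAMPLE_LOG = """\
185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.2 - - [01/Nov/2017:13:54:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [01/Nov/2017:13:54:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2017:13:54:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 394 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def count_xmlrpc_posts(lines):
    """Count POST requests to /xmlrpc.php per client IP (query strings are ignored)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/xmlrpc.php":
            counts[rec["ip"]] += 1
    return counts


def offenders(counts, threshold):
    """IPs with at least `threshold` xmlrpc.php POSTs, busiest first."""
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


def firewalld_rule(ip, prefix=24):
    """Build the firewalld rich rule that rejects the /prefix network containing `ip`.

    strict=False normalises a host address such as 185.188.204.5/24 to the
    network form 185.188.204.0/24 that the firewall expects.
    """
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (
        'firewall-cmd --permanent --add-rich-rule='
        f'"rule family=ipv4 source address={net} reject"'
    )


if __name__ == "__main__":
    # Threshold of 3 is an arbitrary choice for the sample; tune it to your traffic.
    # Reading the real file instead: count_xmlrpc_posts(open("/var/log/httpd/access_log"))
    counts = count_xmlrpc_posts(SAMPLE_LOG.splitlines())
    for ip, n in offenders(counts, threshold=3):
        print(f"{ip}: {n} POSTs to /xmlrpc.php")
        print("  " + firewalld_rule(ip))
```

The script only prints the rule; applying it is left to you, because a /24 covers 256 addresses and you will want to check that no legitimate clients (your own office, a plugin’s servers) sit in that block. The threshold matters for the same reason: a single POST to xmlrpc.php is normal WordPress traffic, so in the sample only 185.188.204.5 is reported.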

Unfortunately, this can be problematic if your site is extremely popular: someone else can later be assigned that IP address (if it’s dynamic) and you’ve blocked them from your site. Attackers can also change IP address, but there are still benefits to simple IP firewall bans (I’ll speak more about that soon).

Another method is to add these lines to your Apache virtual host configuration:

<VirtualHost *:80>
    # ... your existing virtual host settings; keep your own address/port above ...

    # Deny every client access to xmlrpc.php.
    # This is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below.
    <Files "xmlrpc.php">
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>

I did something slightly more crafty, though. Rename xmlrpc.php, or back it up and delete the original, then create a replacement in its place:

cp xmlrpc.php xmlrpc.php.backup   # keep a copy so the original can be restored
rm xmlrpc.php
nano xmlrpc.php                   # create the replacement file

Then in nano, add a redirect:

<?php
// Any request for xmlrpc.php is bounced to the loopback address; nothing else runs.
header("Location: http://127.0.0.1");
exit;
?>

With the XMLRPC exploit, attackers use your website to send spam, so it ends up acting a bit like a member of what’s called a “botnet.” With this replacement in place, anything that connects to the xmlrpc.php page, whether malicious or not, is redirected to the loopback address (127.0.0.1) instead of reaching WordPress.

I said there are benefits to simple IP firewall banning, and there are. If a user is targeting you specifically (attacks like these are very rarely personal, but trolls are another matter), then an IP firewall demonstrates you’ve attempted to ban the perpetrator. The ban doesn’t have to be perfect for you to prove you’ve made ample effort to get the perpetrator to leave you alone. Actions you take might also have an equal and opposite reaction. For example, editing the xmlrpc.php file in this way means that plugins which rely on it might not function at all; Jetpack is one such plugin. You should never reveal your hand, and you should always appear weak. A simple IP firewall might be easy to circumvent, but you can show an access log to an ISP and it’s proof enough.

The benefits of running your own webserver

Obviously it might be considered a hassle to have to worry about trolls, spammers, hackers, people trying to bruteforce you, etc. but the benefits outweigh the cons, for me.

For example, Facebook or any popular site could have something negative happen to it that causes information to get lost. Correct me if I’m wrong, but I don’t believe they have a legal obligation to back up your data if you’re not paying, and even if you do pay for a service, e.g. Squarespace, unless it’s specifically stated in the contract, I don’t believe they have to back up your data. Even if they do back up your data, it’s not necessarily easy to put that data into a usable format. When you run your own MySQL server and whatnot, it’s relatively easy (it’s one command line) to save the database.

You also have access to log files, and while this might be available with other services (I’m sure it is with some), it’s a lot easier to access if you own/manage everything. In the event you get targeted by a specific person, you have access to the logs–they give you more information than a simple IP address. Hosting is also a lot cheaper if you manage everything–as it should be, since it’s costing you time. If you have a lot of time but not a lot of money, this method is better, in my opinion. If you’re experienced with computers, it might also cost you less time than if you signed up for a service like Squarespace.

I don’t make much from this site after server costs and I’ve only received the one donation–thank you by the way–I put 100% of that towards a charity, but I like to keep costs down regardless :).
