How to recover from and prevent XML-RPC attacks (Apache web server)

High server load is sometimes reported on cPanel, Plesk, and DirectAdmin servers hosting WordPress websites, with "xmlrpc.php" showing up as the top CPU consumer. xmlrpc.php is the file WordPress uses for remote publishing and ping-back tracking. Botnets target this file to launch brute-force attacks against the site, which puts a lot of strain on the server.

We assist web hosts, VPS providers, and cloud providers in preventing such attacks and keeping their services highly available. Our web server management services include server load mitigation and attack mitigation. In this article we go through how to recover from an xmlrpc.php attack and how to prevent it.

How do you recover from a heavy load?

When the server is overloaded, the first concern is to get everything back to normal. To do this, block access to xmlrpc.php at the Apache level by adding the following directive to the Apache configuration file and restarting the server:

<Files ~ "xmlrpc.php">
  # Apache 2.2 access-control syntax (works on 2.4 with mod_access_compat loaded);
  # on Apache 2.4 without that module use: Require all denied
  Order allow,deny
  Deny from all
</Files>

How can you prevent xmlrpc.php from being abused?

Disabling xmlrpc.php access is only a temporary fix, as many websites rely on it for blog ping-back tracking and remote posting. The longer-term approach is therefore to stop the attacks based on a shared signature. The following is an example of xmlrpc.php attack traffic in the access log:

37.203.208.49 - - [21/Jan/2015:15:37:54 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:37:55 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:37:57 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:38:02 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4859
37.203.208.49 - - [21/Jan/2015:15:38:11 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
37.203.208.49 - - [21/Jan/2015:15:38:13 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861
37.203.208.49 - - [21/Jan/2015:15:38:18 -0500] "POST /xmlrpc.php HTTP/1.0" 503 4861

A genuine request will have a Referer header, whereas attack requests typically will not. Such requests can therefore be blocked with a web application firewall rule, and this is where ModSecurity comes in handy. Add the following to the ModSecurity rule set:

# Block POST requests to xmlrpc.php that carry no Referer header (ModSecurity 2.x chained rule).
# All three SecRule lines must match for the deny action on the first line to fire.
SecRule REQUEST_METHOD "POST" "phase:2,deny,status:401,id:5000900,log,chain,msg:'xmlrpc request blocked, no referer'"
# &HTTP_REFERER is the number of Referer headers present; 0 means the header is absent
SecRule &HTTP_REFERER "@eq 0" "chain"
# Default operator is a regex match, so any URI containing xmlrpc.php qualifies
SecRule REQUEST_URI "xmlrpc.php"

On dedicated servers hosting a small number of WordPress sites, installing a plugin like "xmlrpc assaults blocker" may be easier and more flexible.