xmlrpc attacks-wp-login.php attacks

Hi, I use Web Application Firewall | Free ModSecurity Rules from Comodo.

I use WordPress and Joomla in the protection wizard but still see attacks on these below.

wp-login.php

xmlrpc attacks

Please provide any additional details: request headers or any kind of logs.

Hello,

there are logs such as:

185.62.190.204 - - [23/Jul/2015:10:35:44 +0200] “POST /xmlrpc.php HTTP/1.0” 404 556 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; Сведения о роботе Googlebot | Центр Google Поиска  |  Документация  |  Google Developers)”

Yep, they simply just need to come up with a rule to rate limit connections to it in my opinion. It’s badly needed though. I’m surprised it hasn’t already gotten attention.

Need more from the logs?
This should have been implemented a long time ago!

The bots are causing servers to go slow and they should be getting blocked after 5 attempts within a couple of minutes for example.

Hi, I started getting xmlrpc attacks after an update to the rules. Can anyone tell me how to stop this, please?

I have most rules enabled but can’t stop them.

2015-08-23 11:32:24 domain.co.uk 000.000.00.000 CRITICAL 200
210230: COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.
Request: POST /xmlrpc.php
Action Description: Warning.
Justification: Match of “eq 0” against “REQBODY_ERROR” required.

Hi

You can revert to the previous version of the rules until we find a solution:
In the “Main” tab of the plugin, press the “Restore Rules” button

or in the console type the following command:

/var/cpanel/cwaf/scripts/updater.pl --restore

(for cPanel installation)

/usr/local/cwaf/scripts/updater.pl --restore

(for other web panels)

Regards, Oleg

Hi, so is this something you know about then? Or is it just me that’s got the problem?

I have restored them back to 1.42 but am still seeing xmlrpc attacks.

Hi

So it seems this attack activity is not a rules update problem.
I will report this issue to our rule-writers team.
Unfortunately they will only be available on Tuesday due to Independence Day here in Ukraine :frowning:
Can you please send the logs for analysis to CWAF Support (submit a ticket to the ‘WAF Support’ department).
Please mark this ticket as ‘XMLRPC Attacks’.
We will investigate ASAP.

Regards, Oleg

Hi, which logs do you want, the one I posted above?

Hi

We need the mod_security audit log. I think this is the one you posted before.

Regards, Oleg

If you know you aren’t using the XML-RPC functionality for anything then you can disable it. There are several ways to do that; please see the link for details:

That means I would have to do all the sites on all our servers, which would take ages.

We shouldn’t simply disable it with the default WAF rules, because someone may be using the functionality of that script.

So does this mean it will not get fixed in your next update?

I was told by Andrey Kabakov: “We’ll try to fix this issue in the next update, probably next week.”

Why not give a 403 error if the same IP hits xmlrpc.php 10 times in a 5 minute interval, for example?

How would I set this up with your rules?

How can you be sure that it will not break any kind of functionality? Generally we can make such a rule but disable it in the default configuration.

Because most trackbacks are done 1-2 times max within 1 hour.
So a rule for this would greatly reduce the load on many servers hosting WordPress installations. And xmlrpc.php on old versions of WordPress has been used in DDoS attacks too, so it would also reduce the attacks on old versions of WordPress!
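The per-IP threshold proposed in this thread (block xmlrpc.php after 10 hits in 5 minutes), written out as an added ModSecurity 2.x example; this is not a Comodo/CWAF rule. The rule ids, the SecDataDir path and the counter name are assumptions chosen for the example.

```apache
# Added example, not part of the Comodo rule set: rate-limit requests to
# xmlrpc.php per client IP using ModSecurity 2.x persistent collections.
# Rule ids 1000100-1000102 are placeholders; pick ids that do not collide
# with your installed rules. Threshold and window follow the thread's
# proposal (10 hits, 5 minutes = 300 s).

# Persistent storage for collections (path is an assumption; must be
# writable by the web server user).
SecDataDir /var/cache/modsecurity

# Load (or create) the per-IP collection on every request.
SecAction "id:1000100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Count hits on xmlrpc.php. expirevar re-arms the 300 s TTL on each hit,
# so the counter is cleared 5 minutes after the client's last request.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1000101,phase:1,pass,nolog,\
    setvar:ip.xmlrpc_hits=+1,\
    expirevar:ip.xmlrpc_hits=300"

# Deny with 403 once the counter exceeds 10, but only for xmlrpc.php
# itself so the same IP can still reach the rest of the site.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1000102,phase:1,deny,status:403,log,\
    msg:'xmlrpc.php rate limit exceeded for %{REMOTE_ADDR}',\
    chain"
    SecRule IP:XMLRPC_HITS "@gt 10"
```

Legitimate clients (pingbacks, mobile apps, Jetpack-style integrations) are counted too, so run rule 1000102 with `pass,log` instead of `deny` first and review the audit log before enforcing it.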

A few rules for XML-RPC will be released during the nearest updates. I hope this will help.