xmlrpc attacks-wp-login.php attacks

No. How do I turn it on? Why did they turn it off?

Hi

Rules are turned off by default so as not to ruin other users' apps.

These rules can be turned on with the CWAF Plugin (open the ‘Catalog’ tab, search for rule 240330, turn it ON, apply changes)

Or with command line tool:

/var/cpanel/cwaf/scripts/cwaf-cli.pl -xd 240330

Regards, Oleg

Thanks, turned it on now. So every time there is an update, do I need to enable it?

Hi

No, once enabled/disabled, the rule state will persist.

Regards, Oleg

Did enable this rule on a LiteSpeed server, and right after it worked for some seconds, but then again:
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:34 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:34 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
104.238.177.113 - - [30/Nov/2015:14:28:34 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

Why is that?
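Bursts like the one in the log above are easy to pick out mechanically, and doing so also shows the 200/503 split per source that the question is about. The Python below is an added example (not part of this thread and not Comodo WAF or CSF code): it parses combined-format access log lines constructed to resemble the ones posted, counts POST /xmlrpc.php requests per source IP inside a sliding time window, summarises response codes per IP, checks whether an IP presenting a Googlebot User-Agent actually passes Google's documented reverse-DNS plus forward-DNS verification, and returns the CSF deny command as a string for an operator to review. The IPs, hostnames, thresholds and resolver tables are constructed sample values, not data from the thread.

```python
"""Detect POST /xmlrpc.php floods and spoofed Googlebot clients in access logs.

Added example; the log lines, IPs, hostnames and resolver tables below are
constructed sample data, not values taken from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache and LiteSpeed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source hammering xmlrpc.php with a Googlebot UA,
# one ordinary visitor, and one genuine crawler fetching robots.txt.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:33 +0100] "POST /xmlrpc.php HTTP/1.1" 503 1159 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:34 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:34 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [30/Nov/2015:14:28:34 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [30/Nov/2015:14:28:40 +0100] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Nov/2015:14:28:41 +0100] "GET /robots.txt HTTP/1.1" 200 66 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Constructed resolver tables standing in for real reverse/forward DNS.
FAKE_RDNS = {"198.51.100.7": "198-51-100-7.example-vps.net",
             "192.0.2.9": "crawl-192-0-2-9.googlebot.com"}
FAKE_FORWARD = {"198-51-100-7.example-vps.net": ["198.51.100.7"],
                "crawl-192-0-2-9.googlebot.com": ["192.0.2.9"]}

def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def xmlrpc_bursts(lines, window=timedelta(seconds=10), threshold=5):
    """Map IP -> peak number of POST /xmlrpc.php requests seen within any
    `window`, for IPs whose peak reaches `threshold` (query strings ignored)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts

def status_summary(lines):
    """Map IP -> {status code: count}, so a 200/503 mix per source is visible at a glance."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            summary[rec["ip"]][rec["status"]] += 1
    return {ip: dict(codes) for ip, codes in summary.items()}

GOOGLE_RDNS_SUFFIXES = (".googlebot.com", ".google.com")

def is_verified_googlebot(ip, reverse_lookup, forward_lookup):
    """Google's published verification: the IP's reverse DNS name must end in
    googlebot.com or google.com, and forward-resolving that name must return
    the same IP. Resolvers are injected so the check runs offline here."""
    host = reverse_lookup(ip)
    if not host or not host.lower().endswith(GOOGLE_RDNS_SUFFIXES):
        return False
    return ip in forward_lookup(host)

def spoofed_googlebot_ips(lines, reverse_lookup, forward_lookup):
    """IPs that present a Googlebot User-Agent but fail the DNS verification."""
    claimed = {rec["ip"] for rec in map(parse_line, lines) if rec and "Googlebot" in rec["ua"]}
    return sorted(ip for ip in claimed if not is_verified_googlebot(ip, reverse_lookup, forward_lookup))

def csf_deny_command(ip, reason):
    """CSF's permanent-deny syntax (csf -d IP comment), returned for review rather than executed."""
    return f'csf -d {ip} "{reason}"'

if __name__ == "__main__":
    rdns, fwd = FAKE_RDNS.get, lambda h: FAKE_FORWARD.get(h, [])
    print("status per IP:", status_summary(SAMPLE_LINES))
    print("spoofed Googlebot:", spoofed_googlebot_ips(SAMPLE_LINES, rdns, fwd))
    for ip, peak in xmlrpc_bursts(SAMPLE_LINES).items():
        print(csf_deny_command(ip, f"xmlrpc flood, {peak} POSTs in 10s"))
```

Swap `FAKE_RDNS.get` and the forward lambda for `socket.gethostbyaddr` and `socket.gethostbyname_ex` to run it against live DNS; the per-IP status summary is what to compare against the WAF's own audit log, since a code the WAF does not emit (as Oleg notes for 503 below) points at another layer in the stack.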

The protection does not stop xmlrpc. Support told me to remove the xmlrpc files if I want to stop them, so not much use having rules that don’t work.

Our rules do not produce a 503 response in most cases, so that part of your log is not related to Comodo WAF. Have you enabled rules group 240330 XML-RPC protection (CVE-2013-0235)?

One of the ways to avoid this issue is to block such IPs with a network firewall.

This rule 240330 does not stop XML-RPC attacks.

Any logs?

I opened a support ticket a while back about it with logs; they told me to remove the file. Easy to say, but when you have servers full of sites it takes too long.

The logs you attached in the ticket concerned rule 214560; I’ve recommended excluding it for all domains.

You must have the wrong ticket.

Sorry for the misunderstanding.
I found another ticket, but there we discussed rule 210230.
Could you remind me of the ticket number?

Rules group 240330-240336 should block this attack. Make sure that these rules are enabled.

Ticket: #KIK-725-42293

The logs you attached in this ticket concerned rule 214560 and PCRE limits being exceeded; I’ve recommended excluding it for all domains.

Both rules are enabled.
But this is a LiteSpeed webserver, and I cannot say your rules are working as they should, even if you say they do. Also, through tickets you say that it works, but it does not!

Removed the block through CSF now, and the IP starts hammering again:
45.63.117.157 - - [01/Dec/2015:11:41:52 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
45.63.117.157 - - [01/Dec/2015:11:41:41 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
45.63.117.157 - - [01/Dec/2015:11:41:41 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
45.63.117.157 - - [01/Dec/2015:11:41:52 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
45.63.117.157 - - [01/Dec/2015:11:41:41 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
45.63.117.157 - - [01/Dec/2015:11:41:41 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
45.63.117.157 - - [01/Dec/2015:11:41:42 +0100] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

We can’t reproduce that on your side. If you wish, you can open a ticket at https://support.comodo.com/ and I hope the specialists will help you resolve this issue remotely.