It's working fine on Apache servers. Rule 240335 is triggered and gives status 403.
Please take a look at ticket KSQ-336-49527.
Now we are able to reproduce this LiteSpeed issue on our side. I'll answer here when we have news.
Hi, not sure I understand what you mean by "exclude it"? The rule is enabled but I still get xmlrpc attacks.
We'll try to fix it as soon as possible.
We have updated XML-RPC protection and LiteSpeed should handle it now.
Yes, saw that.
Have updated the rules and will check the logs to see if they are stopped correctly now. Thanks.
Maybe the update broke Apache servers.
xmlrpc rules are all active/on. Have tried disabling and enabling them, but still:
37.187.253.182 - - [20/Dec/2015:22:50:05 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
31.154.95.11 - - [20/Dec/2015:22:50:07 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
31.154.95.11 - - [20/Dec/2015:22:50:10 +0100] "POST /xmlrpc.php HTTP/1.0" 404 - "-" "wp-windowsphone"
193.151.90.22 - - [20/Dec/2015:22:50:12 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
31.154.95.11 - - [20/Dec/2015:22:50:13 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
50.62.208.59 - - [20/Dec/2015:22:50:13 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
50.62.208.59 - - [20/Dec/2015:22:50:13 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
82.200.247.240 - - [20/Dec/2015:22:50:15 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
85.236.156.216 - - [20/Dec/2015:22:50:17 +0100] "POST /xmlrpc.php HTTP/1.1" 200 405 "-" "wp-windowsphone"
185.15.43.29 - - [20/Dec/2015:22:50:19 +0100] "POST /xmlrpc.php HTTP/1.1" 200 405 "-" "wp-iphone"
83.172.162.75 - - [20/Dec/2015:22:50:20 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
198.57.247.248 - - [20/Dec/2015:22:50:20 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
85.128.142.41 - - [20/Dec/2015:22:50:21 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
178.255.46.189 - - [20/Dec/2015:22:50:21 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
162.144.66.128 - - [20/Dec/2015:22:50:24 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
166.78.60.124 - - [20/Dec/2015:22:50:24 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
88.208.252.217 - - [20/Dec/2015:22:50:24 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
217.16.11.217 - - [20/Dec/2015:22:50:25 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
87.250.153.97 - - [20/Dec/2015:22:50:25 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
42.112.38.80 - - [20/Dec/2015:22:50:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
81.95.123.14 - - [20/Dec/2015:22:50:27 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
84.200.12.196 - - [20/Dec/2015:22:50:27 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
221.133.1.37 - - [20/Dec/2015:22:50:29 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
62.149.195.130 - - [20/Dec/2015:22:50:35 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
93.180.153.83 - - [20/Dec/2015:22:50:35 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
94.152.40.60 - - [20/Dec/2015:22:50:35 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
199.195.119.66 - - [20/Dec/2015:22:50:35 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
82.98.146.53 - - [20/Dec/2015:22:50:38 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
54.88.186.235 - - [20/Dec/2015:22:50:40 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
5.189.130.33 - - [20/Dec/2015:22:50:42 +0100] "POST /xmlrpc.php HTTP/1.1" 200 405 "-" "wp-windowsphone"
93.89.18.120 - - [20/Dec/2015:22:50:43 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
66.175.56.94 - - [20/Dec/2015:22:50:44 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
203.158.160.32 - - [20/Dec/2015:22:50:46 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
85.128.142.51 - - [20/Dec/2015:22:50:48 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
193.202.110.182 - - [20/Dec/2015:22:50:58 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
213.251.182.113 - - [20/Dec/2015:22:51:00 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Poster"
46.28.105.114 - - [20/Dec/2015:22:51:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
212.224.118.198 - - [20/Dec/2015:22:51:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
207.210.217.222 - - [20/Dec/2015:22:51:02 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
50.62.208.156 - - [20/Dec/2015:22:51:05 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
31.154.95.11 - - [20/Dec/2015:22:51:06 +0100] "POST /xmlrpc.php HTTP/1.0" 404 - "-" "wp-iphone"
109.71.235.117 - - [20/Dec/2015:22:51:06 +0100] "POST /xmlrpc.php HTTP/1.0" 404 - "-" "wp-iphone"
217.160.131.25 - - [20/Dec/2015:22:51:06 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
109.71.235.117 - - [20/Dec/2015:22:51:06 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Poster"
31.154.95.11 - - [20/Dec/2015:22:51:06 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Poster"
109.71.235.117 - - [20/Dec/2015:22:51:07 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
31.154.95.11 - - [20/Dec/2015:22:51:08 +0100] "POST /xmlrpc.php HTTP/1.0" 404 - "-" "wp-windowsphone"
31.154.95.11 - - [20/Dec/2015:22:51:11 +0100] "POST /xmlrpc.php HTTP/1.0" 404 - "-" "wp-iphone"
213.246.62.239 - - [20/Dec/2015:22:51:14 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
85.236.156.216 - - [20/Dec/2015:22:51:15 +0100] "POST /xmlrpc.php HTTP/1.1" 200 405 "-" "WordPress"
69.175.41.102 - - [20/Dec/2015:22:51:15 +0100] "POST /xmlrpc.php HTTP/1.1" 200 405 "-" "WordPress"
213.251.182.103 - - [20/Dec/2015:22:51:16 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
122.155.10.139 - - [20/Dec/2015:22:51:17 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
123.30.136.102 - - [20/Dec/2015:22:51:21 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
85.128.142.41 - - [20/Dec/2015:22:51:23 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
185.15.43.29 - - [20/Dec/2015:22:51:23 +0100] "POST /xmlrpc.php HTTP/1.1" 200 405 "-" "wp-windowsphone"
198.57.247.248 - - [20/Dec/2015:22:51:23 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
178.255.46.189 - - [20/Dec/2015:22:51:25 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
162.144.66.128 - - [20/Dec/2015:22:51:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
217.16.11.217 - - [20/Dec/2015:22:51:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Poster"
166.78.60.124 - - [20/Dec/2015:22:51:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
62.101.89.4 - - [20/Dec/2015:22:51:27 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
221.133.1.37 - - [20/Dec/2015:22:51:27 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
42.112.38.80 - - [20/Dec/2015:22:51:28 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
87.250.153.97 - - [20/Dec/2015:22:51:30 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
87.250.153.97 - - [20/Dec/2015:22:51:30 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Poster"
81.95.123.14 - - [20/Dec/2015:22:51:30 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
94.152.40.60 - - [20/Dec/2015:22:51:32 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
37.187.253.182 - - [20/Dec/2015:22:51:33 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
199.195.119.66 - - [20/Dec/2015:22:51:34 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-windowsphone"
173.254.28.88 - - [20/Dec/2015:22:51:34 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
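The access log above is the evidence that matters: every xmlrpc.php POST answered with 200 reached WordPress, which means the WAF rule did not refuse it (a rule that fires and blocks shows up as 403, as the first reply in this thread notes for Apache). As an added example, not code from the thread or from Comodo, here is a small Python script that parses combined-log lines and summarises exactly that: how many xmlrpc.php POSTs the WAF blocked versus how many got through, and how widely the sources and client strings are spread. The sample input is a constructed excerpt: seven lines modelled on the log above, plus one ordinary GET and one 403 line added to show the contrast.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt in Apache combined-log format. The first seven lines
# mirror entries posted in the thread; the last two are added to show a
# non-XML-RPC request and a request the WAF actually refused (403).
SAMPLE_LOG = """\
37.187.253.182 - - [20/Dec/2015:22:50:05 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
31.154.95.11 - - [20/Dec/2015:22:50:07 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-iphone"
31.154.95.11 - - [20/Dec/2015:22:50:10 +0100] "POST /xmlrpc.php HTTP/1.0" 404 - "-" "wp-windowsphone"
193.151.90.22 - - [20/Dec/2015:22:50:12 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "Windows Live Writer"
31.154.95.11 - - [20/Dec/2015:22:50:13 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "WordPress"
50.62.208.59 - - [20/Dec/2015:22:50:13 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
50.62.208.59 - - [20/Dec/2015:22:50:13 +0100] "POST /xmlrpc.php HTTP/1.0" 200 405 "-" "wp-android"
10.0.0.5 - - [20/Dec/2015:22:50:14 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [20/Dec/2015:22:50:16 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "wp-android"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def analyse_xmlrpc(log_text, window_seconds=60, flood_threshold=5):
    """Summarise POSTs to /xmlrpc.php.

    A 403 means the WAF refused the request; any other status means the
    request reached WordPress, i.e. the rule did not block it. The per-IP and
    per-User-Agent spread separates a distributed flood (many sources,
    rotating client strings) from a single misbehaving client.
    """
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and e["method"] == "POST" and e["path"].split("?")[0] == "/xmlrpc.php"]
    total = len(hits)
    by_status = Counter(e["status"] for e in hits)
    by_ip = Counter(e["ip"] for e in hits)
    by_ua = Counter(e["ua"] for e in hits)
    blocked = by_status.get(403, 0)
    span = 0.0
    if hits:
        span = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    # "flood": at least flood_threshold xmlrpc POSTs inside one window
    flood = total >= flood_threshold and span <= window_seconds
    return {
        "total": total,
        "blocked_by_waf": blocked,
        "reached_wordpress": total - blocked,
        "by_status": dict(by_status),
        "distinct_ips": len(by_ip),
        "distinct_user_agents": len(by_ua),
        "top_ip": by_ip.most_common(1)[0] if by_ip else None,
        "span_seconds": span,
        "flood": flood,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_xmlrpc(SAMPLE_LOG), indent=2, default=str))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; a healthy rule deployment shows `blocked_by_waf` close to `total`, while the thread's log would show `reached_wordpress` equal to `total`.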
Could you capture the content of that POST request?
Still get high server loads from xmlrpc attacks; wish they would fix this.
If possible, send us more detailed info at https://support.comodo.com/
Maybe we need SSH access to your servers.
The current rules do not seem to block WordPress XMLRPC system.multicall brute force amplification attacks. All of my servers have been getting slammed with these since Christmas.
I've added the rules listed in this cPanel forums post, which are helping keep load down:
https://forums.cpanel.net/threads/is-this-xmlrpc-brute-force-amplification-attack.507331/#post-2039221
Can we get this type of protection added? WordPress 4.4 fixes this but older versions are unprotected.
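The amplification described above works because one system.multicall request can wrap many credential-taking calls, so a single HTTP request tries many passwords. A WAF or plugin that only counts requests to xmlrpc.php misses it; the request body has to be inspected. As an added example, not the cPanel rules linked above nor anything from Comodo, here is a Python function that parses an XML-RPC request body, lists the calls nested inside a system.multicall, and blocks the request when any of them is a credential-taking method or when the nesting exceeds a limit. The method list and the sample bodies (placeholder credentials) are constructed for this example; WordPress exposes more credential-taking methods than the three listed.

```python
import xml.etree.ElementTree as ET

# A few of the WordPress XML-RPC methods that authenticate with a
# username/password pair (assumed list for this example; WordPress has more).
# Many of these wrapped in one system.multicall is the amplification pattern.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs",
    "blogger.getUsersBlogs",
    "metaWeblog.getUsersBlogs",
}

# Constructed sample bodies with placeholder credentials, not captured traffic.
MULTICALL_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>placeholder-1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>placeholder-2</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

SINGLE_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>demo.sayHello</methodName>
  <params></params>
</methodCall>"""


def nested_methods(root):
    """List the methodName of every call wrapped in a system.multicall."""
    names = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                # XML-RPC allows <value>text</value> as shorthand for <string>
                name = member.findtext("value/string") or member.findtext("value") or ""
                names.append(name.strip())
    return names


def inspect_xmlrpc_body(body, max_nested_calls=1):
    """Decide whether an XML-RPC request body should be passed to WordPress.

    Returns the top-level method, the nested method names for a multicall,
    and a decision of "allow" or "block" with a reason.
    """
    # xml.etree keeps this example stdlib-only; a production filter should
    # parse untrusted XML with defusedxml to resist entity-expansion payloads.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": None, "nested": [], "decision": "block",
                "reason": "body is not well-formed XML"}
    if root.tag != "methodCall":
        return {"method": None, "nested": [], "decision": "block",
                "reason": "root element is not methodCall"}
    method = (root.findtext("methodName") or "").strip()
    nested = nested_methods(root) if method == "system.multicall" else []
    credential_calls = [m for m in nested if m in CREDENTIAL_METHODS]
    if credential_calls:
        decision = "block"
        reason = f"system.multicall wraps {len(credential_calls)} credential-taking call(s)"
    elif len(nested) > max_nested_calls:
        decision = "block"
        reason = f"system.multicall wraps {len(nested)} calls (limit {max_nested_calls})"
    else:
        decision, reason = "allow", "no amplification pattern found"
    return {"method": method, "nested": nested, "decision": decision, "reason": reason}


if __name__ == "__main__":
    for label, body in (("multicall", MULTICALL_BODY), ("single", SINGLE_BODY)):
        print(label, inspect_xmlrpc_body(body))
```

The body check complements, rather than replaces, per-IP rate limiting: a single wp.getUsersBlogs call still passes this filter, so failed logins through XML-RPC should feed the same lockout counter as wp-login.php.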
Thank you for your valuable assistance. We will discuss these rules and make a decision.
I am getting this error when I use the Android WordPress app to post or add sites…
Rule 240335
SecRule IP:XMLRPC_BLOCK "@eq 1" \
    "id:240335,chain,msg:'COMODO WAF: XML-RPC Attack Identified (CVE-2013-0235)|Source %{tx.real_ip} (%{tx.xmlrpc_block_counter} hits since last alert)|%{tx.domain}|%{tx.mode}|2',phase:2,block,log,t:'none',skip:1,rev:4,severity:2"
    SecRule &IP:XMLRPC_BLOCK_FLAG "@eq 0" \
        "setvar:'ip.xmlrpc_block_flag=1',setvar:'tx.xmlrpc_block_counter=%{ip.xmlrpc_block_counter}+1',setvar:'ip.xmlrpc_block_counter=0',expirevar:'ip.xmlrpc_block_flag=60'"
Thanks
Hello, what kind of error are you getting? Please provide the audit log for this event.