xmlrpc.php, wp-login.php, admin-ajax.php & Joomla administrator attack DDoS

I have enabled DDoS protection in CWAF, but many xmlrpc.php, wp-login.php and admin-ajax.php requests still cause high CPU usage.

Can you help me solve the problem?

csf/lfd is installed and enabled but is not blocking the IP of the wp-login.php attack: COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.

regards

Does the attacker get a 403 response code, or does he get 200? Just look into access.log to get the answer.

Response code 200.

I have 200+ WP sites on the host, and every day there is an attack on another one.

94.254.148.29 - - [22/Mar/2017:14:09:59 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 190722 "http://???????????????/wp-admin/plugin-install.php?s=defense&tab=search&type=term" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:10:08 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 237 "http://???????????????/wp-admin/plugin-install.php?s=defense&tab=search&type=term" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:11:46 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://???????????????/wp-admin/plugins.php?plugin_status=all&paged=1&s" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:11:57 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 23 "http://???????????????/wp-admin/options.php?page=clef" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:13:47 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://???????????????/wp-admin/plugins.php?plugin_status=all&paged=1&s" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:13:58 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 23 "http://???????????????/wp-admin/options.php?page=clef" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:15:48 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://???????????????/wp-admin/plugins.php?plugin_status=all&paged=1&s" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:15:59 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 23 "http://???????????????/wp-admin/options.php?page=clef" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144"
94.254.148.29 - - [22/Mar/2017:14:17:49 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://???????????????/wp-admin/plugins.php?plugin_status=all&paged=1&s" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/5

Any suggestions?
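The question a few posts up ("does the attacker get 403 or 200?") is worth answering for every client at once rather than by eyeballing access.log. The script below is an added example written for this thread, not code from the original posts or from Comodo. It assumes the Apache "combined" log format shown in the lines just posted (client IP first, the request line as fields 6 to 8, the status as field 9); the sample lines it runs on are constructed and use RFC 5737 documentation addresses. It counts POSTs to wp-login.php, xmlrpc.php, admin-ajax.php and Joomla's /administrator/index.php per IP and per status, then lists the IPs that hammered those endpoints and never once received a 403, which is exactly the sign that the WAF brute-force rules are not firing for them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): per-IP, per-status triage of POSTs to the
# WordPress/Joomla login and RPC entry points in an Apache "combined" access.log.
# Assumed layout (as in the posted lines): $1=IP, $6="METHOD, $7=path, $8=HTTP/x.y", $9=status.

# Print "<ip> <path> <status> <count>" for every POST to the watched endpoints,
# highest count first. Query strings are stripped so that
# wp-login.php?redirect_to=... groups together with wp-login.php.
login_post_summary() {
    awk '
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)
            if (path ~ /\/(wp-login|xmlrpc|admin-ajax)\.php$/ || path ~ /\/administrator\/index\.php$/)
                count[$1 " " path " " $9]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort -k4,4nr -k1,1
}

# Print "<ip> <total>" for IPs that sent more than $2 such POSTs and never got a 403:
# these are the clients the brute-force rules are letting straight through to PHP.
unblocked_attackers() {
    login_post_summary "$1" | awk -v thr="$2" '
        { total[$1] += $4; if ($3 == 403) blocked[$1] = 1 }
        END { for (ip in total) if (total[ip] > thr+0 && !(ip in blocked)) print ip, total[ip] }
    ' | sort -k2,2nr
}

# Constructed sample lines (not real traffic), using RFC 5737 documentation addresses.
SAMPLE_LOG='203.0.113.7 - - [22/Mar/2017:14:09:59 +0100] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2017:14:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2017:14:10:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2017:14:10:05 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Mar/2017:14:11:00 +0100] "POST /administrator/index.php HTTP/1.1" 403 199 "-" "curl/7.52.1"
198.51.100.9 - - [22/Mar/2017:14:11:02 +0100] "POST /administrator/index.php HTTP/1.1" 403 199 "-" "curl/7.52.1"
192.0.2.44 - - [22/Mar/2017:14:12:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Mar/2017:14:12:03 +0100] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "== POSTs to login endpoints (ip path status count) =="
login_post_summary "$demo_log"
echo "== IPs with more than 3 such POSTs that never received a 403 =="
unblocked_attackers "$demo_log" 3
rm -f "$demo_log"
```

Run it against a real log with `login_post_summary /path/to/access.log` (on cPanel the per-domain logs live under /usr/local/apache/domlogs/). In the sample, 203.0.113.7 is reported because all four of its POSTs were answered with 200, while 198.51.100.9 is not, because the WAF answered it with 403. One caveat before treating admin-ajax.php counts as an attack: that endpoint is also what the WordPress dashboard itself polls (heartbeat, plugin search, option pages), so a burst of admin-ajax.php POSTs with a /wp-admin/ referer can simply be a logged-in administrator.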

Why are the bruteforce protection rules not working for these login pages?

userdata / Login Pages:

Put your login scripts and paths here. All of them will be protected by bruteforce protection rules.

wp-login.php
login.php
admin.php
dologin.php
/administrator/index.php
/wp-admin/index.php
/wp-admin/admin-ajax.php

These rules are only for login/password-based scripts.

Not working.

Joomla

/administrator/index.php

We’ll check from our side.

Hi jarecki74,

Can you please verify that the Bruteforce rules are enabled?

You can check in the file

/usr/local/cwaf/etc/httpd/global/zzz_exclude_global.conf

and comment out the line that disables brute force protection, by adding a # symbol in front of the line,

e.g.,

# category: Bruteforce
# SecRuleRemoveById 230031 230021......
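Checking the exclude file by eye works for one server; the script below does the same check mechanically, so it can be run across many cPanel hosts. It is an added example for this thread, not Comodo's code and not the poster's file. It assumes the exclude file named in the reply above and that every CWAF brute-force rule carries an ID between 230000 and 230999, which matches the IDs quoted in this thread (230000, 230010, 230020, 230030, 230021, 230031) but is an assumption about the range as a whole. The sample configuration it runs on is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Comodo): audit a CWAF zzz_exclude_global.conf
# for SecRuleRemoveById lines that switch off the brute-force rules, and produce a copy
# with those lines commented out, as the reply above suggests doing by hand.
# Assumption: brute-force rule IDs fall within [BRUTEFORCE_MIN, BRUTEFORCE_MAX].

BRUTEFORCE_MIN=230000
BRUTEFORCE_MAX=230999

# Print every rule ID in the brute-force range that an active (uncommented)
# SecRuleRemoveById line in $1 disables. No output means nothing is excluded.
excluded_bruteforce_ids() {
    awk -v lo="$BRUTEFORCE_MIN" -v hi="$BRUTEFORCE_MAX" '
        /^[[:space:]]*SecRuleRemoveById[[:space:]]/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+$/ && $i+0 >= lo+0 && $i+0 <= hi+0) print $i
        }
    ' "$1" | sort -u
}

# Write a copy of $1 to $2 in which every active SecRuleRemoveById line that disables
# a brute-force rule is commented out with a leading "#". Everything else is kept as-is.
# Note the file header: CWAF regenerates this file, so re-run the audit after any
# change made from the WHM plugin.
comment_out_bruteforce_excludes() {
    awk -v lo="$BRUTEFORCE_MIN" -v hi="$BRUTEFORCE_MAX" '
        /^[[:space:]]*SecRuleRemoveById[[:space:]]/ {
            hit = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+$/ && $i+0 >= lo+0 && $i+0 <= hi+0) hit = 1
            if (hit) { print "# " $0; next }
        }
        { print }
    ' "$1" > "$2"
}

# Constructed sample file (not the poster's): one active Bruteforce exclusion,
# one unrelated Global exclusion, and one exclusion that is already commented out.
SAMPLE_CONF='# Created by CWAF management application
# Note! This file may be modified and any manual changes may be lost!
# category: Global
SecRuleRemoveById 214300 214310
# category: Bruteforce
SecRuleRemoveById 230031 230021
# SecRuleRemoveById 230000
'

demo_conf=$(mktemp)
demo_fixed=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$demo_conf"
echo "== brute-force rule IDs currently excluded =="
excluded_bruteforce_ids "$demo_conf"
comment_out_bruteforce_excludes "$demo_conf" "$demo_fixed"
echo "== after commenting out (should print nothing) =="
excluded_bruteforce_ids "$demo_fixed"
rm -f "$demo_conf" "$demo_fixed"
```

On a live host run `excluded_bruteforce_ids /usr/local/cwaf/etc/httpd/global/zzz_exclude_global.conf` (or the /var/cpanel/cwaf path, whichever your install uses); an empty result means the brute-force rules are not being removed by that file and the cause lies elsewhere, for example in the Login Pages list or a per-domain exclude. Do not write the fixed copy straight over the original without an Apache config test (`apachectl -t`) first.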

It's my zzz_exclude_global.conf.

I don't see these lines:

root@masterhost [/var/cpanel/cwaf/etc/httpd/global]# vi zzz_exclude_global.conf

# Created by CWAF management application
# Note! This file may be modified and any manual changes may be lost!
# Date: 19/03/17 11:37:34 UTC

# category: Outgoing
SecRuleRemoveById 214610 214450 214630 214620 214420 217500 214570 214640 214580 214510 214590 214520 217501 214490 214680 214600 214650 214670 214470 214660 214540 214550 214530 214440 214430 214460 214400 214500 214410 214940 214920 214930 214910 214800 214900

# category: Apps
SecRuleRemoveById 240334 240330 240336 240332 240333 240335 240331 222040

# category: Global
SecRuleRemoveById 214300 214310

It's the info from WHM / Comodo WAF / Catalog:

Item ID   Description                                                                                  Status
230000    COMODO WAF: Brute Force Attack Identified                                                    ON
230010    COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.    ON
230020    COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.    ON
230030    COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.    ON

Hello Jarecki,

Since a resolution for the admin-ajax.php issue has been suggested, we are working on the issue of the bruteforce rules not working on Joomla.

I am grateful for your commitment,

I am waiting impatiently.

regards