Symptoms
There are times when a domain responds slowly or not at all. While investigating the Apache error_log, you find many messages about 'xmlrpc.php' for one domain in a short period of time. This can be a symptom that someone is attempting to brute-force the site through 'xmlrpc.php', WordPress's XML-RPC endpoint, which accepts authenticated requests as well as pingbacks and trackbacks; every request costs PHP time, so a flood of them slows the domain down.
Description
When investigating a potential brute-force attack, you find many errors like these in the Apache error_log:
/etc/apache/logs/error_log
[Mon Feb 1 06:32:06.275256 2021] [access_compat:error] [pid 59779] [client x.x.x.x:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb 1 06:32:06.275256 2021] [access_compat:error] [pid 59779] [client x.x.x.x:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb 1 06:33:06.275256 2021] [access_compat:error] [pid 59779] [client x.x.x.x:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
...
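As an added example (this is not part of the cPanel article), a small POSIX shell script that tallies the AH01797 denials for 'xmlrpc.php' per client address, so you can see at a glance whether the flood comes from a handful of sources. The log lines inside it are constructed from the format above, using documentation-range IP addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not cPanel's code: count "client denied" hits on xmlrpc.php
# per client IP in an Apache error_log, so a flood from a few addresses
# stands out. Assumes the AH01797 line format shown in the article:
#   [client x.x.x.x:port] AH01797: client denied by server configuration: ...

# Constructed sample log (not real traffic): three denials from one client,
# one from another, plus an unrelated error line that must be ignored.
SAMPLE_LOG='[Mon Feb  1 06:32:06.275256 2021] [access_compat:error] [pid 59779] [client 203.0.113.10:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb  1 06:32:07.112233 2021] [access_compat:error] [pid 59779] [client 203.0.113.10:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb  1 06:32:08.000001 2021] [core:error] [pid 59780] [client 198.51.100.7:0] AH00126: Invalid URI in request GET /../ HTTP/1.1
[Mon Feb  1 06:32:09.445566 2021] [access_compat:error] [pid 59781] [client 198.51.100.7:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb  1 06:33:06.275256 2021] [access_compat:error] [pid 59779] [client 203.0.113.10:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php'

# Read error_log lines on stdin; print "<count> <client-ip>" for every client
# that was denied access to xmlrpc.php, most frequent first. The sed pattern
# takes everything between "[client " and the final ":port]", so IPv6
# addresses (which contain colons themselves) are extracted intact.
xmlrpc_denials_by_client() {
    grep 'AH01797' | grep 'xmlrpc\.php' \
      | sed -n 's/.*\[client \([^]]*\):[0-9]*\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Read error_log lines on stdin; print only the client IPs with at least
# $1 denials, i.e. the addresses worth blocking or rate-limiting.
flag_offenders() {
    threshold="$1"
    xmlrpc_denials_by_client | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Example run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_denials_by_client
printf '%s\n' "$SAMPLE_LOG" | flag_offenders 3
```

On a live server, feed the error_log path from the Description to `flag_offenders` with a threshold that fits your traffic. The script counts over the whole input; for an alert you would normally restrict it to a time window first (for example by piping only the last few thousand lines, or grepping for the current hour's timestamp) so that a long-running log does not inflate the counts.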
The AH01797 'client denied by server configuration' message means Apache is already rejecting these requests (for example through a Deny or Require rule), so each line is a blocked attempt; the volume within a short window is the signal. You may wish to protect xmlrpc.php, stop it from being used per domain or server-wide, or remove it from the server. Depending on your server's configuration, one of the following options can be useful.
Workaround
One: To protect 'xmlrpc.php' while leaving it in place, we recommend installing and enabling ModSecurity on the server. ModSecurity lets 'xmlrpc.php' remain on the server while it watches for and blocks abusive request patterns. To enable ModSecurity, use this support article: How to enable ModSecurity™ Domain Manager
---
Two: To stop 'xmlrpc.php' from being used on a per-domain basis, you can disable it through .htaccess. This support article shows how: How to disable xmlrpc.php via .htaccess
---
Three: To stop 'xmlrpc.php' from being used server-wide, add the following code to the Apache Includes on the server. This code requires the Apache module 'mod_alias'; the IfModule wrapper keeps Apache from failing to start if the module is missing, but in that case the redirect silently does nothing, so confirm that mod_alias is loaded. The dot in the pattern is escaped so that only a path containing a file literally named xmlrpc.php matches. Note that a 301 sends the client to its own loopback address instead of returning a 403; the attempts no longer appear as AH01797 errors in error_log but are still recorded in the domain's access_log, where you can keep counting them.
Code to add:
<IfModule mod_alias.c>
RedirectMatch 301 /xmlrpc\.php http://127.0.0.1/
</IfModule>
Location to add Code:
WHM: Home » Service Configuration » Apache Configuration » Include Editor » Pre Main Include
Save the include and restart Apache for the change to take effect.
---
Four: If you wish to remove PHP's XML-RPC support completely, you can remove the RPM that provides it for each PHP version. Note that these packages provide the PHP xmlrpc extension; they do not own the 'xmlrpc.php' file itself, which ships with WordPress in each site's document root and implements XML-RPC with WordPress's own library. Removing the packages therefore does not by itself stop requests to 'xmlrpc.php', so combine this with option two or three if the goal is to block the file.
To remove an RPM, use this support article: How to remove an RPM package
List of xmlrpc RPMs:
CloudLinux:
# rpm -qa | grep -i xmlrpc
alt-php71-xmlrpc-7.1.33-27.el7.x86_64
alt-php70-xmlrpc-7.0.33-59.el7.x86_64
alt-php73-xmlrpc-7.3.30-1.el7.x86_64
alt-php72-xmlrpc-7.2.34-12.el7.x86_64
alt-php56-xmlrpc-5.6.40-57.el7.x86_64
alt-php74-xmlrpc-7.4.23-1.el7.x86_64
CentOS / AlmaLinux:
# yum list | grep -i xmlrpc
ea-php54-php-xmlrpc.x86_64 5.4.45-74.76.14.cpanel EA4
ea-php55-php-xmlrpc.x86_64 5.5.38-57.59.14.cpanel EA4
ea-php56-php-xmlrpc.x86_64 5.6.40-19.21.14.cpanel EA4
ea-php70-php-xmlrpc.x86_64 7.0.33-21.23.12.cpanel EA4
ea-php71-php-xmlrpc.x86_64 7.1.33-12.14.12.cpanel EA4
ea-php72-php-xmlrpc.x86_64 7.2.34-6.8.12.cpanel EA4
ea-php73-php-xmlrpc.x86_64 7.3.30-1.3.1.cpanel EA4
ea-php74-php-xmlrpc.x86_64 7.4.23-1.3.1.cpanel EA4