Question
What to do if you suspect xmlrpc.php files are being exploited?
Answer
There are times when your domain may respond slowly or not at all. While investigating the Apache error_log, you find a domain with a large number of messages about xmlrpc.php in a short period of time. This may be a symptom that someone is trying to brute-force the file, since xmlrpc.php will try to respond to every pingback and trackback request it receives.
When investigating a potential brute-force attack, you find a lot of errors like this in the Apache error_log:
Example entries from /etc/apache/logs/error_log:
[Mon Feb 1 06:32:06.275256 2021] [access_compat:error] [pid 59779] [client x.x.x.x:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb 1 06:32:06.275256 2021] [access_compat:error] [pid 59779] [client x.x.x.x:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
[Mon Feb 1 06:33:06.275256 2021] [access_compat:error] [pid 59779] [client x.x.x.x:0] AH01797: client denied by server configuration: /home/cptest/public_html/xmlrpc.php
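Deciding whether a run of these denials is a brute-force attempt or just a few stray requests is easier with a per-client count over a short time window. The script below is an added example, not part of the cPanel article: it parses Apache 2.4 error_log lines in the format quoted above, keeps only AH01797 denials for xmlrpc.php, and flags any client address that produced at least a threshold number of them inside a sliding one-minute window. The threshold and window are illustrative defaults, and the sample log lines are constructed for this example (the addresses are documentation ranges, not real traffic).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 error_log line layout, as shown in the article's excerpt:
# [timestamp] [module:level] [pid N] [client IP:PORT] AHxxxxx: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]+)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, denied_path) for an AH01797 denial of
    xmlrpc.php, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("code") != "AH01797":
        return None
    msg = m.group("msg")
    if not msg.endswith("/xmlrpc.php"):
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    # Apache appends ":port" to the client field; IPv6 addresses also contain
    # colons, so split on the last one only.
    ip = m.group("client").rsplit(":", 1)[0]
    path = msg.rsplit(": ", 1)[-1]
    return ts, ip, path


def find_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Flag client IPs with at least `threshold` xmlrpc.php denials inside any
    `window`-long span. Returns {ip: highest count seen in one window}.
    Lines are expected in chronological order, as they are in error_log."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample lines (not real traffic): one stray hit from
    198.51.100.7, then 12 denials in 22 seconds from 203.0.113.5, then an
    unrelated error that the parser must ignore."""
    fmt = "%a %b %d %H:%M:%S.%f %Y"
    template = ("[{ts}] [access_compat:error] [pid 59779] [client {ip}:0] "
                "AH01797: client denied by server configuration: "
                "/home/cptest/public_html/xmlrpc.php")
    base = datetime(2021, 2, 1, 6, 32, 6)
    lines = [template.format(ts=base.strftime(fmt), ip="198.51.100.7")]
    for i in range(12):
        ts = base + timedelta(seconds=1 + 2 * i)
        lines.append(template.format(ts=ts.strftime(fmt), ip="203.0.113.5"))
    ts = base + timedelta(seconds=40)
    lines.append("[%s] [core:error] [pid 59780] [client 198.51.100.7:0] "
                 "AH00124: Request exceeded the limit of 10 internal redirects "
                 "due to probable configuration error." % ts.strftime(fmt))
    return lines


if __name__ == "__main__":
    # Against a live server you would pass the open log file instead, e.g.
    # find_bursts(open("/etc/apache/logs/error_log")).
    for ip, hits in find_bursts(build_sample_log()).items():
        print("%s: %d xmlrpc.php denials within one minute" % (ip, hits))
```

The per-IP deque keeps memory bounded to the window, so the same function can be fed the whole error_log or a tail of it. Tune `threshold` to the site's normal pingback volume before acting on a flagged address; a single flagged client is the cue to apply one of the mitigations listed below (ModSecurity, .htaccess, or the server-wide redirect), not proof of compromise.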
You may wish to protect xmlrpc.php, stop it from being used per domain or server-wide, or remove it from the server. Depending on your server's configuration, one of these options can be useful.
- To protect xmlrpc.php, we recommend installing and enabling ModSecurity on the server. This allows xmlrpc.php to remain on the server while ModSecurity watches for certain connection behaviors. To enable ModSecurity, use this support article: How to enable ModSecurity™ Domain Manager
- To stop xmlrpc.php from being used on a per-domain basis, you can disable it through .htaccess. This support article shows how: How to disable xmlrpc.php via .htaccess
- To stop xmlrpc.php from being used server-wide, add the following code to the Apache Includes on the server. This code only takes effect if the Apache module mod_alias is installed. Note that RedirectMatch takes a regular expression, so this pattern matches any request path that contains /xmlrpc.php.
Code to add:
<IfModule mod_alias.c>
RedirectMatch 301 /xmlrpc.php http://127.0.0.1/
</IfModule>
Location to add the code:
WHM / Home / Service Configuration / Apache Configuration / Include Editor / Pre Main Include
- If you wish to remove xmlrpc.php completely, you can remove the RPM that provides it. To remove an RPM, use this support article: How to remove an RPM package
List of RPMs for xmlrpc.php:
CloudLinux:
# rpm -qa | grep -i xmlrpc
alt-php71-xmlrpc-7.1.33-27.el7.x86_64
alt-php70-xmlrpc-7.0.33-59.el7.x86_64
alt-php73-xmlrpc-7.3.30-1.el7.x86_64
alt-php72-xmlrpc-7.2.34-12.el7.x86_64
alt-php56-xmlrpc-5.6.40-57.el7.x86_64
alt-php74-xmlrpc-7.4.23-1.el7.x86_64
CentOS / AlmaLinux:
# yum list | grep -i xmlrpc
ea-php54-php-xmlrpc.x86_64 5.4.45-74.76.14.cpanel EA4
ea-php55-php-xmlrpc.x86_64 5.5.38-57.59.14.cpanel EA4
ea-php56-php-xmlrpc.x86_64 5.6.40-19.21.14.cpanel EA4
ea-php70-php-xmlrpc.x86_64 7.0.33-21.23.12.cpanel EA4
ea-php71-php-xmlrpc.x86_64 7.1.33-12.14.12.cpanel EA4
ea-php72-php-xmlrpc.x86_64 7.2.34-6.8.12.cpanel EA4
ea-php73-php-xmlrpc.x86_64 7.3.30-1.3.1.cpanel EA4
ea-php74-php-xmlrpc.x86_64 7.4.23-1.3.1.cpanel EA4