Unable to stop large xmlrpc spam attack
I have been under a large spam attack against the xmlrpc.php file on multiple sites on a server and have tried everything I can think of to stop it, but nothing is working.
So far I have tried the following:
Blocking the IPs in iptables - doesn't work
Adding the following rule to .htaccess - doesn't work
# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
Setup the following Fail2ban jail and filter - doesn't work
Not all WP core and plugins are fully up to date on all sites, but none are far behind on updates and updating does nothing too. Right now multiple sites are just flooded with hundreds of POST requests to xmlrpc and the server is at something like 150% CPU and basically unusable. Finally the only solution I have found is to suspend a site in WHM; then the attack stops for that site but just continues for others, and obviously I can't just suspend all the sites. Any help here would be appreciated :(
EDIT: and I should add that I have Wordfence running on nearly all the sites, which they claim they can block.
Update: I looked closer at some of the CloudFlare settings for some of the affected sites and tried adding the set of IPs where all the requests were coming from. Nothing seemed to change. I then tried adding these IPs to iptables DROP rules again, but this time using -I instead of -A, e.g.
iptables -I INPUT -s IP-ADDRESS -j DROP
service iptables save
and this seems to work, as all the attacks stop then. This is obviously not much use to me though, as I can't be expected to manually enter IPs to block. Also I checked again 2.5 hrs later and it had started again; it seemed that all the iptables rules that I had added had gone... I should add that I also have ModSecurity installed and set up with OWASP ModSecurity Core Rule Set V3.0, but that clearly seems to be ineffective here...
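The step the original poster is missing is an automatic way to find the source IPs that are flooding xmlrpc.php and turn them into the iptables -I DROP rule that did work. The following is an added example, not code from the thread, from cPanel, or from the fail2ban project: it parses Apache combined-format access log lines with a fail2ban-style failregex, applies fail2ban's maxretry/findtime idea (N POSTs to xmlrpc.php from one IP inside a sliding time window) and renders the DROP rules. The log lines are constructed, and the names find_offenders, maxretry and findtime_seconds are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
# 203.0.113.10 sends five POSTs in two seconds; 198.51.100.7 sends two, five minutes apart;
# 192.0.2.44 never touches xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2020:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2020:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2020:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2020:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2020:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2020:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2020:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2020:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Same shape as a fail2ban failregex: capture the client IP and timestamp of each POST to xmlrpc.php.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /xmlrpc\.php[^"]*"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_xmlrpc_posts(log_text):
    """Yield (ip, datetime) for every POST /xmlrpc.php line; all other requests are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_offenders(log_text, maxretry=5, findtime_seconds=60):
    """Return the sorted IPs that made at least `maxretry` POSTs to xmlrpc.php
    within any `findtime_seconds` window (fail2ban's maxretry/findtime semantics)."""
    window = timedelta(seconds=findtime_seconds)
    hits = defaultdict(list)
    for ip, ts in parse_xmlrpc_posts(log_text):
        hits[ip].append(ts)

    offenders = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                offenders.add(ip)
                break
    return sorted(offenders)


def drop_rules(offenders):
    """Render DROP rules inserted at the top of INPUT with -I, the form the thread found effective."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG)
    print("offending IPs:", bad)
    for rule in drop_rules(bad):
        print(rule)
```

Run against a real access log, only 203.0.113.10 trips the default threshold here; the second host stays under it because its two requests fall outside one 60-second window. The same regex and thresholds can be carried over into a fail2ban filter and jail, which also answers the "rules disappeared after 2.5 hours" problem, since fail2ban re-applies its own bans after a restart rather than relying on `service iptables save`.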
Add xmlrpc deny in Apache Configuration - Pre VirtualHost Include - All versions. It should block all xmlrpc attacks.
Order Allow,Deny
deny from all
Hello, You may find the discussion on the following thread helpful: Thank you.
Add xmlrpc deny in Apache Configuration - Pre VirtualHost Include - All versions. It should block all xmlrpc attacks.
Order Allow,Deny
deny from all
thanks but already had that added
Hello, It's possible the attack stopped temporarily, or one of the previous steps you took to block it is now working. You may want to consider reaching out to a qualified system administrator for help determining the source of the attack and implementing a solution to prevent it. We provide a list of companies offering system administration services at: Thank you.