My WordPress installation is under xmlrpc attack! What can I do?


Example Logs:
105.156.217.220 - - [20/Jul/2016:08:21:39 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
105.156.217.220 - - [20/Jul/2016:08:21:42 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
104.221.53.131 - - [20/Jul/2016:08:30:28 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
104.221.53.131 - - [20/Jul/2016:08:30:30 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
185.67.177.62 - - [20/Jul/2016:09:28:35 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
185.67.177.62 - - [20/Jul/2016:09:28:37 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.133.71.145 - - [20/Jul/2016:13:09:48 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.133.71.145 - - [20/Jul/2016:13:09:51 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
105.154.210.243 - - [20/Jul/2016:15:51:50 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
105.154.210.243 - - [20/Jul/2016:15:52:03 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
99.243.17.39 - - [20/Jul/2016:18:31:39 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
99.243.17.39 - - [20/Jul/2016:18:31:41 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
125.165.78.123 - - [21/Jul/2016:03:01:22 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
39.50.134.220 - - [21/Jul/2016:08:16:20 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
39.50.134.220 - - [21/Jul/2016:08:16:23 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
212.204.161.116 - - [21/Jul/2016:08:42:11 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
212.204.161.116 - - [21/Jul/2016:08:42:11 -0400] "POST /xmlrpc.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
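
To confirm this pattern in your own access log, the following added Python example (not part of the original entry) groups POSTs to /xmlrpc.php by User-Agent; each address in the example logs sends only a couple of requests, so a per-IP threshold alone would miss them. The sample lines, the ExampleBlogApp agent and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the example logs above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
APP_UA = "ExampleBlogApp/1.0"  # hypothetical legitimate XML-RPC client

def _entry(ip, time, request, agent, status=302):
    return f'{ip} - - [20/Jul/2016:{time} -0400] "{request} HTTP/1.1" {status} - "-" "{agent}"'

# Constructed sample (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = "\n".join(
    [_entry(f"192.0.2.{n}", f"08:{n}:{s}", "POST /xmlrpc.php", BOT_UA)
     for n in (11, 12, 13, 14) for s in ("39", "42")]
    + [_entry("198.51.100.7", "09:00:01", "POST /xmlrpc.php", APP_UA),
       _entry("203.0.113.5", "09:05:10", "GET /index.php", BOT_UA, 200)]
)

def xmlrpc_posts(log_text):
    """Map User-Agent -> {client IP -> number of POSTs to /xmlrpc.php}."""
    by_agent = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["method"] == "POST" and m["path"].split("?")[0] == "/xmlrpc.php":
            by_agent[m["agent"]][m["ip"]] += 1
    return by_agent

def noisy_ips(log_text, threshold=10):
    """Per-IP rule: addresses with at least `threshold` POSTs to /xmlrpc.php."""
    totals = defaultdict(int)
    for ips in xmlrpc_posts(log_text).values():
        for ip, n in ips.items():
            totals[ip] += n
    return sorted(ip for ip, n in totals.items() if n >= threshold)

def distributed_agents(log_text, min_ips=3):
    """(agent, distinct IPs, total POSTs) for agents seen from >= `min_ips` addresses."""
    return sorted(
        (agent, len(ips), sum(ips.values()))
        for agent, ips in xmlrpc_posts(log_text).items()
        if len(ips) >= min_ips
    )

if __name__ == "__main__":
    print("per-IP rule flags:", noisy_ips(SAMPLE_LOG))
    print("shared agents:", distributed_agents(SAMPLE_LOG))
```

On the constructed sample the per-IP rule flags nothing, while the shared User-Agent stands out as 8 POSTs from 4 addresses.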

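In the root directory of your WordPress installation, create a new file named "mytools.php" (the name the include below expects) with the following content:
<?php
// Return a random alphanumeric string of $strl characters.
function RandomString($strl=3) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $randstring = '';
    for ($i = 0; $i < $strl; $i++) {
        // rand() is inclusive at both ends, so the upper bound is the last valid index.
        $randstring = $randstring.$characters[rand(0, strlen($characters) - 1)];
    }
    return $randstring;
}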


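Also add a couple of lines to your "xmlrpc.php" file:
<?php include_once('./mytools.php');
// Redirect every request to a randomly generated address and stop before WordPress handles it.
header("Location: https://".RandomString(3).RandomString(3).".".RandomString(3)."/".RandomString(3).".php");
die();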


You are all set. After the attack has been mitigated, remove the additions from the "xmlrpc.php" file.

Last update: 2016-07-24 18:40
Author: Admin
Revision: 1.13