Jun 22 2016

xmlrpc attacks and how to handle them

Category: Technical
Iuliana @ 23:05

Here I am managing my own blog. Last week the blog crashed, which made no sense because everything was brand new and the setup on my Amazon instance was pristine. So when I got home I started investigating, and the only hint as to what happened was a lot of entries in /var/log/httpd/access_log, entries that looked like this:

64.137.235.207 - - [22/Jun/2016:18:19:44 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
64.137.235.218 - - [22/Jun/2016:18:19:45 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
64.137.235.218 - - [22/Jun/2016:18:19:48 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
64.137.235.207 - - [22/Jun/2016:18:19:50 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

I had no idea what these were and what to do about them, so the first thing I did was to ask my dear friend Google. And I found this guy. I did everything he recommended and this week it happened again.

So I did what everyone who manages a blog and the machine it runs on would do: I asked the previous administrator if he knew what to do about it. He said that this kind of attack on my blog happened all the time when he was administering it, but he manually took the IP ranges and added them to iptables with DROP. Plus, the previous server was more powerful, so the effect of the attack was not visible. My micro Amazon machine is quite a defenseless victim.
So I did what could be done at this point: modify the iptables settings to be more restrictive.

#This will reject connections above 15 from one source IP (mask 32 = per single address).
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
#Here a burst of 160 new connections (SYN packets, really) is allowed before the limit of 150 NEW connections (packets) per second applies.
#The rule must match NEW state; matching RELATED,ESTABLISHED would throttle connections that are already open instead of new ones.
iptables -A INPUT -m state --state NEW -m limit --limit 150/second --limit-burst 160 -j ACCEPT
#The limit rule only admits the allowance; NEW web connections above it fall through to this rule and are dropped (scoped to port 80 so other services such as SSH are not locked out).
iptables -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j DROP

But this is not enough. I want to shame the organizations allowing this to happen, so I wrote a Java program to analyze the access_log file and extract the IP ranges and the organizations they map to. Below you can see the full list of culprits:

AT&T Internet Services; Richardson
African Network Information Center; Ebene
Amazon Technologies Inc.; Seattle
Asia Pacific Network Information Centre; South Brisbane
CLGW; Kennett
KW Datacenter; Petersburg; 104.233.88.236
Latin American and Caribbean IP address Regional Registry; Montevideo
MCI Communications Services, Inc. d/b/a Verizon Business; Ashburn
Qwest Communications Company, LLC; Monroe
RIPE Network Coordination Centre; Amsterdam
Shaw Communications Inc.; Calgary
Time Warner Cable Internet LLC; Herndon
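As an added example (not the author's Java program), here is the same analysis in Python: it counts POST /xmlrpc.php hits per source IP from access_log lines, groups them into /24 ranges, and emits the iptables DROP commands the post mentions for ranges over a threshold. The sample log lines, the 203.0.113.9 address and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache combined-log prefix: client IP, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, modelled on the entries quoted in the post (UA shortened);
# 203.0.113.9 is a constructed address standing in for a legitimate visitor.
SAMPLE_LOG = """\
64.137.235.207 - - [22/Jun/2016:18:19:44 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0"
64.137.235.218 - - [22/Jun/2016:18:19:45 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0"
64.137.235.218 - - [22/Jun/2016:18:19:48 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0"
64.137.235.207 - - [22/Jun/2016:18:19:50 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0"
203.0.113.9 - - [22/Jun/2016:18:20:01 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jun/2016:18:20:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

def xmlrpc_hits(lines):
    """Count POST /xmlrpc.php requests per source IP; other requests and unparsable lines are ignored."""
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group('method') == 'POST' and m.group('path').startswith('/xmlrpc.php'):
            per_ip[m.group('ip')] += 1
    return per_ip

def group_by_family(per_ip):
    """Aggregate per-IP counts into /24 'IP families', the post's term for source ranges."""
    families = defaultdict(Counter)
    for ip, n in per_ip.items():
        families['.'.join(ip.split('.')[:3]) + '.0/24'][ip] = n
    return families

def drop_rules(per_ip, threshold=3):
    """One iptables DROP per /24 whose xmlrpc.php POST total reaches threshold (assumed value)."""
    rules = []
    for net, ips in sorted(group_by_family(per_ip).items()):
        total = sum(ips.values())
        if total >= threshold:  # a lone legitimate client (e.g. a WordPress app) stays below it
            rules.append(f'iptables -A INPUT -s {net} -j DROP  # {total} hits from {len(ips)} IPs')
    return rules

if __name__ == '__main__':
    for rule in drop_rules(xmlrpc_hits(SAMPLE_LOG.splitlines())):
        print(rule)
```

Feed it the real file with drop_rules(xmlrpc_hits(open('/var/log/httpd/access_log'))) and review the output before applying it: a /24 can contain legitimate visitors sharing a provider's range.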

The requests spamming this blog came from 401 IPs. I could write a script to block connections from all of them to this blog, but I don't have the time. So I'll just leave the rules above in iptables and see if there is need for anything more drastic. But I really hope it won't be for a while.
Below is the IP list, in case somebody is interested.
