Jun 22 2016

xmlrpc attacks and how to handle them

Category: Technical
Iuliana @ 23:05

Here I am managing my own blog. Last week the blog crashed. Which made no sense because everything was brand new and the setup on my Amazon instance was pristine. So when I got home I started investigating. And the only hint as to what happened were a lot of entries in /var/log/httpd/access_log, entries that looked like this:

- - [22/Jun/2016:18:19:44 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
- - [22/Jun/2016:18:19:45 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
- - [22/Jun/2016:18:19:48 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
- - [22/Jun/2016:18:19:50 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

I had no idea what these were and what to do about them, so the first thing I did was to ask my dear friend Google. And I found this guy. I did everything he recommended and this week it happened again.

So I did what every person who manages a blog and the machine it runs on would do. I asked the previous administrator if he knew what to do about it. And he said that these kinds of attacks on my blog happened all the time when he was administering it, but he manually took the IP classes and added them to iptables with DROP. Plus, the previous server was more powerful and the effect of the attack was not visible. My micro Amazon machine is quite a defenseless victim.
So I did what could be done at this point: modify the iptables settings to be more restrictive.

# Reject a new TCP connection to port 80 once the source IP (--connlimit-mask 32 = a single
# address) already has more than 15 open connections.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Accept RELATED/ESTABLISHED packets at up to 150 per second after an initial burst of 160.
# Note: this matches packets of existing connections, not NEW ones, and packets over the limit
# are not dropped here; they fall through to the rules that follow, so a later DROP is needed for the limit to bite.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT

But this is not enough, I want to shame the organizations allowing this to happen, so I created a Java program to analyze the access_log file and extract the IP ranges and the organizations they belong to. So below, you can see the full list of culprits:

AT&T Internet Services; Richardson
African Network Information Center; Ebene
Amazon Technologies Inc.; Seattle
Asia Pacific Network Information Centre; South Brisbane
CLGW; Kennett
KW Datacenter; Petersburg
Latin American and Caribbean IP address Regional Registry; Montevideo
MCI Communications Services, Inc. d/b/a Verizon Business; Ashburn
Qwest Communications Company, LLC; Monroe
RIPE Network Coordination Centre; Amsterdam
Shaw Communications Inc.; Calgary
Time Warner Cable Internet LLC; Herndon

The requests spamming this blog came from 401 IPs. I could write a script to block connections from all of them to this blog, but I don't have the time. So I'll just leave the rules above for iptables and I'll see if there is need for anything else more drastic. But I really hope it won't be for a while.
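What the Java analyzer and the "script to block all of them" mentioned above would do, as an added example that is not the post's own code: parse access_log lines of the shape shown at the top of the post, count POST /xmlrpc.php hits per client IP, group the offenders into /24 networks (the "IP classes" the previous administrator blocked by hand), and emit iptables DROP rules as strings for review. The sample log lines are constructed with RFC 5737 documentation addresses; the page's own entries had the client IP stripped, so the addresses here are assumptions, as are the threshold values.

```python
"""Detect xmlrpc.php POST floods in an Apache access_log and emit iptables DROP rules.
Added example (not the post's Java program); sample log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Apache combined log format: client IP is the first field, as in the post's entries.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample (RFC 5737 test addresses): two hosts in one /24 hammering xmlrpc.php,
# one lone prober, one ordinary reader whose client also does a legitimate xmlrpc call,
# and one malformed line that a parser must tolerate.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2016:18:19:44 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.10 - - [22/Jun/2016:18:19:45 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.10 - - [22/Jun/2016:18:19:48 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.77 - - [22/Jun/2016:18:19:50 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.77 - - [22/Jun/2016:18:19:51 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.5 - - [22/Jun/2016:18:20:01 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.9 - - [22/Jun/2016:18:20:02 +0000] "GET /2016/06/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jun/2016:18:20:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.5; http://example.invalid"
this line is not a log entry and must be skipped
"""


def parse(lines):
    """Yield (ip, method, path, status) for each well-formed line; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def xmlrpc_hits(lines, path="/xmlrpc.php"):
    """Per-IP count of POSTs to xmlrpc.php, whatever the status (a 200 is still a probe)."""
    counts = Counter()
    for ip, method, req_path, _status in parse(lines):
        if method == "POST" and req_path.split("?")[0] == path:
            counts[ip] += 1
    return counts


def offenders(lines, threshold=2):
    """IPs with at least `threshold` xmlrpc POSTs, most active first (threshold is an assumption)."""
    return [(ip, n) for ip, n in xmlrpc_hits(lines).most_common() if n >= threshold]


def ip_families(ip_list, prefix=24):
    """Group IPv4 addresses by /prefix network; returns {network_cidr: [ips]}."""
    families = {}
    for ip in ip_list:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        families.setdefault(str(net), []).append(ip)
    return families


def drop_rules(lines, threshold=2, min_hosts_for_prefix=2):
    """Build iptables commands: one /24 DROP when >= min_hosts_for_prefix offenders share the
    network, otherwise a per-IP DROP. Returned as strings only; nothing is executed."""
    ips = [ip for ip, _ in offenders(lines, threshold)]
    rules = []
    for net, members in sorted(ip_families(ips).items()):
        if len(members) >= min_hosts_for_prefix:
            rules.append(f"iptables -I INPUT -s {net} -p tcp --dport 80 -j DROP")
        else:
            for ip in members:
                rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP")
    return rules


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()  # replace with open("/var/log/httpd/access_log")
    for ip, n in offenders(lines):
        print(f"{ip:15} {n} x POST /xmlrpc.php")
    print("\n".join(drop_rules(lines)))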
Below is the IP list, in case somebody is interested.
