
I'm running some web pages on Apache 2.4.

At the moment I can see a lot of connections like these on the status page:

Srv PID Acc M   CPU SS  Req Conn    Child   Slot    Client  VHost   Request
2-0 -   0/0/5   .   1297.48 944 2482371 0.0 0.00    0.26    82.xx.xxx.xx    example.com:7080    POST /xmlrpc.php HTTP/1.0

As you can see, this connection needs a lot of CPU power and runs for a very long time.

How can I shut down those connections? ModSecurity with the Comodo ruleset did not detect this as an attack.

MyFault · 893 · 3 · 14 · 35

1 Answer

3

It looks like you have been targeted by some "WordPress Brute Force Amplification Attack" that, among other factors, relies heavily on the xmlrpc.php application you're mentioning.

Even though I'm not a WordPress expert, when I was hit by those attempts, I quickly realized that xmlrpc.php could be blocked/removed without any major drawbacks as... it's used only when your WordPress is "federated" with other WordPress sites and needs to exchange data with them. xmlrpc.php has no role in the common usage of common WordPress sites.

Again: I'm not a WordPress expert, so please investigate further before acting and... at the very least, you should be able to carefully choose which remote IPs can be granted HTTP access to xmlrpc.php.

Damiano Verzulli · 3,948 · 1 · 20 · 30