Score:0

Block `//xmlrpc.php`


I'm getting tens of thousands of (quite probably malicious) hits on Apache which are bringing the server down. All hits look like this on the Apache log:

[30/Jan/2022:21:57:41 +0000] "POST //xmlrpc.php HTTP/1.1" 200 630 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"

(Note the double slash. I don't know what it means.)

I have added the rule below on .htaccess to try to mitigate the server load:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^//xmlrpc.php
RewriteRule .* - [F,L]
</IfModule>

When I run `curl -kIL -X POST -H 'Host: [REDACTED]' https://127.0.0.1:443/xmlrpc.php`, I get the 403 error code.

However, apparently it is not enough: according to the log, Apache keeps returning 200 for the requests with two slashes. How can I block these requests (return 403)? How can I use curl / wget / etc to check if the block is active?

I need a rule to prevent "POST //xmlrpc.php HTTP/1.1" from returning 200 (HTTP OK) and return 403 instead.
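As an added example (not part of the question or the answers), here is a small log check for the situation described above: it parses Apache access-log lines of the shape shown in the question, treats `/xmlrpc.php`, `//xmlrpc.php` and any longer run of slashes as the same target, and reports which status codes POSTs to it are still getting. The log lines in `SAMPLE_LOG` are constructed for the example; a `200` count of zero after reloading the rule is the evidence the question asks for.

```python
import re
from collections import Counter

# Matches the request part of an Apache access-log line as quoted in the question.
# re.search is used so a leading client IP / ident / user field does not matter.
LOG_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines in the same format as the question's log excerpt.
SAMPLE_LOG = """\
[30/Jan/2022:21:57:41 +0000] "POST //xmlrpc.php HTTP/1.1" 200 630 "-" "Mozilla/5.0"
[30/Jan/2022:21:57:42 +0000] "POST //xmlrpc.php HTTP/1.1" 200 630 "-" "Mozilla/5.0"
[30/Jan/2022:21:57:43 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
[30/Jan/2022:21:57:44 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
[30/Jan/2022:21:57:45 +0000] "POST ///xmlrpc.php HTTP/1.1" 200 630 "-" "Mozilla/5.0"
"""


def normalize_path(path):
    """Drop any query string and collapse runs of slashes, so that
    //xmlrpc.php and /xmlrpc.php compare equal."""
    return re.sub(r'/{2,}', '/', path.split('?', 1)[0])


def xmlrpc_status_counts(log_text):
    """Return {status_code: count} for POST requests to xmlrpc.php,
    regardless of how many leading slashes the request line used."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m['method'] != 'POST':
            continue
        if normalize_path(m['path']) == '/xmlrpc.php':
            counts[int(m['status'])] += 1
    return dict(counts)


def block_is_effective(log_text):
    """True when no POST to xmlrpc.php (with any number of slashes) still got a 200."""
    return xmlrpc_status_counts(log_text).get(200, 0) == 0


if __name__ == '__main__':
    print(xmlrpc_status_counts(SAMPLE_LOG))  # {200: 3, 403: 1}
    print('blocked:', block_is_effective(SAMPLE_LOG))  # blocked: False
```

Run it against the real access log (`python3 check.py < access_log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) before and after reloading the rule; to exercise the double-slash path with curl as the question asks, request `//xmlrpc.php` rather than `/xmlrpc.php` in the URL.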

Chris:
*but the //xmlrpc.php keep showing on the log.* It's not clear to me. Is the issue related to the double slash `//`? A 403 response means *it works*, but the rule does not prevent requests from being logged; that's another thing.
That Brazilian Guy:
I need a rule to prevent `"POST //xmlrpc.php HTTP/1.1"` from returning 200 (HTTP OK). How do I achieve that?
Chris:
I just tested the RewriteCond and it does not work. The only thing that works is `RewriteCond %{REQUEST_URI} ^/xmlrpc.php`, with 1 slash, which blocks both `/xmlrpc.php` and `//xmlrpc.php`. If you want to block all requests it's good for you, but if you want to block only requests with a double slash, I don't know.
Score:1

Disable XML-RPC on your WordPress installation as quickly as possible. It is a big security risk, and the problem you are seeing now is only the beginning of it. See for example https://www.getastra.com/blog/cms/wordpress-security/wordpress-xml-rpc-exploit-everything-you-need-to-know/ for details. (Not affiliated in any way.)
