lev neiman dot com

Ukrainians, WordPress and xmlrpc.php

On this sunny day of February 28, 2016, the year of our Lord, I woke up to a bunch of emails telling me that the MySQL database on this fine server had gone down a whole number of times.

SSH didn't work, until it did, at which point I could not execute any command because the OS could not fork anything for lack of free memory.

Once top managed to run, I saw that everything was dominated by a big array of apache2 processes, which pointed to some sort of DoS attack.

After a nice reboot (and a backup in between, of course!) I took a look at the logs and discovered a whole bunch of accesses like these:


185.93.185.249 - - [28/Feb/2016:21:40:49 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.247 - - [28/Feb/2016:21:41:10 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.249 - - [28/Feb/2016:21:41:35 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.247 - - [28/Feb/2016:21:42:22 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:30 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:36 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:52 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.254 - - [28/Feb/2016:21:42:55 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.254 - - [28/Feb/2016:21:44:01 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"

As the first order of business, I moved xmlrpc.php somewhere out of sight (who needs it anyway? I can post shit just fine!), then capped the number of processes Apache can spawn and added some golden rules to iptables:


# block Ukrainians
iptables -I INPUT -m iprange --src-range 185.93.185.1-185.93.185.254 -j DROP
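As an added example (not from the original post), here is a small Python detector that parses access-log lines of the kind quoted above, groups POSTs to xmlrpc.php by /24 prefix, and renders the same iprange DROP rule for any prefix that crosses a threshold. The sample log lines are constructed from the ones above, and the threshold of 3 is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the post's log lines, plus one normal visitor.
SAMPLE_LOG = """\
185.93.185.249 - - [28/Feb/2016:21:40:49 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.247 - - [28/Feb/2016:21:41:10 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:30 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.254 - - [28/Feb/2016:21:42:55 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
203.0.113.7 - - [28/Feb/2016:21:43:00 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    # One access-log line -> dict of fields (timestamp parsed), or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def xmlrpc_floods(log_text, path="/xmlrpc.php", threshold=3):
    """Group POSTs to `path` by /24 prefix; report prefixes with >= threshold hits,
    their distinct source IPs and the span in seconds. Threshold is an assumed tuning value."""
    by_prefix = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            by_prefix[".".join(rec["ip"].split(".")[:3])].append(rec)
    floods = {}
    for prefix, recs in by_prefix.items():
        if len(recs) >= threshold:
            times = [r["ts"] for r in recs]
            floods[prefix] = {
                "hits": len(recs),
                "ips": sorted({r["ip"] for r in recs}),
                "seconds": int((max(times) - min(times)).total_seconds()),
            }
    return floods

def iptables_rule(prefix):
    # Render the same iprange DROP rule the post used, for one /24 prefix.
    return f"iptables -I INPUT -m iprange --src-range {prefix}.1-{prefix}.254 -j DROP"
```

Run against the constructed sample, `xmlrpc_floods(SAMPLE_LOG)` flags only the 185.93.185.0/24 prefix (4 POSTs from 4 hosts in 126 seconds) and leaves the ordinary GET visitor alone.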

And now you can read this!