
I'm getting tens of thousands of (quite probably malicious) hits on Apache which are bringing the server down. All hits look like this on the Apache log:

[30/Jan/2022:21:57:41 +0000] "POST //xmlrpc.php HTTP/1.1" 200 630 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"

(Note the double slash. I don't know what it means.)

I have added the rule below on .htaccess to try to mitigate the server load:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^//xmlrpc.php
RewriteRule .* - [F,L]
</IfModule>

When I run curl -kIL -X POST -H 'Host: [REDACTED]' https://127.0.0.1:443/xmlrpc.php, I get the 403 error code.

However, apparently it is not enough: according to the log, Apache keeps returning 200 for the requests with two slashes. How can I block these requests (return 403)? How can I use curl / wget / etc to check if the block is active?

I need a rule to prevent "POST //xmlrpc.php HTTP/1.1" from returning 200 (HTTP OK) and return 403 instead.

  • *but the //xmlrpc.php keeps showing in the log.* It's not clear to me. Is the issue related to the double slash `//`? A 403 response means *it works*, but the rule does not prevent requests from being logged; that's another thing. – Chris Jan 31 '22 at 17:33
  • I need a rule to prevent `"POST //xmlrpc.php HTTP/1.1"` from returning 200 (HTTP OK). How do I achieve that? – That Brazilian Guy Jan 31 '22 at 17:55
  • I just tested the RewriteCond and it does not work. The only thing that works is `RewriteCond %{REQUEST_URI} ^/xmlrpc.php`, with 1 slash, which blocks both `/xmlrpc.php` and `//xmlrpc.php`. If you want to block all requests, it's good for you, but if you want to block only requests with a double slash, I don't know. – Chris Jan 31 '22 at 18:57

1 Answer


Disable XML-RPC on your WordPress installation as quickly as possible. It is a big security risk, and the problem you are seeing now is only the beginning of it. See for example https://www.getastra.com/blog/cms/wordpress-security/wordpress-xml-rpc-exploit-everything-you-need-to-know/ for details. (Not affiliated in any way.)

Tilman Schmidt
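An added example, not code from the question or the answer above: a rewrite rule that refuses xmlrpc.php whether the request line carries one slash or two, plus a curl probe for the "how do I check" part of the question. It assumes the site is served on https://127.0.0.1:443 as in the question and uses example.com as a placeholder Host header; the comments explain the double-slash mismatch (Apache 2.4.39 and later collapse repeated slashes before mod_rewrite evaluates %{REQUEST_URI}, which is consistent with what Chris observed).

```shell
#!/bin/sh
# Added example (not code from the question or the answer). Assumes the site is
# served on https://127.0.0.1:443 as in the question, and that the Host header
# passed in is the site's real name (example.com below is a placeholder).
# Apache 2.4.39+ collapses consecutive slashes in the path (MergeSlashes On by
# default) before mod_rewrite sees %{REQUEST_URI}, which is why ^//xmlrpc.php
# never matches even though the access log prints the raw "POST //xmlrpc.php".
# Matching one-or-more slashes (/+) works on both older and newer versions.

# Print an .htaccess fragment that answers 403 to any xmlrpc.php request
# (any method, not only POST), however many leading slashes the client sent.
# Append it with:  xmlrpc_htaccess_rule >> /path/to/docroot/.htaccess
xmlrpc_htaccess_rule() {
    cat <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
# /+ matches "/xmlrpc.php" and "//xmlrpc.php"; \. keeps the dot literal.
RewriteCond %{REQUEST_URI} ^/+xmlrpc\.php$ [NC]
# [F] sends 403 and implies [L]; the pattern ^ matches every request path.
RewriteRule ^ - [F]
</IfModule>
EOF
}

# Return the HTTP status code for a POST to path $2 on the local server,
# sending $1 as the Host header so the right virtual host answers.
probe_status() {
    curl -ks -o /dev/null -w '%{http_code}' -X POST -H "Host: $1" \
        "https://127.0.0.1:443$2"
}

# Succeed (exit 0) only if both path spellings now get 403; otherwise print
# the first one that does not, with the status it actually got.
verify_block() {
    for p in /xmlrpc.php //xmlrpc.php; do
        code=$(probe_status "$1" "$p")
        [ "$code" = "403" ] || { echo "$p -> $code (not blocked)"; return 1; }
    done
    echo "xmlrpc.php returns 403 for both path forms"
}

# Usage: sh this_script.sh example.com   (placeholder host name)
if [ "$#" -eq 1 ]; then
    verify_block "$1"
fi
```

The rule only stops the traffic at the web server; the answer's advice to disable XML-RPC in WordPress itself remains the durable fix.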