WordPress xmlrpc.php attack
This morning I woke up and found a "more than 90% CPU use over 2h" report in my inbox.
Hmm... interesting. Did I become famous overnight, or am I under attack?
A quick look at the server showed the CPU was still maxed out.
Did I introduce some weird bug?
Let me check the Nginx requests.
My hopes of fame rose for a moment, but the load was too constant; it looked more like a brute-force attack.
First things first: I ran top and found php-fpm eating all of my CPU.
Then tail /var/log/nginx/access.log showed that someone was brute-forcing me:
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
A quick Google search confirmed it: this is the well-known attack on WordPress's XML-RPC endpoint. Bots POST to xmlrpc.php to guess passwords, and because the endpoint supports system.multicall they can pack hundreds of login attempts into a single request, so every 200 response above cost real php-fpm time, which is why the CPU was pegged. Note also that 172.21.0.6 is private RFC 1918 space: if Nginx sits behind a proxy or on a container network, the real client address is in X-Forwarded-For, which matters if you ever want to block by IP rather than by path.
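To turn that eyeballing of tail into something repeatable, here is an added example (not from the original post) that parses nginx combined-format lines, counts POSTs to /xmlrpc.php per source address inside a sliding time window, and reports sources at or above a threshold. The sample lines are constructed to mirror the ones above; the 60-second window and threshold of 20 are assumed values, not figures from the page. It also flags private source addresses, since a logged 172.21.0.6 usually means the real client is behind a proxy.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log_format, the default for access.log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_offenders(lines, window_seconds=60, threshold=20):
    """Map each source IP to its peak count of POST /xmlrpc.php requests
    within any window_seconds-long window, keeping only IPs at or above
    threshold. Window and threshold are assumed defaults; tune to your traffic.
    """
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line (junk, truncated write); skip it
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == "/xmlrpc.php":
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until stamps[start..end] all fit
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def source_is_private(ip):
    """True if the logged address is RFC 1918, loopback, link-local or other
    non-routable space, i.e. nginx is behind a proxy or on a container network
    and the real client address must be read from X-Forwarded-For instead."""
    return ipaddress.ip_address(ip).is_private


# Constructed sample log modelled on the post's lines: 25 rapid-fire xmlrpc.php
# POSTs from one address, a little benign traffic, and one junk line.
UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"


def _line(ip, ts, method, path, status, size):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "{UA}"'


SAMPLE_LINES = (
    [_line("172.21.0.6", "27/May/2017:08:08:10 +0000", "POST", "/xmlrpc.php", 200, 422)
     for _ in range(25)]
    + [
        _line("93.184.216.34", "27/May/2017:08:08:11 +0000", "GET", "/", 200, 5120),
        _line("93.184.216.34", "27/May/2017:08:09:00 +0000", "POST", "/xmlrpc.php", 200, 422),
        "not a combined-format line at all",
    ]
)


if __name__ == "__main__":
    for ip, peak in xmlrpc_offenders(SAMPLE_LINES).items():
        note = " (private address: real client is in X-Forwarded-For)" if source_is_private(ip) else ""
        print(f"{ip}: {peak} POST /xmlrpc.php within 60s{note}")
```

Pipe a real file in with something like python3 detect.py < /var/log/nginx/access.log after swapping SAMPLE_LINES for sys.stdin; the sliding window rather than fixed minute buckets means a burst straddling a minute boundary is not halved.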
Since I don't use the XML-RPC API to access my WordPress (no Jetpack, no mobile app, no remote publishing or pingbacks), the fix was simple: just block it.
A quick trip to the Nginx config and the problem was solved.
server {
    ...
    # Use an exact match ("="). A plain prefix "location /xmlrpc.php" loses to
    # the usual "location ~ \.php$" regex block that hands PHP files to
    # php-fpm, and the deny would never fire. Exact match takes precedence,
    # so the request is refused before PHP ever runs.
    location = /xmlrpc.php {
        deny all;
    }
    ...
}
Check the config with nginx -t, reload Nginx, and it's done. To verify, curl -i -X POST https://yoursite/xmlrpc.php should now return 403 Forbidden instead of 200, and the php-fpm load should drop right away.
If you run WordPress and don't need XML-RPC, do this before you get brute-forced and avoid the problem entirely. If you do rely on it (Jetpack and the WordPress mobile apps talk to xmlrpc.php), rate-limit the endpoint with limit_req instead of denying it outright.