I have been seeing the same thing in my logs again for some days now. Didn’t this problem seem to be solved quite a while ago? Looks like it’s back again. Yesterday’s logs show one single IP happily sending tens of subsequent requests per second to xmlrpc.php for hours.
Mea culpa! Forgot to add https port to /etc/fail2ban/jail.local
It didn’t happen since I updated. I will have a look in the next few days to confirm.
Thanks
I just got the case today, with latest version:
191.96.249.13 - - [24/Aug/2016:21:00:00 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:01 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:01 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:09 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:09 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:19 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:19 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:20 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:30 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:34 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:42 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:42 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:42 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:42 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.13 - - [24/Aug/2016:21:00:50 +0200] "POST /xmlrpc.php HTTP/1.0" 200 554 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
These are not generating logs
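The access-log excerpt above is exactly the pattern a fail2ban jail on the web server's access log is meant to catch: many POSTs to xmlrpc.php from one address in a short window. The following Python is an added example, not code from this thread or from the wp-fail2ban plugin; it parses combined-format lines like the ones quoted and applies fail2ban's `maxretry` within `findtime` counting to decide which address has crossed the threshold. The sample lines are constructed (documentation addresses, same format as the excerpt), and the default thresholds of 10 requests in 60 seconds are an assumption to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log line, the format quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # ignore any query string
        "status": int(m.group("status")),
    }


def find_xmlrpc_floods(lines, maxretry=10, findtime=60):
    """fail2ban-style counting: an IP is flagged the moment it has made
    `maxretry` POSTs to /xmlrpc.php within any `findtime`-second window.
    Returns {ip: timestamp at which the threshold was reached}."""
    recent = defaultdict(deque)   # ip -> timestamps of its POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/xmlrpc.php":
            continue
        ip = rec["ip"]
        if ip in flagged:
            continue              # fail2ban would already have banned this address
        q = recent[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > findtime:
            q.popleft()           # drop entries older than the window
        if len(q) >= maxretry:
            flagged[ip] = rec["ts"]
    return flagged


# --- Constructed sample log (documentation addresses, same layout as the thread's excerpt) ---
def _line(ip, clock, method="POST", path="/xmlrpc.php"):
    return (f'{ip} - - [24/Aug/2016:{clock} +0200] "{method} {path} HTTP/1.0" 200 554 '
            f'"-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')

SAMPLE_LOG = sorted(
    [_line("203.0.113.5", f"21:00:{s:02d}") for s in range(0, 60, 5)]   # 12 POSTs in 55 s
    + [_line("198.51.100.7", "21:00:07", "GET", "/"),                    # ordinary visitor
       _line("198.51.100.7", "21:00:30")]                                # one legitimate POST
    + [_line("203.0.113.5", "21:05:00")],                                # long after the window
    key=lambda l: parse_line(l)["ts"],
)

if __name__ == "__main__":
    for ip, when in find_xmlrpc_floods(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
```

With the sample input only 203.0.113.5 is flagged, at its tenth POST (21:00:45); the single POST from 198.51.100.7 never comes near the threshold, which is the point of counting per address and per window rather than banning on any xmlrpc.php POST. The same condition expressed as a fail2ban filter on the access log is the commonly used `failregex = ^<HOST> .*"POST /xmlrpc\.php HTTP.*` with `maxretry` and `findtime` set in the jail; either way, the web-server log catches requests the plugin never sees because they do not attempt to authenticate.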
yes I can see:
Accepted password
Authentication failure for …
XML-RPC authentication failure for …
About the extensions I have:
add-from-server
awd-weightcountry-shipping
really-simple-captcha
woocommerce-customer-order-csv-export
woocommerce-pdf-invoices-packing-slips
wordpress-seo
wp-maintenance-mode
akismet
contact-form-7
jf3-maintenance-mode
regenerate-thumbnails
woocommerce
woocommerce-gateway-stripe
woocommerce-product-bundles
wp-crontrol
wp-security-scan
alo-easymail
events-manager
nextgen-facebook
shortcodes-ultimate
woocommerce-composite-products
woocommerce-menu-bar-cart
woothemes-updater
wp-fail2ban
wp-user-avatar
If you’re seeing:
XML-RPC authentication failure for …
then the XML-RPC requests you’re not seeing log entries for must not be trying to log in.
Any chance you can log the contents of $_POST for one of these requests so I can see what needs blocked?
Would you have some advice about how to do it?
Never mind, I used https://www.saotn.org/huge-increase-wordpress-xmlrpc-php-post-requests/
I will let you know about the results, I am waiting for it to happen again.
Thanks
OK I got it, in this case $_POST is empty.
Is this something your plugin could handle?
Yes, it could. However, are you sure $_POST was empty? It’s just that making an empty request to xmlrpc.php doesn’t achieve anything for the attacker.
Yes, I did print_r($_POST,true) and it was an empty array in the case where there was no auth log
Sorry, just realised $_POST may be empty for XML-RPC. It’s the contents of $HTTP_RAW_POST_DATA you need to log. I seem to get different results depending on the version of PHP (though I wouldn’t call my testing comprehensive).
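XML-RPC sends its request as an XML document in the request body, so PHP never populates `$_POST` for it; the body has to be read raw. The version dependence mentioned above is that `$HTTP_RAW_POST_DATA` was deprecated in PHP 5.6 and removed in PHP 7, whereas `php://input` returns the raw body on every version. Once such bodies are being logged, the defender's next question is what they contain, which is what the plugin author is asking for. The Python below is an added example, not code from this thread or from the plugin: it parses a raw xmlrpc.php request body with the standard library and reports the method(s) called and whether they carry credentials, which is the distinction between requests the plugin logs and the ones it does not. The sample bodies are constructed with placeholder values, and the set of credentialed namespaces (`wp`, `blogger`, `metaWeblog`, `mt`) is an assumption about the WordPress XML-RPC API.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# WordPress XML-RPC namespaces whose methods take a username/password as parameters
# (assumption, see lead-in); pingback.*, system.* and demo.* do not authenticate.
AUTH_NAMESPACES = {"wp", "blogger", "metaWeblog", "mt"}


def classify_body(raw):
    """Describe one raw xmlrpc.php request body as it would appear in a log.

    Returns {"kind": empty|malformed|call|multicall, "methods": [...], "authenticates": bool}.
    """
    if not raw or not raw.strip():
        # The "empty $_POST" case from the thread: nothing for the server to act on.
        return {"kind": "empty", "methods": [], "authenticates": False}
    try:
        params, method = xmlrpc.client.loads(raw)
    except (ExpatError, xmlrpc.client.Fault, ValueError, TypeError):
        return {"kind": "malformed", "methods": [], "authenticates": False}
    if method is None:                       # a <methodResponse>, not a request
        return {"kind": "malformed", "methods": [], "authenticates": False}
    if method == "system.multicall":
        # One HTTP request bundling several calls: look inside each struct.
        calls = params[0] if params and isinstance(params[0], list) else []
        methods = [c.get("methodName", "?") for c in calls if isinstance(c, dict)]
        kind = "multicall"
    else:
        methods, kind = [method], "call"
    authenticates = any(m.split(".", 1)[0] in AUTH_NAMESPACES for m in methods)
    return {"kind": kind, "methods": methods, "authenticates": authenticates}


# --- Constructed sample bodies (built with the standard library; placeholder values only) ---
EMPTY_BODY = ""
PINGBACK_BODY = xmlrpc.client.dumps(
    ("http://example.com/source", "http://example.org/target"), "pingback.ping")
LOGIN_BODY = xmlrpc.client.dumps(("someuser", "placeholder-password"), "wp.getUsersBlogs")
MULTICALL_BODY = xmlrpc.client.dumps(
    ([{"methodName": "wp.getUsersBlogs", "params": ["someuser", "placeholder-a"]},
      {"methodName": "wp.getUsersBlogs", "params": ["someuser", "placeholder-b"]}],),
    "system.multicall")
NOT_XML_BODY = "this is not an XML-RPC request"

if __name__ == "__main__":
    for name, body in [("empty", EMPTY_BODY), ("pingback", PINGBACK_BODY),
                       ("login", LOGIN_BODY), ("multicall", MULTICALL_BODY),
                       ("not xml", NOT_XML_BODY)]:
        print(f"{name:9s} -> {classify_body(body)}")
```

A body that classifies as `empty`, `malformed` or a non-authenticating call is one the plugin's authentication-failure logging will never see, which matches the observation above that the flood produced no `XML-RPC authentication failure` entries; those requests are better handled at the web-server or fail2ban layer. A `multicall` whose inner calls all authenticate is the case worth logging as several attempts rather than one.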