One More Check In on WordPress XML-RPC Fail2ban Traps

Just putting out an updated chart showing how this has performed through several additional months of operation. I’ve previously covered what’s happening here in detail: when I began to sustain a high volume of attacks, when I implemented the fail2ban-based countermeasures, and when I checked in on how the traps were performing four months ago.

XML-RPC Attack Traffic

The attacks remain well controlled. I haven’t changed the hooks or any of the parameters of the fail2ban jail. Requesters get maxretry = 3 in findtime = 3600 (one hour) and get banned for bantime = 86400 (one day). When triggered, this keeps them contained to sets of 3 closely spaced requests. They filter into the access logs looking like this, here integrated over 7 days:

146.185.251.102 - - [25/Mar/2015:05:22:15 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [25/Mar/2015:05:24:09 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [25/Mar/2015:05:25:06 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [25/Mar/2015:09:16:06 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [25/Mar/2015:09:16:11 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [25/Mar/2015:09:20:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [25/Mar/2015:09:21:24 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [25/Mar/2015:09:34:28 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [25/Mar/2015:09:37:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
218.70.26.194 - - [25/Mar/2015:11:36:42 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370 "http://www.scottbrownconsulting.com/" "PHP/5.3.59"
146.185.251.102 - - [26/Mar/2015:05:25:10 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [26/Mar/2015:05:26:26 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [26/Mar/2015:05:26:49 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [26/Mar/2015:09:50:56 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [26/Mar/2015:10:08:29 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [26/Mar/2015:10:20:59 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [26/Mar/2015:10:42:20 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [26/Mar/2015:10:48:00 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [26/Mar/2015:10:48:04 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [27/Mar/2015:05:27:17 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [27/Mar/2015:05:29:49 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [27/Mar/2015:05:31:10 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [27/Mar/2015:10:48:35 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [27/Mar/2015:11:02:44 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [27/Mar/2015:11:17:50 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [27/Mar/2015:11:31:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
216.231.128.131 - - [28/Mar/2015:01:28:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 403 "http://www.scottbrownconsulting.com/" "PHP/5.2.97"
146.185.251.102 - - [28/Mar/2015:05:32:00 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [28/Mar/2015:05:33:53 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [28/Mar/2015:05:35:29 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
62.210.211.112 - - [28/Mar/2015:10:41:14 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "http://www.scottbrownconsulting.com/" "PHP/5.2.44"
216.231.128.231 - - [28/Mar/2015:17:35:19 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "http://www.scottbrownconsulting.com/" "PHP/5.3.84"
146.185.251.102 - - [29/Mar/2015:05:36:39 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [29/Mar/2015:05:36:47 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [29/Mar/2015:05:38:18 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [30/Mar/2015:03:11:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [30/Mar/2015:03:20:19 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [30/Mar/2015:03:30:23 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [30/Mar/2015:05:39:40 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [30/Mar/2015:05:42:37 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [30/Mar/2015:05:42:57 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [30/Mar/2015:06:10:42 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.64.122 - - [30/Mar/2015:06:10:56 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [30/Mar/2015:06:12:57 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [30/Mar/2015:06:17:39 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.64.122 - - [30/Mar/2015:06:36:25 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.64.122 - - [30/Mar/2015:06:40:32 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [31/Mar/2015:03:39:45 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [31/Mar/2015:03:45:30 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.99 - - [31/Mar/2015:03:53:56 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [31/Mar/2015:05:44:42 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [31/Mar/2015:05:44:55 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
146.185.251.102 - - [31/Mar/2015:05:47:34 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [31/Mar/2015:07:12:29 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [31/Mar/2015:07:42:46 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [31/Mar/2015:08:40:20 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [31/Mar/2015:09:02:56 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.143 - - [31/Mar/2015:09:33:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.64.122 - - [31/Mar/2015:15:50:50 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.64.122 - - [31/Mar/2015:15:56:28 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.64.122 - - [31/Mar/2015:15:58:28 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

As you can see above, the same IP addresses show back up as soon as their ban expires, or, put more accurately, they never stop hammering away. This tells us that the authors of these scripts don’t make an effort to check whether their attempts fail at TCP socket negotiation time, squandering the opportunity to remove or suspend uncooperative targets on their list. I wouldn’t do that either, I guess, if I were them – there are no bonus points for efficiency.

Here’s a uniq -c | sort -rn of the IP addresses in the sample above:

21 146.185.251.102
17 93.174.93.143
13 93.174.93.99
 6 80.82.64.122
 1 62.210.211.112
 1 218.70.26.194
 1 216.231.128.231
 1 216.231.128.131

A select few IPs attack too slowly to trip the jail; nothing fail2ban can do about those.
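To see why some sources get banned on their third request while others slip through, the jail's window can be replayed offline. The following is an added example, not code from the original post or from fail2ban: it is a simplified model that treats every POST to /xmlrpc.php as one failure, uses the maxretry, findtime and bantime values quoted above, and runs over a constructed sample with documentation-range IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 3, 3600, 86400  # jail parameters quoted in the post
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /xmlrpc\.php ')

# Constructed sample in the access-log format shown above (not real traffic).
SAMPLE = """\
203.0.113.10 - - [25/Mar/2015:05:22:15 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [25/Mar/2015:05:24:09 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [25/Mar/2015:05:25:06 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [25/Mar/2015:07:12:29 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [25/Mar/2015:07:42:46 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [25/Mar/2015:08:40:20 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [25/Mar/2015:09:02:56 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.7 - - [25/Mar/2015:09:33:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.50 - - [25/Mar/2015:11:36:42 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.10 - - [26/Mar/2015:05:25:10 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [26/Mar/2015:05:26:26 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [26/Mar/2015:05:26:49 -0700] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
"""

def replay(log_text):
    """Replay a time-ordered log; return {ip: [time each ban would start, ...]}."""
    recent = defaultdict(deque)   # ip -> request times still inside findtime
    banned_until = {}             # ip -> time the current ban expires
    bans = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and ts < banned_until[ip]:
            continue              # a banned source would not reach the web server
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()      # forget requests older than findtime
        if len(window) >= MAXRETRY:
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            window.clear()
    return dict(bans)

if __name__ == "__main__":
    for ip, starts in replay(SAMPLE).items():
        print(ip, [s.isoformat() for s in starts])
```

In the sample, the fast source is banned twice, returning seconds after its first ban lapses, while the slower source makes five requests before three of them finally land inside one hour.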

Bear in mind that I had no legitimate XML-RPC traffic (such as valid pingbacks to any of my articles) during this window. All of the request traffic exhibited here is malicious.

Shall we figure out where our friends are visiting from?

IP address        Registry    Registrant, Location
146.185.251.102   RIPE        SPSERVERS Network Operation Centre, Moscow, Russia
93.174.93.143     RIPE        Ecatel LTD, The Hague, Netherlands
93.174.93.99      RIPE        Ecatel LTD, The Hague, Netherlands
80.82.64.122      RIPE        Ecatel LTD, The Hague, Netherlands
62.210.211.112    RIPE        Iliad Entreprises Business Hosting, Paris, France
218.70.26.194     APNIC       ChinaNet, Chongqing, China
216.231.128.231   ARIN        mach9servers, Lombard, IL, USA
216.231.128.131   ARIN        mach9servers, Lombard, IL, USA

Whois lookup turns up Russian, Dutch, French, Chinese, and American source IPs in this small sample.