Differences

This shows you the differences between two versions of the page.

--- wordpress_xmlrpc [2016/03/04 10:12] – luke7858
+++ wordpress_xmlrpc [2024/05/23 07:26] (current) – external edit 127.0.0.1
@@ Line 15: / Line 15: @@
 \\
 \\
-==What is an xmlrpc attack?==
+== What is an xmlrpc attack?==
 xml-rpc can use **//system.multicall//** - this can be used to execute multiple methods inside a single request. This allows applications to pass multiple commands with one http request.
 \\
@@ Line 29: / Line 29: @@
 **__NOTE__**: //WordPress, Drupal and most content management systems support XML-RPC.//
 \\
-It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages
+It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages.
 \\
 \\
+Checking apache and nginx logs for xmlrpc
+\\
+<sxh bash>
+ awk '/xmlrpc.php/ {REQ[$1" "$6" "$7]++}END{for (i in REQ) print REQ[i],i}' /var/log/httpd/*access*log | sort -n | tail -25
+</sxh>
 \\
 Basic configuration:
 <sxh bash>
 To prevent xmlrpc attacks add the following to a .htaccess
-<sxh bash>
 <Files "xmlrpc.php">
 Order Allow,Deny
@@ Line 46: / Line 50: @@
 **__Apache .htaccess:__**
 <sxh bash>
-<files xmlrpc.php="">
+<Files "xmlrpc.php">
 Order Deny,Allow
 Deny from all
@@ Line 66: / Line 70: @@
 </sxh>
 \\
+\\
+Allowing Wordpress IPs
+<sxh bash>
+         location = /xmlrpc.php {
+            allow 192.0.64.0/18;
+            deny all;
+            access_log off; #to prevent from filling up the access log file
+            error_log off; #to prevent from filling up the error log file
+        }
+</sxh>
 \\
 == JetPack ==
@@ Line 76: / Line 90: @@
 \\
 \\
-=== Wordfence ===
 \\
+=== Wordfence ===
 ##CURRENTLY INVESTIGATING ##
 \\