Posted

I keep seeing attempts to access the following files in my error log:

/public_html/cgi-bin/awstats.pl
/public_html/cgi-bin/awstats
/xmlrpc.php
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php

Always in this order, but always from a different IP address. To my untrained eye it looks like a script attempting to find vulnerable, unpatched servers in an attempt to inject executable code for who-knows-what purpose.

What I've been doing is adding these folks to my "IP Deny" list via cPanel. What I'd like to do is automate this so that as soon as an attempt like this can be detected, have the IP address automatically added. Does anyone know how I might do this? I could make a fake "xmlrpc.php" file that emails me with the IP, but I don't know how to programmatically add them to my deny list.

Thanks for any input on this issue.

Posted

These are just automated scripts that scan IP blocks looking for things to exploit.

It is really nothing to be overly concerned with.

We are working on a new security rule so that the XML scans do not make it through to your actual account. That is a few days off however.

Posted

<?php
/* Put the following into your .htaccess file.
 * If you already have order and deny lines,
 * simply add a new deny line for badip.
 * -----------------------------------------------
## Prevent web clients from accessing any .ht* file.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

##Start Bad IPs - The script uses the End line, so
## DO NOT ALTER IT
##End Bad IPs

order deny,allow
deny from env=badip
 * -----------------------------------------------
 * Save this file under any name that only hackers will
 * access.
 */

// Note that this is the .htaccess file in the same directory.
// You can place it in a parent directory to block access to
// subdirectories other than this one.  That means you'll
// have to put in the correct path for $file.
// Make sure permissions on .htaccess allow it to be written.
// ---------------------------------------------------------------
$file = "./.htaccess";

// Only accept a well-formed IPv4 address: the value is about to be
// written into an Apache directive, so refuse anything unexpected.
$badIp = $_SERVER['REMOTE_ADDR'];
if (filter_var($badIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
    die;
}
// SetEnvIf takes a regex, so the dots in the address must be escaped.
$entry = 'SetEnvIf REMOTE_ADDR "^' . str_replace('.', '\.', $badIp) . '$" badip';

// Open once for both reading and writing ("c+b" does not truncate) and
// hold an exclusive lock for the whole read-modify-write, so two scanners
// hitting this page at the same moment cannot overwrite each other's entry.
$fp = fopen($file, 'c+b') or die;
flock($fp, LOCK_EX) or die;
$data = stream_get_contents($fp);

// Add the new Bad IP above the line ##End Bad IPs, unless it is already
// listed. Note this adds it above every occurrence of that line.
if (strpos($data, $entry) === false) {
    $data = preg_replace_callback('/^##End Bad IPs$/m',
        function ($m) use ($entry) { return "$entry\n##End Bad IPs"; },
        $data);
    rewind($fp);
    ftruncate($fp, 0);
    fwrite($fp, $data);
}
flock($fp, LOCK_UN);
fclose($fp);

// Debugging output only: this shows the whole .htaccess to the visitor
// (that is, to the scanner), so remove it once the script works.
echo "<br /><br />";
echo "New file:<br />" . htmlspecialchars($data);
?>

-Dave Scotese.
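Putting the first post's wish (detect the probe sequence and add the address automatically) together with Dave's ##Start/##End Bad IPs marker scheme, here is an added Python example that is not from the thread: it reads Apache error_log lines, flags any client that requested three or more of the probe paths listed above, and inserts the matching SetEnvIf lines above ##End Bad IPs, skipping addresses already present. The log lines, the TEST-NET addresses, the docroot /home/example/public_html and the threshold of three are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Paths the first post reports being probed (docroot prefix stripped).
PROBE_PATHS = {
    "/cgi-bin/awstats.pl", "/cgi-bin/awstats", "/xmlrpc.php", "/blog/xmlrpc.php",
    "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php", "/drupal/xmlrpc.php",
    "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php",
    "/xmlsrv/xmlrpc.php"}
# Apache error_log "File does not exist" entries; the optional :port covers 2.4 logs.
LOG_RE = re.compile(r"\[client (?P<ip>[\d.]+)(?::\d+)?\] .*File does not exist: (?P<path>\S+)")

def find_scanners(log_lines, docroot="/home/example/public_html", threshold=3):
    """Return IPs that requested at least `threshold` distinct probe paths."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(docroot):
            path = path[len(docroot):]
        if path in PROBE_PATHS:
            hits[m.group("ip")].add(path)
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)

def add_bad_ips(htaccess, ips):
    """Insert one SetEnvIf line per new IP above '##End Bad IPs'. Dots are
    escaped because SetEnvIf takes a regex; IPs already listed are skipped."""
    marker = "##End Bad IPs"
    if marker not in htaccess:
        raise ValueError("no ##End Bad IPs marker in .htaccess")
    new = []
    for ip in ips:
        entry = 'SetEnvIf REMOTE_ADDR "^%s$" badip' % ip.replace(".", r"\.")
        if entry not in htaccess:
            new.append(entry)
    return htaccess.replace(marker, "\n".join(new + [marker]), 1)

# Constructed sample data (not from the thread): 203.0.113.5 walks the probe
# list, 198.51.100.7 touches one path only, 192.0.2.9 just wants a favicon.
SAMPLE_LOG = """\
[Sun Mar 01 10:00:01 2009] [error] [client 203.0.113.5] File does not exist: /home/example/public_html/cgi-bin/awstats.pl
[Sun Mar 01 10:00:01 2009] [error] [client 203.0.113.5] File does not exist: /home/example/public_html/xmlrpc.php
[Sun Mar 01 10:00:02 2009] [error] [client 203.0.113.5] File does not exist: /home/example/public_html/blog/xmlrpc.php
[Sun Mar 01 10:05:00 2009] [error] [client 198.51.100.7] File does not exist: /home/example/public_html/xmlrpc.php
[Sun Mar 01 10:06:00 2009] [error] [client 192.0.2.9] File does not exist: /home/example/public_html/favicon.ico
"""
SAMPLE_HTACCESS = ('##Start Bad IPs\n'
    'SetEnvIf REMOTE_ADDR "^198\\.51\\.100\\.7$" badip\n##End Bad IPs\n')
```

Run from cron against the live error_log, writing the result back under an exclusive lock as the PHP above does, this gives the same block list without needing a honeypot file at all.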
