rushipkar90 · May 23, 2023 06:39
diff --git a/xmlrpc attack investigation b/xmlrpc attack investigation
 #If you are receiving complaints against your server for outgoing xmlrpc brute-force attack, then you can easily find-out culprit account by using below steps:

 1) Run below command in 'Screen', it will dump all the monitored logs to /home/logs/tcpdump14022016 file.
 tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > /home/logs/tcpdump14022016

 2) Set up below crons on the server. You can either set up these crons in the server crons i.e at crontab -e or you can set it up at /etc/cron.d/filename, for e.g. as in below case filename is "dumplogs".
   
 root@test[/etc/cron.d]# cat dumplogs
 * * * * * root /home/logs/writelogs.sh
 * * * * * root sleep 30; /home/logs/writelogs.sh

 Before setting up the cron job, please make sure that file: /home/logs/writelogs.sh is exist with the below script inside.

 root@test[/etc/cron.d]# cat /home/logs/writelogs.sh
 #!/bin/bash
 netstat -antpe > /home/logs/`date +%F_%T`-ns.txt
 ps auxfwww > /home/logs/`date +%F_%T`-ps.txt
 top ccbn1 -c > /home/logs/`date +%F_%T`-top.txt
 /etc/init.d/httpd fullstatus > /home/logs/`date +%F_%T`-apache.txt


 3) root@test[/home/logs]# tail -f tcpdump14022016

 Look for the xmlrpc requests and just ignore the requests which are like X-Pingback:domainname.com as all these are legit xmlrpc requests generated by the domains which are currently present on the server. Search for the pattern like Host:serverhostname & Host:domainname.com and then ping domainname.com to get the IP address of the remote domain. 

 [Please note that we can ignore this step if we already have the remote domain & it's IP address given in the xmlrpc brute-force complaint]

 4) Once we got the IP address of remote domain, then just do below. For e.g., if remote IP we got is: 93.93.69.48 then:

 root@test [/home/logs]# grep -lr 93.93.69.48 *
 2016-02-13_06:41:01-ns.txt
 2016-02-13_06:41:31-ns.txt
 2016-02-13_06:42:01-ns.txt
 2016-02-13_06:42:31-ns.txt
 2016-02-13_06:43:01-ns.txt
 2016-02-13_06:43:31-ns.txt
 2016-02-13_23:47:02-ps.txt
 2016-02-13_23:47:31-ps.txt
 2016-02-13_23:48:02-ps.txt
 2016-02-13_23:48:32-ps.txt
 2016-02-13_23:49:02-ps.txt
 2016-02-13_23:58:32-ps.txt
 2016-02-14_22:37:32-ps.txt


 root@test [/home/logs]## grep 93.93.69.48 2016-02-13_06:*-ns.txt
 2016-02-13_06:41:01-ns.txt:tcp    29662      0 69.90.163.115:32994         93.93.69.48:80              CLOSE_WAIT  1804       3650405461 270504/php
 2016-02-13_06:41:31-ns.txt:tcp        0      1 69.90.163.115:33293         93.93.69.48:80              SYN_SENT    1804       3650410786 270504/php
 2016-02-13_06:41:31-ns.txt:tcp        0      1 69.90.163.115:32994         93.93.69.48:80              LAST_ACK    0          0          -

 Please note that "270504" is the process ID which we are able see in the first two lines of result we got.

 5) Once we got the process ID, then just do below and which will show up the result with the exact domain name which was acting as the source of xmlrpc brute-force attack.

 root@test [/home/logs]# # grep 270504 2016-02-13*-ps.txt | less

 2016-02-13_06:02:02-ps.txt:tress468  270504  3.9  0.4 216212 68144 ?        R    06:01   0:00  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:02:32-ps.txt:tress468  270504  3.6  0.4 217552 74112 ?        S    06:01   0:01  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:03:02-ps.txt:tress468  270504  4.2  0.4 218756 75180 ?        R    06:01   0:03  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:03:32-ps.txt:tress468  270504  3.7  0.4 218756 75268 ?        S    06:01   0:03  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:04:02-ps.txt:tress468  270504  4.3  0.4 219268 75780 ?        S    06:01   0:05  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:04:32-ps.txt:tress468  270504  4.6  0.4 219268 75788 ?        S    06:01   0:07  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:05:01-ps.txt:tress468  270504  4.5  0.4 219268 75796 ?        S    06:01   0:08  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:05:31-ps.txt:tress468  270504  4.5  0.4 219268 75856 ?        S    06:01   0:10  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:06:02-ps.txt:tress468  270504  4.6  0.4 219424 76136 ?        S    06:01   0:11  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:06:32-ps.txt:tress468  270504  4.7  0.4 219424 76136 ?        S    06:01   0:13  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:07:02-ps.txt:tress468  270504  4.5  0.4 219424 76136 ?        S    06:01   0:14  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:07:33-ps.txt:tress468  270504  4.5  0.4 219424 76140 ?        S    06:01   0:15  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:08:03-ps.txt:tress468  270504  4.6  0.4 219424 76140 ?        R    06:01   0:17  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:08:32-ps.txt:tress468  270504  4.6  0.4 219740 76260 ?        R    06:01   0:18  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:09:02-ps.txt:tress468  270504  4.6  0.4 219740 76260 ?        R    06:01   0:20  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
 2016-02-13_06:09:32-ps.txt:tress468  270504  4.6  0.4 219740 76260 ?        S    06:01   0:21  |   \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php

 Here, we can see that culprit account is "tress468" and domain name through which xmlrpc attack was done is "cozynest.ca"


 6) In order to resolve this issue, below are the suggestions:

 Kindly inform client to refer the below URL's for information on mitigating xmlrpc attacks.
 https://wordpress.org/plugins/stop-xmlrpc-attack/
 https://wordpress.org/support/topic/recent-new-xmlrpcphp-brute-force-password-guessing-attack-details

 In meantime, we can disable xmlrpc.php for the culprit account by inserting below code inside .htaccess file.

 <Files xmlrpc.php>
 order deny,allow
 deny from all
 </Files>

 Bingo!!!! :) :)
	#If you are receiving complaints against your server for outgoing xmlrpc brute-force attack, then you can easily find-out culprit account by using below steps:

	1) Run below command in 'Screen', it will dump all the monitored logs to /home/logs/tcpdump14022016 file.
	tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > /home/logs/tcpdump14022016

	2) Set up below crons on the server. You can either set up these crons in the server crons i.e at crontab -e or you can set it up at /etc/cron.d/filename, for e.g. as in below case filename is "dumplogs".

	root@test[/etc/cron.d]# cat dumplogs
	* * * * * root /home/logs/writelogs.sh
	* * * * * root sleep 30; /home/logs/writelogs.sh

	Before setting up the cron job, please make sure that file: /home/logs/writelogs.sh is exist with the below script inside.

	root@test[/etc/cron.d]# cat /home/logs/writelogs.sh
	#!/bin/bash
	netstat -antpe > /home/logs/`date +%F_%T`-ns.txt
	ps auxfwww > /home/logs/`date +%F_%T`-ps.txt
	top ccbn1 -c > /home/logs/`date +%F_%T`-top.txt
	/etc/init.d/httpd fullstatus > /home/logs/`date +%F_%T`-apache.txt


	3) root@test[/home/logs]# tail -f tcpdump14022016

	Look for the xmlrpc requests and just ignore the requests which are like X-Pingback:domainname.com as all these are legit xmlrpc requests generated by the domains which are currently present on the server. Search for the pattern like Host:serverhostname & Host:domainname.com and then ping domainname.com to get the IP address of the remote domain.

	[Please note that we can ignore this step if we already have the remote domain & it's IP address given in the xmlrpc brute-force complaint]

	4) Once we got the IP address of remote domain, then just do below. For e.g., if remote IP we got is: 93.93.69.48 then:

	root@test [/home/logs]# grep -lr 93.93.69.48 *
	2016-02-13_06:41:01-ns.txt
	2016-02-13_06:41:31-ns.txt
	2016-02-13_06:42:01-ns.txt
	2016-02-13_06:42:31-ns.txt
	2016-02-13_06:43:01-ns.txt
	2016-02-13_06:43:31-ns.txt
	2016-02-13_23:47:02-ps.txt
	2016-02-13_23:47:31-ps.txt
	2016-02-13_23:48:02-ps.txt
	2016-02-13_23:48:32-ps.txt
	2016-02-13_23:49:02-ps.txt
	2016-02-13_23:58:32-ps.txt
	2016-02-14_22:37:32-ps.txt


	root@test [/home/logs]## grep 93.93.69.48 2016-02-13_06:*-ns.txt
	2016-02-13_06:41:01-ns.txt:tcp 29662 0 69.90.163.115:32994 93.93.69.48:80 CLOSE_WAIT 1804 3650405461 270504/php
	2016-02-13_06:41:31-ns.txt:tcp 0 1 69.90.163.115:33293 93.93.69.48:80 SYN_SENT 1804 3650410786 270504/php
	2016-02-13_06:41:31-ns.txt:tcp 0 1 69.90.163.115:32994 93.93.69.48:80 LAST_ACK 0 0 -

	Please note that "270504" is the process ID which we are able see in the first two lines of result we got.

	5) Once we got the process ID, then just do below and which will show up the result with the exact domain name which was acting as the source of xmlrpc brute-force attack.

	root@test [/home/logs]# # grep 270504 2016-02-13*-ps.txt \| less

	2016-02-13_06:02:02-ps.txt:tress468 270504 3.9 0.4 216212 68144 ? R 06:01 0:00 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:02:32-ps.txt:tress468 270504 3.6 0.4 217552 74112 ? S 06:01 0:01 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:03:02-ps.txt:tress468 270504 4.2 0.4 218756 75180 ? R 06:01 0:03 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:03:32-ps.txt:tress468 270504 3.7 0.4 218756 75268 ? S 06:01 0:03 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:04:02-ps.txt:tress468 270504 4.3 0.4 219268 75780 ? S 06:01 0:05 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:04:32-ps.txt:tress468 270504 4.6 0.4 219268 75788 ? S 06:01 0:07 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:05:01-ps.txt:tress468 270504 4.5 0.4 219268 75796 ? S 06:01 0:08 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:05:31-ps.txt:tress468 270504 4.5 0.4 219268 75856 ? S 06:01 0:10 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:06:02-ps.txt:tress468 270504 4.6 0.4 219424 76136 ? S 06:01 0:11 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:06:32-ps.txt:tress468 270504 4.7 0.4 219424 76136 ? S 06:01 0:13 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:07:02-ps.txt:tress468 270504 4.5 0.4 219424 76136 ? S 06:01 0:14 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:07:33-ps.txt:tress468 270504 4.5 0.4 219424 76140 ? S 06:01 0:15 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:08:03-ps.txt:tress468 270504 4.6 0.4 219424 76140 ? R 06:01 0:17 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:08:32-ps.txt:tress468 270504 4.6 0.4 219740 76260 ? R 06:01 0:18 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:09:02-ps.txt:tress468 270504 4.6 0.4 219740 76260 ? R 06:01 0:20 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
	2016-02-13_06:09:32-ps.txt:tress468 270504 4.6 0.4 219740 76260 ? S 06:01 0:21 \| \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php

	Here, we can see that culprit account is "tress468" and domain name through which xmlrpc attack was done is "cozynest.ca"


	6) In order to resolve this issue, below are the suggestions:

	Kindly inform client to refer the below URL's for information on mitigating xmlrpc attacks.
	https://wordpress.org/plugins/stop-xmlrpc-attack/
	https://wordpress.org/support/topic/recent-new-xmlrpcphp-brute-force-password-guessing-attack-details

	In meantime, we can disable xmlrpc.php for the culprit account by inserting below code inside .htaccess file.

	<Files xmlrpc.php>
	order deny,allow
	deny from all
	</Files>

	Bingo!!!! :) :)