XMLRPC, eh?
January 30, 2008 at 12:00 AM

Today I noticed some link-spam and wp-stats iframes in my last three posts. After removing the symptoms, I went looking for the culprit. I suspect that there's a flaw in xmlrpc.php, and that's how my site was compromised.
219.204.252.200 - - [25/Jan/2008:07:11:30 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 2736 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
62.65.159.182 - - [25/Jan/2008:07:12:37 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 163 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
222.122.148.83 - - [28/Jan/2008:08:25:55 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 3042 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
121.144.82.209 - - [28/Jan/2008:08:26:44 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 163 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
201.0.51.181 - - [28/Jan/2008:08:27:43 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 163 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
POSTs to xmlrpc.php seem like an odd thing, especially since these IPs are nothing special.
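As an added example (not code from the original post), here is a small Python script that parses Apache combined-format lines like the ones above, picks out POSTs to xmlrpc.php, and summarises them per source address; it also groups addresses by user agent, since the excerpt shows the identical Opera/9.01 string arriving from unrelated networks. The sample input reuses lines from the excerpt plus one constructed ordinary GET.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three lines from the excerpt above plus one normal GET.
SAMPLE_LOG = """\
219.204.252.200 - - [25/Jan/2008:07:11:30 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 2736 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
62.65.159.182 - - [25/Jan/2008:07:12:37 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 163 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
10.0.0.5 - - [25/Jan/2008:07:13:00 -0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
222.122.148.83 - - [28/Jan/2008:08:25:55 -0800] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 3042 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_posts(log_text):
    """Parsed entries for every POST whose path ends in /xmlrpc.php."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith("/xmlrpc.php"):
            hits.append(e)
    return hits

def summarize(hits):
    """Per source IP: request count and the (status, bytes) of each response."""
    by_ip = defaultdict(lambda: {"count": 0, "responses": []})
    for e in hits:
        size = int(e["size"]) if e["size"] != "-" else 0
        by_ip[e["ip"]]["count"] += 1
        by_ip[e["ip"]]["responses"].append((int(e["status"]), size))
    return dict(by_ip)

def shared_agents(hits):
    """Map each user agent string to the set of IPs that sent it."""
    agents = defaultdict(set)
    for e in hits:
        agents[e["ua"]].add(e["ip"])
    return dict(agents)

if __name__ == "__main__":
    found = xmlrpc_posts(SAMPLE_LOG)
    for ip, info in summarize(found).items():
        print(ip, info["count"], info["responses"])
    for ua, ips in shared_agents(found).items():
        print(f"{len(ips)} addresses share UA {ua!r}")
```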
Name: softbank219204252200.bbtec.net
Address: 219.204.252.200
62.65.159.182 does not exist (Authoritative answer)
222.122.148.83 does not exist (Authoritative answer)
121.144.82.209 does not exist (Authoritative answer)
Name: 201-0-51-181.dsl.telesp.net.br
Address: 201.0.51.181
For the moment, I've disabled xmlrpc.php entirely. Let's hope that fixes the problem.