xmlrpc and bots

Some time ago, I was told I should give back to the Internet and post some technical musings. As one does, I grabbed some off-the-shelf software and set up Apache on a tiny virtual server. Off we went.

Some time later, I started getting alarms that the host was not responding or that one of the services had crashed. I’d fix the issue and some time later it would happen again.

Digging into this a little deeper I saw that all of the available Apache threads were active but there was little activity in the access/error logs. Something was causing them to hang. In response to this, I cranked down the time-outs in Apache.

This worked a little.

The site stayed afloat for longer periods of time before it would crash or hang. Digging deeper, I noticed that xmlrpc.php was being hit more than occasionally. What the heck is xmlrpc.php?

From xmlrpc.com:

It’s a spec and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet.

It’s remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.

Okay, so it’s a service in WordPress that allows remote procedure calls to be made against the site. I’m not sure I need that service…Wait…What’s that link a few results down in my Google search?

WordPress “Pingback” DDoS Attacks

Crap snacks…

Turns out there is an opening in xmlrpc which allows malicious types to make my host send requests to victims’ systems. WordPress had this service enabled by default. I went through and disabled it in 3 different ways! Lo and behold, my site stopped crashing!

Looking at the logs, I saw that more bots than available Apache threads were trying to open xmlrpc.php. They would connect and hold the connection open while DDoSing some poor soul. This is what was causing the site to stop responding.
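As an added example (not code from the original post), here is the kind of check I would run over the Apache access log to confirm the pattern described above: parse each line in Apache’s "combined" format, count requests to xmlrpc.php per client address, and flag the addresses that hammer it. The log lines are constructed samples, and the path and the threshold of 3 requests are assumptions; tune them for your own site.

```python
"""Flag clients hammering xmlrpc.php in an Apache access log.

Added example, not part of the original post. SAMPLE_LOG holds
constructed lines in Apache's "combined" format; the path and the
per-client threshold are assumptions.
"""
import re
from collections import Counter

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: two clients repeatedly POST to xmlrpc.php,
# one ordinary visitor reads a post. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [10/Oct/2014:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.22 - - [10/Oct/2014:13:55:38 +0000] "GET /2014/10/hello-world/ HTTP/1.1" 200 8123 "https://example.net/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2014:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.99 - - [10/Oct/2014:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.4.3"
203.0.113.7 - - [10/Oct/2014:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.99 - - [10/Oct/2014:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.4.3"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_hits(log_text, path="/xmlrpc.php"):
    """Count requests to `path` (query string ignored) per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == path:
            counts[rec["host"]] += 1
    return dict(counts)


def xmlrpc_share(log_text, path="/xmlrpc.php"):
    """Fraction of all parsed requests that target `path`."""
    total = sum(1 for line in log_text.splitlines() if parse_line(line))
    if total == 0:
        return 0.0
    return sum(xmlrpc_hits(log_text, path).values()) / total


def flag_abusers(log_text, threshold=3, path="/xmlrpc.php"):
    """Client addresses with at least `threshold` requests to `path`, busiest first."""
    counts = xmlrpc_hits(log_text, path)
    return [host for host, n in sorted(counts.items(), key=lambda kv: -kv[1])
            if n >= threshold]


if __name__ == "__main__":
    print("xmlrpc.php hits per client:", xmlrpc_hits(SAMPLE_LOG))
    print("share of all requests: %.2f" % xmlrpc_share(SAMPLE_LOG))
    print("flagged:", flag_abusers(SAMPLE_LOG))
```

One caveat that matches the "little activity in the access/error logs" symptom: Apache writes an access-log line only when a request finishes, so a bot holding a connection open mid-pingback is invisible here until it completes or times out. To see the hung workers while they are hung, look at mod_status (the server-status page) rather than the access log; the log analysis above is for confirming the pattern afterwards and deciding whom to block.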

Hmmm…I wonder if those Internet security researchers have my site in their databa..oh..yeah…there I am…shucks.

Sorry poor hapless DDoS recipients. Mea culpa!