Brute Force xmlrpc.php Attack on WordPress: Case Study

I was brute-force attacked through the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.

I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced throughout the day and use different IP addresses and hosts, but all use the same request (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko).

As for IPs and hosts, this is where it gets very distributed. They seem to come from all over the more populous internet world: US, Germany, Austria, France, UK, Canada, Czech Republic, Bulgaria, Netherlands, Japan, HK. All but two had hostnames that resolved successfully. Two host names were from AWS, none from Digital Ocean, OVH, Azure or IBM Cloud. None were obviously from China, Russia, or India, which is suspicious. When you sort by hostname, the string “infong” appears in 8 entries, each with a different IP and host name. Only a couple of IPs were repeated, not many, so very distributed. None of these are Tor exit servers.

I realize that this is not much to go on, but this is common in the new digital web space, where you can do a distributed attack from anywhere in the world, wipe your feet cleanly and not get caught. I can find no obvious or even suspicious entity. While the attack is not large, it is also not small and should have given me more clues.
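The grouping done by hand above (same request line, referrer and user agent across many IPs; hostnames sorted and counted by their leading name) can be made repeatable. The following is an added example written for this page, not the author's tooling. It parses the tab-separated layout the log below uses (IP, timestamp with its leading "[", request, status, bytes, referrer, user agent), clusters requests by signature, and counts hostname families. The sample log is six lines copied from the post's log plus one constructed benign GET from 203.0.113.5 (a documentation address); the hostname list is a slice of the post's resolved hosts; the function names are my own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

FIELDS = ("ip", "time", "request", "status", "size", "referrer", "user_agent")

# The three values every request in the post's log shared.
XMLRPC_POST = "POST /wp/xmlrpc.php HTTP/1.0"
CAMPAIGN_REF = "http://dontai.com/wp/xmlrpc.php"
CAMPAIGN_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"


def _row(ip, ts, request, status, size, ref, ua):
    """Build one line in the post's layout; the timestamp keeps its leading '['."""
    return "\t".join((ip, "[" + ts, request, status, size, ref, ua))


# Constructed sample: six lines from the post's log plus one benign GET
# (203.0.113.5 is a documentation-range address, not one from the post).
SAMPLE_LOG = "\n".join([
    _row("108.175.6.58", "11/Dec/2016:21:38:18", XMLRPC_POST, "200", "403", CAMPAIGN_REF, CAMPAIGN_UA),
    _row("139.162.186.93", "11/Dec/2016:15:38:11", XMLRPC_POST, "301", "-", CAMPAIGN_REF, CAMPAIGN_UA),
    _row("151.236.51.86", "11/Dec/2016:20:51:24", XMLRPC_POST, "403", "636", CAMPAIGN_REF, CAMPAIGN_UA),
    _row("212.227.118.8", "11/Dec/2016:13:58:51", XMLRPC_POST, "403", "636", CAMPAIGN_REF, CAMPAIGN_UA),
    _row("67.227.188.31", "11/Dec/2016:15:09:11", XMLRPC_POST, "200", "403", CAMPAIGN_REF, CAMPAIGN_UA),
    _row("67.227.188.31", "11/Dec/2016:22:03:18", XMLRPC_POST, "200", "403", CAMPAIGN_REF, CAMPAIGN_UA),
    _row("203.0.113.5", "11/Dec/2016:12:00:00", "GET /wp/ HTTP/1.1", "200", "15234", "-",
         "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"),
])

# Constructed slice of the post's hostnames: all eight "infong" hosts, a few
# others, and one reverse-DNS style name that starts with digits.
SAMPLE_HOSTS = [
    "infong1215.lxa.perfora.net", "infong1420.lxa.perfora.net", "infong76.kundenserver.de",
    "infong319.kundenserver.de", "infong274.kundenserver.de", "infong635.kundenserver.de",
    "infong581.lxa.perfora.net", "infong832.lxa.perfora.net", "cwh9.canadianwebhosting.com",
    "web37.extendcp.co.uk", "web81.extendcp.co.uk", "151-236-51-86.static.as29550.net",
]


def parse_line(line):
    """Parse one tab-separated line into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = datetime.strptime(rec["time"].lstrip("["), "%d/%b/%Y:%H:%M:%S")
        rec["status"] = int(rec["status"])
    except ValueError:
        return None
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def cluster_by_signature(records):
    """Group requests that share request line, referrer and user agent."""
    clusters = defaultdict(list)
    for r in records:
        clusters[(r["request"], r["referrer"], r["user_agent"])].append(r)
    return clusters


def campaign_summary(records, min_ips=3):
    """Summarise xmlrpc.php POST signatures seen from at least min_ips addresses.

    One signature spread across many source IPs is the distributed pattern the
    post describes; the signature is a more durable detection key than any IP.
    """
    summaries = []
    for (request, referrer, ua), recs in cluster_by_signature(records).items():
        if not (request.startswith("POST ") and "xmlrpc.php" in request):
            continue
        ips = {r["ip"] for r in recs}
        if len(ips) < min_ips:
            continue
        times = sorted(r["time"] for r in recs)
        summaries.append({
            "request": request, "referrer": referrer, "user_agent": ua,
            "hits": len(recs), "unique_ips": len(ips),
            "statuses": Counter(r["status"] for r in recs),
            "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 2),
            "ban_list": sorted(ips),  # the per-IP block list the post's author used
        })
    return summaries


def hostname_family_counts(hostnames):
    """Count the leading alphabetic token of each hostname ("infong", "web", ...).

    Names that begin with a digit have no such token and are skipped.
    """
    counts = Counter()
    for host in hostnames:
        match = re.match(r"[a-z]+", host.lower())
        if match:
            counts[match.group()] += 1
    return counts


if __name__ == "__main__":
    for s in campaign_summary(parse_log(SAMPLE_LOG)):
        print(f"{s['hits']} hits from {s['unique_ips']} IPs over {s['span_hours']} h: {s['request']}")
        print("  statuses:", dict(s["statuses"]), " ban list:", s["ban_list"])
    print("hostname families:", hostname_family_counts(SAMPLE_HOSTS).most_common(3))
```

Run against the full log further down, the signature cluster is the whole campaign while the benign traffic falls out; the `ban_list` is exactly what the author did, and the signature key is what a defender would alert on instead, since the IPs change and the request line, referrer and user agent did not.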

Attack IPs sorted by IP address, followed by host name

108.175.6.58 infong1215.lxa.perfora.net
130.158.69.238 online.sports.tsukuba.ac.jp
139.162.186.93 de4.fcomet.com
146.0.236.138 manageyourbiz.com
146.0.236.138 manageyourbiz.com
151.236.51.86 151-236-51-86.static.as29550.net
162.243.236.157 aisabuja.com
162.244.253.202 r1.supportedns.com
177.12.161.57 web573.kinghost.net
177.185.194.163 web2353.uni5.net
179.61.12.102 server102.tecnoweb.net
184.171.251.122 king.truehostdns.com
187.110.226.96 hlcl02.argohost.net
193.192.49.162 tarasoft.asp.bg
195.186.81.68 lxb03026.hostcenter.com
195.20.9.89 jan.eatserver.nl
195.3.124.165 linweb16.ispservices.at
198.15.119.162 x3440-21261.securedservers.com
198.71.62.230 infong1420.lxa.perfora.net
199.189.85.151 usve31850.startvps.com
209.59.172.52 209.59.128.0 – 209.59.191.255
210.87.255.236 210.87.252.0 – 210.87.255.255
212.227.118.8 infong76.kundenserver.de
212.227.119.136 infong319.kundenserver.de
212.227.127.172 infong274.kundenserver.de
212.227.29.3 infong635.kundenserver.de
212.45.63.18 lswfront6.solcon.nl
212.90.148.12 w52.goneo.de
216.104.160.96 serv26.tierra.net
216.177.134.128 web3.websitesource.net
46.4.107.79 5i-misdns.net
54.207.72.40 ec2-54-207-72-40.sa-east-1.compute.amazonaws.com
54.233.99.198 ec2-54-233-99-198.sa-east-1.compute.amazonaws.com
62.233.120.25 glamailrelay.iomart.com
65.99.237.198 kefka.asoshared.com
67.227.188.31 vsin3v5g.wavescohosting.com
67.227.188.31 vsin3v5g.wavescohosting.com
67.227.188.31 vsin3v5g.wavescohosting.com
68.109.247.118 68-109-247-118.perimetercenter.net
68.109.247.118 68-109-247-118.perimetercenter.net
72.29.65.181 dime28.dizinc.com
72.29.77.223 rbr25.dizinc.com
74.208.16.121 infong581.lxa.perfora.net
74.208.16.60 infong832.lxa.perfora.net
75.119.198.102 azalea.dreamhost.com
75.119.200.119 block15.dreamhost.com
76.74.247.50 cwh9.canadianwebhosting.com
76.74.247.50 cwh9.canadianwebhosting.com
76.74.247.50 cwh9.canadianwebhosting.com
79.170.40.37 web37.extendcp.co.uk
79.170.40.37 web37.extendcp.co.uk
79.170.44.81 web81.extendcp.co.uk
80.237.133.45 wp276.webpack.hosteurope.de
81.169.211.58 h2350833.stratoserver.net
82.100.220.50 w20.goneo.de
87.106.110.3 s16366496.domainepardefaut.fr
88.86.120.45 vilik.stable.cz

Attack IPs sorted by Host name

76.74.247.50 cwh9.canadianwebhosting.com
76.74.247.50 cwh9.canadianwebhosting.com
76.74.247.50 cwh9.canadianwebhosting.com
139.162.186.93 de4.fcomet.com
72.29.65.181 dime28.dizinc.com
54.207.72.40 ec2-54-207-72-40.sa-east-1.compute.amazonaws.com
54.233.99.198 ec2-54-233-99-198.sa-east-1.compute.amazonaws.com
62.233.120.25 glamailrelay.iomart.com
81.169.211.58 h2350833.stratoserver.net
187.110.226.96 hlcl02.argohost.net
108.175.6.58 infong1215.lxa.perfora.net
198.71.62.230 infong1420.lxa.perfora.net
212.227.127.172 infong274.kundenserver.de
212.227.119.136 infong319.kundenserver.de
74.208.16.121 infong581.lxa.perfora.net
212.227.29.3 infong635.kundenserver.de
212.227.118.8 infong76.kundenserver.de
74.208.16.60 infong832.lxa.perfora.net
195.20.9.89 jan.eatserver.nl
65.99.237.198 kefka.asoshared.com
184.171.251.122 king.truehostdns.com
195.3.124.165 linweb16.ispservices.at
212.45.63.18 lswfront6.solcon.nl
195.186.81.68 lxb03026.hostcenter.com
146.0.236.138 manageyourbiz.com
146.0.236.138 manageyourbiz.com
130.158.69.238 online.sports.tsukuba.ac.jp
162.244.253.202 r1.supportedns.com
72.29.77.223 rbr25.dizinc.com
87.106.110.3 s16366496.domainepardefaut.fr
216.104.160.96 serv26.tierra.net
179.61.12.102 server102.tecnoweb.net
193.192.49.162 tarasoft.asp.bg
199.189.85.151 usve31850.startvps.com
88.86.120.45 vilik.stable.cz
67.227.188.31 vsin3v5g.wavescohosting.com
67.227.188.31 vsin3v5g.wavescohosting.com
67.227.188.31 vsin3v5g.wavescohosting.com
82.100.220.50 w20.goneo.de
212.90.148.12 w52.goneo.de
177.185.194.163 web2353.uni5.net
216.177.134.128 web3.websitesource.net
79.170.40.37 web37.extendcp.co.uk
79.170.40.37 web37.extendcp.co.uk
177.12.161.57 web573.kinghost.net
79.170.44.81 web81.extendcp.co.uk
80.237.133.45 wp276.webpack.hosteurope.de
198.15.119.162 x3440-21261.securedservers.com

I’ve gone as far as I could, but cannot find the culprit or even narrow down the attack to more than “people on earth that use computers a lot”. Sad, but they are good. All I have done is ban their IP addresses in the hopeful attempt that they will be blocked on the next attack. In reality I doubt that this will be effective, as they have obviously hijacked or have obtained many unique IP addresses.

Complete log of the xmlrpc.php attack

108.175.6.58	[11/Dec/2016:21:38:18	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
130.158.69.238	[11/Dec/2016:12:36:29	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
139.162.186.93	[11/Dec/2016:15:38:11	POST /wp/xmlrpc.php HTTP/1.0	301	-	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
146.0.236.138	[11/Dec/2016:08:35:31	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
146.0.236.138	[11/Dec/2016:15:53:15	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
151.236.51.86	[11/Dec/2016:20:51:24	POST /wp/xmlrpc.php HTTP/1.0	403	636	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
162.243.236.157	[12/Dec/2016:00:21:15	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
162.244.253.202	[11/Dec/2016:11:47:34	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
177.12.161.57	[11/Dec/2016:23:24:41	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
177.185.194.163	[11/Dec/2016:07:56:29	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
179.61.12.102	[11/Dec/2016:09:28:18	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
184.171.251.122	[11/Dec/2016:20:28:17	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
187.110.226.96	[11/Dec/2016:19:21:30	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
193.192.49.162	[11/Dec/2016:13:03:38	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
195.186.81.68	[11/Dec/2016:13:17:46	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
195.20.9.89	[11/Dec/2016:20:06:53	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
195.3.124.165	[11/Dec/2016:12:50:18	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
198.15.119.162	[11/Dec/2016:18:21:54	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
198.71.62.230	[11/Dec/2016:12:23:09	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
199.189.85.151	[11/Dec/2016:14:40:27	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
209.59.172.52	[11/Dec/2016:18:41:08	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
210.87.255.236	[11/Dec/2016:09:48:05	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
212.227.118.8	[11/Dec/2016:13:58:51	POST /wp/xmlrpc.php HTTP/1.0	403	636	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
212.227.119.136	[11/Dec/2016:10:08:11	POST /wp/xmlrpc.php HTTP/1.0	403	638	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
212.227.127.172	[11/Dec/2016:10:49:58	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
212.227.29.3	[11/Dec/2016:14:26:42	POST /wp/xmlrpc.php HTTP/1.0	403	635	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
212.45.63.18	[11/Dec/2016:16:08:39	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
212.90.148.12	[11/Dec/2016:18:03:57	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
216.104.160.96	[11/Dec/2016:08:13:32	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
216.177.134.128	[11/Dec/2016:21:14:39	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
46.4.107.79	[11/Dec/2016:19:43:07	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
54.207.72.40	[11/Dec/2016:11:58:09	POST /wp/xmlrpc.php HTTP/1.0	403	635	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
54.233.99.198	[11/Dec/2016:09:08:26	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
62.233.120.25	[11/Dec/2016:16:25:52	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
65.99.237.198	[11/Dec/2016:10:28:21	POST /wp/xmlrpc.php HTTP/1.0	403	636	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
67.227.188.31	[11/Dec/2016:15:09:11	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
67.227.188.31	[11/Dec/2016:22:03:18	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
67.227.188.31	[11/Dec/2016:22:56:50	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
68.109.247.118	[11/Dec/2016:14:54:38	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
68.109.247.118	[11/Dec/2016:15:23:17	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
72.29.65.181	[11/Dec/2016:11:22:41	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
72.29.77.223	[11/Dec/2016:20:04:40	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
74.208.16.121	[11/Dec/2016:08:51:23	POST /wp/xmlrpc.php HTTP/1.0	403	636	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
74.208.16.60	[11/Dec/2016:11:35:58	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
75.119.198.102	[11/Dec/2016:16:57:20	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
75.119.200.119	[12/Dec/2016:00:51:42	POST /wp/xmlrpc.php HTTP/1.0	403	637	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
76.74.247.50	[11/Dec/2016:12:10:00	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
76.74.247.50	[11/Dec/2016:22:28:35	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
76.74.247.50	[11/Dec/2016:23:52:13	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
79.170.40.37	[11/Dec/2016:14:12:44	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
79.170.40.37	[11/Dec/2016:19:01:14	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
79.170.44.81	[11/Dec/2016:17:30:44	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
80.237.133.45	[11/Dec/2016:17:14:29	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
81.169.211.58	[11/Dec/2016:13:45:11	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
82.100.220.50	[11/Dec/2016:17:47:30	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
87.106.110.3	[11/Dec/2016:13:31:41	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
88.86.120.45	[11/Dec/2016:16:40:57	POST /wp/xmlrpc.php HTTP/1.0	200	403	http://dontai.com/wp/xmlrpc.php	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
