I was having a very high CPU consumption on my Ubuntu server, and most of my Apache websites were down.
I just went to check the Apache logs on /var/log/apache2 and I saw that there was someone doing an xmlrpc attack on my WordPress sites.
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:19 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:27:27 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:27:54 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:27:30 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
The fastest way to stop it would be to just block that file on the Apache server.
Continue reading “Block xmlrpc.php on Apache for all Domains on Ubuntu”