Malware now guessing WordPress credentials via “POST /xmlrpc.php”


Two days ago I started seeing a massive increase in attacks trying to guess WordPress credentials via the xmlrpc.php module. Between 2015-01-01 and 2015-07-10 I saw 155 attempts to guess WordPress credentials via “POST /xmlrpc.php” requests, and 114 of those attempts occurred between 02-05 and 02-22. Those 155 attempts represent an average of 0.8 per day. Since 0300 hours on 07-11 I’ve seen 215 attacks of that nature, an average of 87 per day: a two-order-of-magnitude increase.

The attacks resemble this one (the most recent from my logs):

POST /xmlrpc.php HTTP/1.1
Connection: Close
Content-Length: 219
Host: www.skepticism.us

<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
   <param><value>krader</value></param>
   <param><value>freefree</value></param>
  </params>
</methodCall>

I don’t know of any way to block these a priori, i.e., before the RPC is actually executed. What I do instead is log the authentication failure. I’ve modified wp-includes/class-wp-xmlrpc-server.php to include the apache_setenv call in the diff shown below:

@@ -237,6 +237,7 @@ class wp_xmlrpc_server extends IXR_Server {
                if (is_wp_error($user)) {
                        $this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) )

+                       apache_setenv('error-notes', 'auth-failure');
                        /**
                         * Filter the XML-RPC user login error message.
                         *
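Review bot: `apache_setenv()` is only defined when PHP runs as an Apache module (mod_php); under php-fpm, FastCGI or a non-Apache server the added line calls an undefined function and the request dies with a fatal error before the 403 fault is ever returned. Guard the call, e.g. `if ( function_exists( 'apache_setenv' ) ) { apache_setenv( 'error-notes', 'auth-failure' ); }`. Also, the context line `$this->error = new IXR_Error( 403, __( 'Incorrect username or password.' ) )` as shown has no trailing semicolon; confirm the edited file keeps it, since the hunk as quoted would not parse. Finally, this is an edit to a core file and will be overwritten by the next WordPress update; setting the variable from a small plugin hooked on the login-error filter that the following docblock documents would survive upgrades.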

I then log the error-notes value by including %{error-notes}e in a custom LogFormat. My log monitor then notes the “auth-failure” and blacklists the source. That way the infected computer is unable to launch additional attacks. Obviously, in a highly distributed attack of this nature that is of limited value, but it’s better than nothing.
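The log-monitor side of this, as an added example that is not the post's own monitor: a small Python script that parses lines written by a custom Apache LogFormat carrying %{error-notes}e, counts “auth-failure” hits per source address, and returns the sources that cross a threshold. The exact LogFormat string, the field order, the threshold and the log lines are all assumptions constructed for this example (the post only says it appends %{error-notes}e). The environment variable is the useful signal here because WordPress answers a failed XML-RPC login with HTTP 200 and puts the 403 fault inside the XML body, so the status column alone cannot distinguish success from failure.

```python
import re
from collections import Counter

# Assumed custom LogFormat (hypothetical; the post does not show its own):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{error-notes}e\"" xmlrpc
# When PHP never set error-notes, Apache logs "-" for %{error-notes}e.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<notes>[^"]*)"$'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2015:03:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "auth-failure"
203.0.113.7 - - [11/Jul/2015:03:01:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "auth-failure"
198.51.100.23 - - [11/Jul/2015:03:02:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-"
203.0.113.7 - - [11/Jul/2015:03:02:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "auth-failure"
192.0.2.55 - - [11/Jul/2015:03:03:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "auth-failure"
this line is not in the expected format
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not
    match the assumed LogFormat (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def count_auth_failures(lines):
    """Count lines whose error-notes field is 'auth-failure', per source IP.
    Note that the HTTP status is 200 for these lines; only the env var
    set by the patched xmlrpc server tells failure apart from success."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["notes"] == "auth-failure":
            failures[rec["ip"]] += 1
    return failures


def sources_to_block(lines, threshold=3):
    """Return, sorted, the source IPs with at least `threshold` failures.
    A blacklisting step (firewall rule, deny list) would consume this list;
    the threshold keeps a single mistyped password from triggering a block."""
    counts = count_auth_failures(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in count_auth_failures(lines).most_common():
        print(f"{ip:16} {n} auth-failure(s)")
    print("block:", sources_to_block(lines))
```

Run against the constructed sample, 203.0.113.7 accumulates three failures and is the only address returned by sources_to_block; the single failure from 192.0.2.55 stays below the threshold, and the ordinary GET with "-" in the notes field is ignored. Feeding the real access log through parse_line line by line (or tailing it) is the only change needed to use it on a live server.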