@rushipkar90
Last active May 23, 2023 06:39
Outbound xmlrpc attack
If you are receiving abuse complaints that your server is the source of an outgoing xmlrpc brute-force attack, you can find the culprit account with the steps below:
1) Run the command below inside a 'screen' session. The filter keeps only TCP port 80 packets that carry a payload (header-only ACKs are dropped), and everything matched is written in ASCII to /home/logs/tcpdump14022016.
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > /home/logs/tcpdump14022016
2) Set up the cron jobs below on the server. You can either add them to the root crontab (crontab -e) or put them in a file under /etc/cron.d/; in the example below the file is named "dumplogs". The two entries together run the script every 30 seconds.
root@test[/etc/cron.d]# cat dumplogs
* * * * * root /home/logs/writelogs.sh
* * * * * root sleep 30; /home/logs/writelogs.sh
Before setting up the cron job, make sure that the file /home/logs/writelogs.sh exists and is executable, with the script below inside.
root@test[/etc/cron.d]# cat /home/logs/writelogs.sh
#!/bin/bash
# Snapshot sockets, processes, and Apache status on every run, with the
# time in the filename so they can be correlated with the tcpdump capture.
netstat -antpe > /home/logs/$(date +%F_%T)-ns.txt
ps auxfwww > /home/logs/$(date +%F_%T)-ps.txt
# -c full command line, -b batch mode, -n1 a single iteration
top -cbn1 > /home/logs/$(date +%F_%T)-top.txt
# fullstatus needs mod_status enabled and a text browser such as lynx installed
/etc/init.d/httpd fullstatus > /home/logs/$(date +%F_%T)-apache.txt
3) root@test[/home/logs]# tail -f tcpdump14022016
Look for the xmlrpc requests and ignore those that carry a header like X-Pingback: domainname.com, since those are legitimate xmlrpc requests generated by the domains hosted on the server. Search for patterns like Host: serverhostname and Host: domainname.com, then ping domainname.com to get the IP address of the remote domain.
[Note that this step can be skipped if the remote domain and its IP address are already given in the xmlrpc brute-force complaint.]
4) Once we have the IP address of the remote domain, search the snapshots for it. For example, if the remote IP is 93.93.69.48:
root@test [/home/logs]# grep -lr 93.93.69.48 *
2016-02-13_06:41:01-ns.txt
2016-02-13_06:41:31-ns.txt
2016-02-13_06:42:01-ns.txt
2016-02-13_06:42:31-ns.txt
2016-02-13_06:43:01-ns.txt
2016-02-13_06:43:31-ns.txt
2016-02-13_23:47:02-ps.txt
2016-02-13_23:47:31-ps.txt
2016-02-13_23:48:02-ps.txt
2016-02-13_23:48:32-ps.txt
2016-02-13_23:49:02-ps.txt
2016-02-13_23:58:32-ps.txt
2016-02-14_22:37:32-ps.txt
root@test [/home/logs]# grep 93.93.69.48 2016-02-13_06:*-ns.txt
2016-02-13_06:41:01-ns.txt:tcp 29662 0 69.90.163.115:32994 93.93.69.48:80 CLOSE_WAIT 1804 3650405461 270504/php
2016-02-13_06:41:31-ns.txt:tcp 0 1 69.90.163.115:33293 93.93.69.48:80 SYN_SENT 1804 3650410786 270504/php
2016-02-13_06:41:31-ns.txt:tcp 0 1 69.90.163.115:32994 93.93.69.48:80 LAST_ACK 0 0 -
Note that "270504" is the process ID, shown in the last column (PID/Program name) of the first two result lines.
5) Once we have the process ID, search the ps snapshots for it; the result shows the exact account and domain that were the source of the xmlrpc brute-force attack.
root@test [/home/logs]# grep 270504 2016-02-13*-ps.txt | less
2016-02-13_06:02:02-ps.txt:tress468 270504 3.9 0.4 216212 68144 ? R 06:01 0:00 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:02:32-ps.txt:tress468 270504 3.6 0.4 217552 74112 ? S 06:01 0:01 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:03:02-ps.txt:tress468 270504 4.2 0.4 218756 75180 ? R 06:01 0:03 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:03:32-ps.txt:tress468 270504 3.7 0.4 218756 75268 ? S 06:01 0:03 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:04:02-ps.txt:tress468 270504 4.3 0.4 219268 75780 ? S 06:01 0:05 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:04:32-ps.txt:tress468 270504 4.6 0.4 219268 75788 ? S 06:01 0:07 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:05:01-ps.txt:tress468 270504 4.5 0.4 219268 75796 ? S 06:01 0:08 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:05:31-ps.txt:tress468 270504 4.5 0.4 219268 75856 ? S 06:01 0:10 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:06:02-ps.txt:tress468 270504 4.6 0.4 219424 76136 ? S 06:01 0:11 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:06:32-ps.txt:tress468 270504 4.7 0.4 219424 76136 ? S 06:01 0:13 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:07:02-ps.txt:tress468 270504 4.5 0.4 219424 76136 ? S 06:01 0:14 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:07:33-ps.txt:tress468 270504 4.5 0.4 219424 76140 ? S 06:01 0:15 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:08:03-ps.txt:tress468 270504 4.6 0.4 219424 76140 ? R 06:01 0:17 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:08:32-ps.txt:tress468 270504 4.6 0.4 219740 76260 ? R 06:01 0:18 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:09:02-ps.txt:tress468 270504 4.6 0.4 219740 76260 ? R 06:01 0:20 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
2016-02-13_06:09:32-ps.txt:tress468 270504 4.6 0.4 219740 76260 ? S 06:01 0:21 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
Here we can see that the culprit account is "tress468" and the domain through which the xmlrpc attack was sent is "cozynest.ca".
6) To resolve the issue, the suggestions are as follows:
Inform the client and refer them to the URLs below for information on mitigating xmlrpc attacks.
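Steps 4 and 5 can be done in one pass over the snapshots that writelogs.sh produces. The script below is an added example, not part of the original gist: it reads the netstat and ps snapshots in LOGDIR, finds every PID that had a socket to the remote IP on port 80, and prints the owning user and command line. The snapshot files it creates are constructed to mirror the gist's own output, and LOGDIR, make_samples and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the gist's code): correlate "netstat -antpe" and
# "ps auxfwww" snapshots from writelogs.sh to find the account behind a
# connection to a remote IP. LOGDIR defaults to a temp dir with sample data.
LOGDIR="${LOGDIR:-$(mktemp -d)}"

# Constructed sample snapshots in the same layout as the gist's output.
make_samples() {
  cat > "$LOGDIR/2016-02-13_06:41:01-ns.txt" <<'EOF'
tcp 29662 0 69.90.163.115:32994 93.93.69.48:80 CLOSE_WAIT 1804 3650405461 270504/php
tcp 0 0 69.90.163.115:22 198.51.100.7:51234 ESTABLISHED 0 12345 1122/sshd
EOF
  cat > "$LOGDIR/2016-02-13_06:41:31-ns.txt" <<'EOF'
tcp 0 1 69.90.163.115:33293 93.93.69.48:80 SYN_SENT 1804 3650410786 270504/php
tcp 0 1 69.90.163.115:32994 93.93.69.48:80 LAST_ACK 0 0 -
EOF
  cat > "$LOGDIR/2016-02-13_06:02:02-ps.txt" <<'EOF'
tress468 270504 3.9 0.4 216212 68144 ? R 06:01 0:00 | \_ /usr/bin/php /home/tress468/public_html/cozynest.ca/index.php
EOF
}

# PIDs that had a socket to <remote_ip>:80 in any netstat snapshot; sockets
# with no owning process ("-", e.g. LAST_ACK after the process exited) are skipped.
pids_for_remote() {
  cat "$LOGDIR"/*-ns.txt |
    awk -v tgt="$1:80" '$5 == tgt && $NF != "-" { split($NF, p, "/"); print p[1] }' |
    sort -u
}

# Owning user of a PID, from the first ps snapshot that recorded it.
owner_of_pid() {
  cat "$LOGDIR"/*-ps.txt | awk -v pid="$1" '$2 == pid { print $1; exit }'
}

# Command line of a PID with the "ps f" tree prefix ("|", "\_") stripped.
cmdline_of_pid() {
  cat "$LOGDIR"/*-ps.txt | awk -v pid="$1" '$2 == pid {
    s = ""
    for (i = 11; i <= NF; i++) if ($i != "|" && $i != "\\_") s = s (s == "" ? "" : " ") $i
    print s; exit }'
}

# One line per process that talked to the remote IP: user, PID, command line.
report_for_remote() {
  for pid in $(pids_for_remote "$1"); do
    printf '%s %s %s\n' "$(owner_of_pid "$pid")" "$pid" "$(cmdline_of_pid "$pid")"
  done
}

make_samples
report_for_remote 93.93.69.48
```

On a real server, point LOGDIR at /home/logs and skip make_samples; the same account and domain then appear without grepping each snapshot by hand.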
https://wordpress.org/plugins/stop-xmlrpc-attack/
https://wordpress.org/support/topic/recent-new-xmlrpcphp-brute-force-password-guessing-attack-details
In the meantime, we can disable xmlrpc.php for the culprit account by adding the block below to the account's .htaccess file.
<Files xmlrpc.php>
# Apache 2.2 syntax; on 2.4 it works only with mod_access_compat loaded, otherwise use "Require all denied"
order deny,allow
deny from all
</Files>
Bingo!!!! :) :)