Are the URLs in xmlrpc DDOS attacks passive, compromised or active participants?
My (Linux / Apache) server has been under attack for weeks - via xmlrpc.php and wp-login.php - and WordPress script files.
I took the liberty of adding code to email me the POST data, etc.
What I see for xmlrpc attacks is POST XML which identifies some pingback urls that look suspicious.
For example:
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param> <value><string>http://absolutehacks.com/forum</string></value></param><param><value><string>http://www.__my_domain__.com/__a blog url on my site__/</string></value></param></params></methodCall>
and
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string> http://sinfulexp.net/forum</string></value></param><param><value><string>http://www.__my_domain__.com/__a blog url on my site__/</string></value></param></params></methodCall>
I may be wrong, but judging only by their names - absolutehacks.com, sinfulexp.net - I believe that they are not just passive, compromised participants in these attacks.
Any comments leading to enlightenment would be appreciated.
Colin g
+3
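An added example, not part of the original post: a triage script for captured POST bodies like the two above. In the Pingback specification the first pingback.ping parameter is the source URI and the second is the target URI, and the script tallies calls per claimed source host and target path. The hostnames, the make_body helper and the sample bodies are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Matches a leading XML declaration, including the malformed
# '<?xmlversion="1.0"?>' form seen in the captured bodies.
_PROLOG = re.compile(r'^\s*<\?xml[^>]*\?>')

def make_body(src, tgt):
    """Build a constructed sample body in the shape of the captured ones."""
    return ('<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName>'
            '<params><param><value><string>%s</string></value></param>'
            '<param><value><string>%s</string></value></param></params></methodCall>'
            % (src, tgt))

def parse_pingback(body):
    """Return (source_uri, target_uri) for a pingback.ping call, else None."""
    upper = body.upper()
    if '<!DOCTYPE' in upper or '<!ENTITY' in upper:
        return None  # refuse DTDs: no entity expansion on untrusted input
    try:
        root = ET.fromstring(_PROLOG.sub('', body, count=1))
    except ET.ParseError:
        return None
    name = (root.findtext('methodName') or '').strip()
    if root.tag != 'methodCall' or name != 'pingback.ping':
        return None
    # XML-RPC allows <value> with or without an inner <string>.
    params = [(p.findtext('value/string') or p.findtext('value') or '').strip()
              for p in root.findall('params/param')]
    if len(params) != 2 or not all(params):
        return None
    return params[0], params[1]

def summarise(bodies):
    """Count pingback calls per (claimed source host, target path)."""
    counts = Counter()
    for body in bodies:
        parsed = parse_pingback(body)
        if parsed:
            src, tgt = parsed
            counts[(urlsplit(src).hostname, urlsplit(tgt).path)] += 1
    return counts

TARGET = 'http://www.target.example/blog/post-1/'  # constructed
SAMPLE_BODIES = [  # constructed, not real traffic
    make_body('http://source-a.example/forum', TARGET),
    make_body(' http://source-a.example/forum', TARGET),
    make_body('http://source-b.example/forum', TARGET),
    '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>',
]
```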