XML-RPC attacks examined
Nikolett Hegedüs

XML-RPC attacks examined

Nikolett Hegedüs

XML-RPC attacks are “trending” nowadays. If you search for “XML-RPC attack” on Google, you can see approximately 380,000 results. Most of the articles deal with XML-RPC attacks on Wordpress-based websites.

What is XML-RPC?

RPC stands for remote procedure call and XML is the abbreviation of Extensible Markup Language. XML is widely used to represent data structures used in web services, and it is markup format that’s both human- and machine-readable. 

XML-RPC is a protocol that uses XML to encode its remote procedure calls. It also uses HTTP as a transport mechanism.

The protocol was created by Microsoft in the late 1990’s. XML-RPC works by sending an HTTP request to a server implementing the protocol. Multiple parameters can be passed to the remote method and one return value is returned. The protocol can be used to transport structures or object as input or output parameters.

Why are Wordpress XML-RPC attacks so frequent?

Last week while I was checking the logs of our running services I encountered a massive XML-RPC brute force attempt. There were lines crawling all over the logs containing the following information:

xx.xxx.xxx.xxx - - [  +0000] "POST /xmlrpc.php HTTP/1.0" 200 181 "-" "-"

The IP address is obfuscated on purpose.

It is an attack we frequently encounter in the server security business.

The popular CMS Wordpress uses an XML-RPC interface. XML-RPC has a system.multicall method which can be used to utilize a brute force attempt without sending a lot of requests. If the hacker send e.g. 500 single calls to guess the password for a Wordpress website, it can be easily stopped. But if the brute force password guessing can be made in a single request (by using the XML-RPC protocol), it becomes harder to stop these attacks.

It basically means that hundreds of passwords can be sent during a single HTTP request.

Some Wordpress plugins are using the file xmlrpc.php - so blocking the file is not always possible - but it is generally advised to block all access to this file if none of your plugins are using it.

How do we provide protection?

When one of the servers protected by BitNinja get an XML-RPC attack, our log analyzer module called SenseLog comes to the rescue. It detects the log lines that point to the possible attack and after a certain amount of connections, the IP gets blocked. We have filters in our service that are responsible for recognizing these suspicious lines in server logs and acting on it.

Share your ideas with us about this article

Previous posts

Cloudifying your legacy applications
In this article we will be dealing with OpenShift and Kubernetes technology. You can find some explanations about the terms used at the end of the article. If you want to take the neccessary steps to upgrade your own application, the first thing to do will be turning your pile of code into a container image.   The first step: containerization The Source-to-Image (s2i) method: Source-to-Image is an OpenShift tool for building reproducible Docker images by injecting source code into a Docker image. The new image will include the base (builder) image and the injec...
From Monolith to Microservices in 10 Steps
Do you have a monolithic application (for example a complex server-side enterprise application) with big features like support varieties of different clients, API for 3rd parties and some integrations with other web services and message brokers? Code usage is tolerable, but you want to release a smashing feature in the future, though you do not know how to manage the code, the integrations, the changes, etc.? If you are using monolithic applications, you might have been wondered about the following questions: How to manage the codebase? How to scale our application for...