Beware of hackers attacking WordPress's xmlrpc.php

Over the last two days I happened to glance at the machine's load and found it had climbed to 0.6. This blog has always had very few visitors, so even on a 1 CPU / 1 GB configuration the load should never be that high. Looking closely at the Apache access log, I found a large number of requests to xmlrpc.php:

167.114.89.173 - - [22/Nov/2015:04:52:29 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:33 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:39 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:52:41 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:52:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.168 - - [22/Nov/2015:04:52:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:51 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.168 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.168 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:53:04 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:53:07 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"

I had seen similar requests before. At first glance the User-Agent contained Googlebot/2.1 and http://www.google.com/bot.html, so I assumed it was Google's crawler and did not pay much attention. Today I looked more carefully and found that this is not the case: the requests arrive continuously and in large volume, they come from several IP addresses, and every one is a POST to xmlrpc.php. A packet capture shows the request bodies are all identical. Looking the IPs up on Baidu, most are abroad (Finland, Canada and so on), and nothing indicates they belong to Google; Google's crawler would not behave like this anyway, so I blocked them without hesitation. Previously the blog ran on a virtual machine, where I could only block at the Apache and PHP layers; this time it runs on a dedicated host, so the most direct approach is to block the addresses at the firewall.

First, count which of these IPs appear in the current log:

#> grep xmlrpc.php zhaoyanblog.com-access_log | awk '{print $1}' | sort | uniq -c
      61 103.24.105.228
      12 158.69.159.211
   15051 158.69.159.223
   21941 167.114.89.168
   21512 167.114.89.173
   31182 192.99.196.123
      38 46.148.16.114
      37 46.148.17.90
     212 68.180.229.113
      21 92.63.87.97

To avoid blocking the wrong addresses by mistake, start with the IPs that have the high request counts, for example:

iptables -I INPUT -s 167.114.89.168 -j DROP
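The two manual steps above (count xmlrpc.php requests per source IP, then write a DROP rule for the heavy hitters) can be combined into one script that reviews the log and prints the rules instead of applying them. The script below is an added example, not the blog's own code: the log lines embedded in it are constructed, the addresses come from the documentation ranges, and the threshold and temporary log path are assumptions. Unlike the blog's plain grep, it only counts POST requests whose path starts with /xmlrpc.php, so GETs and unrelated paths that merely mention the string are not counted.

```shell
#!/bin/sh
# Added example (not from the original post): summarise POST requests to
# xmlrpc.php per source IP in an Apache combined-format access log and
# print, for review, an iptables DROP rule for each IP over a threshold.
# The log lines below are constructed; the IPs (documentation ranges),
# the threshold and the temporary file are assumptions for the demo.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [22/Nov/2015:04:52:29 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
203.0.113.10 - - [22/Nov/2015:04:52:33 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
203.0.113.10 - - [22/Nov/2015:04:52:39 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
198.51.100.7 - - [22/Nov/2015:04:52:41 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Nov/2015:04:52:49 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Nov/2015:04:53:04 +0800] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.40"
EOF

# count_xmlrpc_posts LOGFILE
# Prints "count ip" lines, highest count first. In the combined log
# format field 6 is the quoted method ("POST) and field 7 is the path,
# so only real POSTs to /xmlrpc.php (with or without a query string)
# are counted; the GET on the last sample line is ignored.
count_xmlrpc_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# block_rules LOGFILE THRESHOLD
# Emits one iptables DROP rule per IP with at least THRESHOLD POSTs.
# The rules are printed, not executed, so they can be reviewed first.
block_rules() {
    count_xmlrpc_posts "$1" |
        awk -v t="$2" '$1 >= t { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

echo "POSTs to xmlrpc.php per IP:"
count_xmlrpc_posts "$SAMPLE_LOG"
echo "Rules for IPs with at least 3 POSTs:"
block_rules "$SAMPLE_LOG" 3
```

Run it against the real log by replacing SAMPLE_LOG with the access log path, then pipe the printed rules through `sh` once they look right. The threshold is what guards against blocking the wrong address: an address with a handful of hits may be a real client, while tens of thousands of identical POSTs from one source are not. A spoofed User-Agent is no evidence either way; Google's documented way to verify a Googlebot claim is a reverse DNS lookup of the IP followed by a forward lookup of the resulting name, which a faked header cannot satisfy.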
