谨防黑客攻击wordpress的xmlrpc.php
最近两天随便瞟了两眼机器的负载,发现飙升到了0.6了,我的博客一向访问人很少,即便是1CPU1G的配置,负载也不会这么高的。仔细看了apache的access日志。发现大量的访问xmlrpc.php的请求。 167.114.89.173 - - [22/Nov/2015:04:52:29 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 192.99.196.123 - - [22/Nov/2015:04:52:33 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 192.99.196.123 - - [22/Nov/2015:04:52:39 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.173 - - [22/Nov/2015:04:52:41 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.173 - - [22/Nov/2015:04:52:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.168 - - [22/Nov/2015:04:52:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 192.99.196.123 - - [22/Nov/2015:04:52:51 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 192.99.196.123 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.168 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.168 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.173 - - [22/Nov/2015:04:53:04 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 167.114.89.173 - - [22/Nov/2015:04:53:07 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 之前也看到过类似的请求,第一眼看到User-Agent包含Googlebot/2.1,http://www.google.com/bot.html等关键字,以为是google的爬虫,没有太留意。今天仔细看了下,发现并非如此,这样的访问是大量连续存在的,而且存在多个ip地址。都是POST请求到xmlrpc.php。抓包看内容完全一样的。百度下ip大都是芬兰啊,加拿大等国外的,也没有迹象表明是google的ip。google爬虫也应该不是这样的行为,所以果断屏蔽。之前使用虚拟机,只能在apache和php层。这次使用的独立主机,最直接的的方式就是在防火墙上屏蔽它们。 ...