Security and Technology Ramblings…

Topic: Using OSSEC to detect / block the XMLRPC.PHP attack.

The basis of this post came from this person's blog. A big thanks to him/her/it for the info!

Link: Void.GR

For my purposes, however, I made a couple of small changes.

First, for some reason, the Apache access log was being picked up by the pureftp-transfer decoder. Since I don't run PureFTP, I simply disabled that decoder and removed the PureFTP rules XML file from the rules include list in ossec.conf. A quick way to confirm the fix is to feed one access-log line to ossec-logtest and check that it now reports the web-accesslog decoder instead of pureftp-transfer; if the wrong decoder wins, neither of the rules below will ever fire.

I added the config below to the local rules file (local_rules.xml), wrapping it in a group element so the rules land in the web,accesslog group and chain off the stock web rules. The first rule tags every POST to xmlrpc.php at level 1; the second escalates to level 10 when the same source IP repeats it within 600 seconds. Level 10 is above the level-6 threshold of the firewall-drop and host-deny active responses in the stock ossec.conf, so the blocking half of this happens there if you have those responses enabled. Two caveats: the OSSEC rules documentation says the number of matches that actually triggers a frequency rule is two more than the value given, so test with ossec-logtest rather than assuming the alert arrives on the second POST; and legitimate clients (Jetpack, the WordPress mobile apps, pingbacks) also POST to xmlrpc.php, so whitelist their source IPs or raise the frequency before letting this drop traffic.


<group name="web,accesslog,">
  <!-- 31108 is the stock web_rules.xml rule ("Ignored URLs (simple queries)") that
       catches ordinary successful requests, which is exactly what these POSTs look like.
       <url> is tested against the decoded URL field; <match> against the whole line. -->
  <rule id="100167" level="1">
    <if_sid>31108</if_sid>
    <url>xmlrpc.php</url>
    <match>POST</match>
    <description>WordPress xmlrpc attempt.</description>
  </rule>

  <!-- Escalate when the same source IP trips 100167 twice inside 600 seconds.
       Level 10 clears the default active-response threshold (level 6). -->
  <rule id="100168" level="10" frequency="2" timeframe="600">
    <if_matched_sid>100167</if_matched_sid>
    <same_source_ip />
    <description>WordPress xmlrpc attack.</description>
    <group>attack,</group>
  </rule>
</group> <!-- Web access log -->
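To see what the two rules do before loading them into OSSEC, here is an added Python script (mine, not the original author's or OSSEC's code) that replays the same logic over a few constructed Apache access-log lines: it tags each POST to xmlrpc.php the way rule 100167 does and raises an attack alert when one source IP repeats it twice within 600 seconds, as rule 100168 does with same_source_ip. The log lines, the IPs and the reset-the-window-after-firing behaviour are assumptions made for the demo; the real check is still ossec-logtest against your own access log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample Apache combined-log lines (made up for this example, not real traffic).
# 203.0.113.5 fires two POSTs two seconds apart; 198.51.100.9 sends one GET and two POSTs
# fifteen minutes apart; 192.0.2.77 only hits wp-login.php.
SAMPLE_LOG = """
203.0.113.5 - - [12/Mar/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2015:10:01:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.38.0"
198.51.100.9 - - [12/Mar/2015:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1"
192.0.2.77 - - [12/Mar/2015:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD URL PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts, epoch, method, url, status; None if not an access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def is_xmlrpc_post(rec):
    """Equivalent of rule 100167's <url>xmlrpc.php</url> plus <match>POST</match>.

    OSSEC's <match> is tested against the whole log line, so a GET whose
    user-agent happened to contain "POST" would also match there; this
    script is stricter and checks the request method field instead.
    """
    return rec["method"] == "POST" and "xmlrpc.php" in rec["url"]


def detect(lines, frequency=2, timeframe=600):
    """Replay rules 100167/100168 over log lines.

    Returns (attempts, attacks): attempts is every (ip, url) that rule 100167
    would tag; attacks is every ip for which `frequency` POSTs landed inside
    a `timeframe`-second window (rule 100168 with <same_source_ip />).
    Assumption for this script: the per-IP window is reset after it fires,
    so one burst produces one attack alert. OSSEC's own counter may behave
    differently (its docs say the trigger count is two more than frequency).
    """
    windows = defaultdict(deque)  # ip -> timestamps of recent xmlrpc POSTs
    attempts, attacks = [], []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None or not is_xmlrpc_post(rec):
            continue
        attempts.append((rec["ip"], rec["url"]))
        q = windows[rec["ip"]]
        q.append(rec["epoch"])
        while q and rec["epoch"] - q[0] > timeframe:  # drop hits outside the window
            q.popleft()
        if len(q) >= frequency:
            attacks.append(rec["ip"])
            q.clear()
    return attempts, attacks


if __name__ == "__main__":
    attempts, attacks = detect(SAMPLE_LOG.splitlines())
    print("xmlrpc POST attempts:", attempts)
    print("attack alerts:", attacks)
```

Run it and only 203.0.113.5 comes back as an attack: the GET from 198.51.100.9 is ignored, and its two POSTs sit 900 seconds apart, outside the 600-second window. Widening timeframe to 1200 makes that second IP fire too, which is the kind of tuning you would do against a day of your own logs before wiring the level-10 alert to an active response.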
