Security and Technology Ramblings…

Topic: Using OSSEC to detect / block the XMLRPC.PHP attack.

The basis of this post came from this person's blog. A big thanks to he/she/it for the info!

Link: Void.GR

For my purposes however, I made a couple small changes.

First, for some reason, the Apache log was being tagged as a pureftp-transfer decode. Since I don't run PureFTP, I simply disabled this decoder and removed the pure xml config file from ossec.conf.

I added the config below to the local rules file, and included the group name to make sure the rules were added to web,accesslog.

<group name="web,accesslog,">
  <!-- 100167: one request for xmlrpc.php. The <if_sid> parent (31100, OSSEC's stock
       "Access log messages grouped" rule) and the <url> match are reconstructed;
       the original post shows only the rule header and description. -->
  <rule id="100167" level="1">
    <if_sid>31100</if_sid>
    <url>xmlrpc.php</url>
    <description>WordPress xmlrpc attempt.</description>
  </rule>
  <!-- 100168: 100167 matched 2 times from one source IP within 600 seconds. -->
  <rule id="100168" level="10" frequency="2" timeframe="600">
    <if_matched_sid>100167</if_matched_sid>
    <same_source_ip />
    <description>WordPress xmlrpc attack.</description>
  </rule>
</group> <!-- Web access log -->
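To see how the two-stage rule is meant to behave, here is an added Python model (not part of the original post and not OSSEC code) that applies the same logic to constructed Apache access-log lines: every request for xmlrpc.php is an "attempt", and a second attempt from the same source IP within 600 seconds raises an "attack". The log lines, addresses and timestamps are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log sample (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:14:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields the rules care about, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url")}


def xmlrpc_alerts(log_text, frequency=2, timeframe=600):
    """Model rules 100167/100168: return (attempt IPs, list of (ip, time) attacks)."""
    attempts, attacks = [], []
    recent = defaultdict(deque)  # source IP -> timestamps of recent attempts
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "xmlrpc.php" not in ev["url"]:
            continue  # rule 100167 (<url>xmlrpc.php</url>) does not match
        attempts.append(ev["ip"])  # level-1 "WordPress xmlrpc attempt"
        window = recent[ev["ip"]]  # <same_source_ip /> keeps a count per IP
        window.append(ev["ts"])
        # drop attempts older than the timeframe
        while (ev["ts"] - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:  # frequency reached inside the window
            attacks.append((ev["ip"], ev["ts"]))  # level-10 "WordPress xmlrpc attack"
            window.clear()  # start a fresh count after firing
    return attempts, attacks


if __name__ == "__main__":
    got_attempts, got_attacks = xmlrpc_alerts(SAMPLE_LOG)
    print(len(got_attempts), "attempts;", got_attacks)
```

OSSEC does its own counting, and its documentation notes that the number of matches that actually triggers a rule is two more than the frequency value, so verify the deployed rule with ossec-logtest rather than relying on this model.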
