Need to block this ASAP

four0four · October 25, 2010, 3:27am

In my log files, I’ve been receiving thousands of requests that look like the following:


"POST / HTTP/1.0" 200 18890 "-" The Incutio XML-RPC PHP Library -- WordPress/3.0.1"

It’s so bad that the shared server that I’m on crashed.

Can someone help me block these types of requests?

Thanks!

four0four · October 25, 2010, 6:41am

I’m not sure if that’s the user agent.

The only thing it shows in my logs is the following:

IP ADDRESS - - [DATE] “POST / HTTP/1.0” 200 18890 “-” The Incutio XML-RPC PHP Library – WordPress/3.0.1"

I’m guessing “The Incutio XML-RPC PHP Library – WordPress/3.0.1” is the user agent, right?

If that IS the user agent, can I just block these requests the same way bots/spiders are blocked?

dklynn · October 25, 2010, 3:52am

404,

Do you have the IP address? That’s easiest to block. USER_AGENT? Do you even have mod_rewrite available to you?

On the other hand, this looks like you may have installed “The Incutio XML-RPC PHP Library” in your WP installation. Disable it until you can find out how to run it properly.

Regards,

DK

SpacePhoenix · October 25, 2010, 3:52am

Are they all coming from a single IP?

four0four · October 25, 2010, 4:03am

All from different IPs. Thousands from all over the world.

I don’t use WordPress or the Incutio XML-RPC PHP Library either.

It looks like someone added my site to a WordPress plugin that tries to ping my website using the XML-RPC interface.

Can I create a simple .htaccess file that blocks anything with “Incutio XML-RPC PHP Library” in the request?

I’m pretty sure I have mod_rewrite available too.

dklynn · October 25, 2010, 9:59am

404,

Yup! There was a recent thread about blocking bot* and *bot which would have code you SHOULD look at for this.

Regards,

DK

dklynn · October 25, 2010, 6:03am

404,

Is “Incutio XML-RPC PHP Library” part of the {USER_AGENT} string? If not, what is being recorded?

Regards,

DK

four0four · October 26, 2010, 12:50am

OK, instead of blocking the user agent, I’ve decided to use a different approach.

All of these requests are POST requests (which is something I’d like to block for other bots/spiders as well), so I came up with this:


RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_HOST} !.*mydomain.com.*
RewriteRule ^.* - [F,L]

but for some reason it doesn’t work. Any ideas?

I’d like to block all POST requests to my site, yet allow all POST requests from within my site.

dklynn · October 26, 2010, 4:23am

404,

You’re looking at your own server’s details, not the {HTTP_REFERER}.

Regards,

DK

Topic		Replies	Views
Massive wp spammer PHP	5	642	April 18, 2010
IS SOMEONE IS TRYING TO HACK MY BLOG - Help Me Server Config security	10	1425	October 8, 2014
Anyone familiar with XML-RPC for PHP? HTML & CSS xml	1	1229	October 8, 2014
.htaccess Modification to Block User Agent? Server Config	5	4137	October 8, 2014
Whack-a-mole issue and HTACCESS file blocking Server Config security	4	1802	June 26, 2015

Need to block this ASAP

Related topics