Tag: ubuntu (page 1 of 2)

WordPress xmlrpc.php attack

Recently, one of my WordPress website has been attacked by thousands of request to the xmlrpc.php file. The attacks came from multiple ip address. Here is my apache access log(/var/apache2/access.log): - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:44 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:35 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:37 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" - - [15/May/2016:21:05:43 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

These attacks come and go, and they had took down my site several times over the last few months. I did some google and found out that this kind of attack has been around for a while. It attempts to use the xmlrpc.php file to brute force WordPress logins.


Block IPs with ufw

Most ubuntu server has ufw installed, it can be used to block specific ip address from accessing the server.

I run the following command(reference) to get a list of attacker’s ip addresses:

$ grep xmlrpc /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head

// results

Those numbers in front of IPs are the number of times each ip requested the xmlrpc.php file.

Then for each of the IP address, I used the following command to block them using ufw:

sudo ufw deny from // replace with your attacker's ip address

I then ran the list attacker command a few more times after I blocked all IPs. Unfortunately, the access count is still increasing. There seems to be a problem with iptables on Ubuntu, but I couldn’t find a solution. So I tried another method to deal with these attacks.

Modifying Apache Virtual Host Config

Which is adding the following:

    <files xmlrpc.php>
      order allow,deny
      deny from all

to your WordPress apache virtual host config file.
My config file is the standard


Modifying this file will not block the attacker’s request, but reduce the amount of resources the request consumes on your server.

After I reload the apache with

sudo services apache2 restart

I was able to access my WordPress website again.

How to setup Apache Virtual Host on Ubuntu 14.04

These days setting up a website is easy. We can simply buy a domain, get a web host or cloud service, put up a WordPress or other platforms, done. There are tons of tutorials on the internet, and I just happen to have one as well.

Often, after that initial setup, you might realize that you are not utilizing all the computing power of the cloud and the capabilities of your domain. You are not getting that many traffics on your website. In fact, for most of the time your server just sits there, not serving anyone. On the other hand, other than www.example.com, you are not using any of the unlimited subdomains like whatever.example.com that happens to come with your purchase of the example.com.

Now that you realize the potentials of what you already own, you can utilize them. One way to do that is setup another personal blog for yourself or a photo gallery for you and your love ones (There is only 1 love.example.com!). However, doing such thing often requires the use of virtual host or vhost for short. You don’t know how? I am here to help!

What is Virtual Host

host helps you to host website, or several websites on the same computer. I use it to host johnsonsu.com and blog.johnsonsu.com on the same AWS EC2 instance.

Apache vhost Setup for Ubuntu 14.04

Apache comes with vhost by default. In fact, apache is using vhost to host your current website. In Ubuntu 14.04, apache’s vhost related files are located in:


Inside this directory, you should see a 000-default.conf file. This is the default configuration file for apache vhost. The content should look something like this (with out the comments):

    <VirtualHost *:80>

        ServerAdmin [email protected]
        DocumentRoot /var/www

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


What this does is when someone connects to your server on port 80 (default port for HTTP), apache will handle that request with the things in side /var/www, which is usually your website’s root folder.

Now, we want to host more website on the server, say we a www.example.com and a blog.example.com. To save the hassle, we can simply duplicate the default configuration. We can run the command:

    sudo cp /etc/apache2/site-availabel/000-default.conf www.example.conf     #copy the default config file to a new file called www.example.conf
    sudo cp /etc/apache2/site-available/000-default.conf blog.example.conf     #copy the default config file to another new file called blog.example.conf

Now we have 2 new config file, let’s edit them. We want the www.example.conf to look something like this:

    <VirtualHost *:80>

        ServerAdmin [email protected]
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/wordpress  #You should change this to your main site's root folder

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


Whereas blog.example.conf should look like this:

    <VirtualHost *:80>

        ServerAdmin [email protected]
        ServerName blog.johnsonsu.com
        DocumentRoot /var/www/blog  #You should change this to your main site's root folder

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


Notice they are very similar. The only thing you need to make sure is the ServerName and DocumentRoot are correct.

Now you can go to your domain’s DNS manager. For example, if you purchased domain from godaddy, then go to godaddy.com, login, and edit your DNS. You would want to add a new CNAME record with name blog as an alias of example.com and point to the same server IP address. After that save the changes and wait for DNS to update, this can take a while.

Now if you go to blog.example.com, you should see whatever you put in /var/www/blog. Congratulations, you now have another website on your server, without paying any extra!

You can easily create a bunch of WordPress website for your hobby(guitar.example.com), your lover(love.example.com), your family members(family.example.com), even for your dog(you got it!).

Installing HHVM on Ubuntu for Laraval

Recently I have been working on a project on Laravel 4.

As the web application in this project have reached a stable state, I decided to give Facebook’s HipHop VM (HHVM) as try. I have read that it gives a great performance boost to PHP applications, and it supports Laravel 100%.

After all it did turn out nicely, the response time of my application is about 50% shorter than before, and the process of setting it up is not that difficult either. So here is a note about what I did to have Laravel run faster using HHVM on a Ubuntu 14.04 server running Apache.

1. Install the softwares

HHVM requires VirtualBox and Vagrant to run. It’s very simple to install these two software on a Ubuntu 14.04, just use the following commands:

Make sure we have the most updated list of softwares:

$sudo apt-get update

Install Virtualbox:

$sudo apt-get install virtualbox

Install Vagrant:

$sudo apt-get install vagrant

I will assume you already have Apache on your system.

Now that we have the prerequisites, we can install the HHVM:

$ wget -O - http://dl.hhvm.com/conf/hhvm.gpg.key | sudo apt-key add -
$ echo deb http://dl.hhvm.com/ubuntu trusty main | sudo tee /etc/apt/sources.list.d/hhvm.list
$ sudo apt-get update
$ sudo apt-get install hhvm

At the end of HHVM installation, HHVM is nice enough to tell us what to do:

* HHVM is installed.
* Running PHP web scripts with HHVM is done by having your webserver talk to HHVM
* over FastCGI. Install nginx or Apache, and then:
* $ sudo /usr/share/hhvm/install_fastcgi.sh
* $ sudo /etc/init.d/hhvm restart
* (if using nginx) $ sudo /etc/init.d/nginx restart
* (if using apache) $ sudo /etc/init.d/apache restart
* Detailed FastCGI directions are online at:
* https://github.com/facebook/FastCGI
* If you're using HHVM to run web scripts, you probably want it to start at boot:
* $ sudo update-rc.d hhvm defaults
* Running command-line scripts with HHVM requires no special setup:
* $ hhvm whatever.php
* You can use HHVM for /usr/bin/php even if you have php-cli installed:
* $ sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60

2. Set up HHVM

Now let’s run the commands as we are told.

Let’s install the FastCGI, this is how our webserver talk to HHVM:

$ sudo /usr/share/hhvm/install_fastcgi.sh

And restart HHVM:

$ sudo /etc/init.d/hhvm restart

We will need to restart Apache as well:

$ sudo /etc/init.d/apache restart

If you want to, like I do, you can set hhvm to start at boot:

$ sudo update-rc.d hhvm defaults


Now use your browser and go to your laravel application see if HHVM doing its job.

Trouble Shooting

You can check wether the application is running on HHVM by using the following php code.

if (defined('HHVM_VERSION')) {
// your application is running on hhvm
} else {
// no hhvm

404 Not Found???

If after you installed HHVM, your application suddenly shows 404 Not Found like I did. Don’t panic like I did. Add the following code at the end of /etc/hhvm/server.ini file:


Hopfully this will fix the 404. It’s a problem related to a modified Apache configuration file.