Tag: wordpress

WordPress xmlrpc.php attack

Recently, one of my WordPress websites was hit by thousands of requests to the xmlrpc.php file. The attacks came from multiple IP addresses. Here is my Apache access log (/var/apache2/access.log):

62.141.35.242 - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:44 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
188.120.41.8 - - [15/May/2016:21:05:35 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:37 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
62.141.35.242 - - [15/May/2016:21:05:43 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

These attacks come and go, and they have taken my site down several times over the last few months. Some googling showed that this kind of attack has been around for a while: it uses the xmlrpc.php endpoint to brute-force WordPress logins.

Solution

Block IPs with ufw

Most Ubuntu servers have ufw installed; it can be used to block specific IP addresses from reaching the server.

I ran the following command (reference) to get a list of the attackers' IP addresses:

$ grep xmlrpc /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head

// results
6039 62.141.35.242
1566 154.16.63.40
1411 188.120.41.8
 248 195.2.252.132

The number in front of each IP is how many times that address requested the xmlrpc.php file.

Then, for each IP address, I blocked it with the following ufw command:

sudo ufw deny from 62.141.35.242   # replace with the attacker's IP address

I then ran the attacker-listing command a few more times after blocking all the IPs. Unfortunately, the access counts kept increasing. There seems to be a problem with iptables on Ubuntu, but I couldn't find a solution, so I tried another method to deal with these attacks.
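The counting-and-blocking procedure above, as an added example that is not part of the original post. It runs the same per-IP count over a constructed log sample, applies a threshold, and prints the ufw commands instead of running them. It uses `ufw insert 1` rather than a plain `ufw deny from`: ufw evaluates rules in order, first match wins, and a deny rule appended after an existing `allow 80/tcp` rule is never reached for web traffic, which is one common reason a block appears not to work (whether that was the cause here is not confirmed by the post).

```shell
#!/bin/sh
# Constructed sample of Apache combined-log lines, using documentation
# address ranges; not the author's real log.
SAMPLE_LOG='203.0.113.10 - - [15/May/2016:21:05:38 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.10 - - [15/May/2016:21:05:39 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.10 - - [15/May/2016:21:05:40 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [15/May/2016:21:05:41 +0800] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2016:21:05:42 +0800] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.5 - - [15/May/2016:21:05:43 +0800] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.5 - - [15/May/2016:21:05:44 +0800] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "count ip" for POSTs to xmlrpc.php,
# busiest first. Testing the method and path fields ($6, $7) instead of
# grepping the whole line avoids counting requests whose referer or
# user-agent merely contains the string "xmlrpc".
xmlrpc_post_counts() {
    awk '$6 == "\"POST" && $7 == "/xmlrpc.php" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs with at least $1 such requests.
abusive_ips() {
    xmlrpc_post_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

# Emit (do not run) the ufw commands for those IPs. "insert 1" places
# each deny rule at the top: ufw is first-match, so a plain "ufw deny
# from" appended below an existing "allow 80/tcp" never fires for web
# traffic.
ufw_block_commands() {
    abusive_ips "$1" | while read -r ip; do
        printf 'sudo ufw insert 1 deny from %s\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | ufw_block_commands 2
```

Review the printed commands before running them; feed the real log with `ufw_block_commands 100 < /var/log/apache2/access.log` and a threshold that fits your traffic.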

Modifying Apache Virtual Host Config

This means adding the following:

<VirtualHost>
    …
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>

to your WordPress Apache virtual host config file. My config file is the standard

/etc/apache2/sites-available/000-default.conf

This does not stop the attacker's requests from reaching the server, but Apache now answers them with a 403 before PHP runs, which greatly reduces the resources each request consumes. On Apache 2.4 the same effect is achieved with Require all denied inside the Files block; the Order/Deny syntax above still works there only while mod_access_compat is enabled.

After I restarted Apache with

sudo service apache2 restart

I was able to access my WordPress website again.

WordPress on AWS EC2 Ubuntu 14.04 Tutorial Part 2

In part 1, we successfully deployed our AWS EC2 server running Ubuntu 14.04. Now we can move on to the next step: server configuration and software installation.

SSH To Server

We will run WordPress on a LAMP server, which stands for Linux + Apache + MySQL + PHP. This software does not come with the Ubuntu image we installed; fortunately, the installation process is simple. We will use ssh to connect to our server, which requires the key (.pem file) we saved earlier. Fire up a terminal and enter the following command:

ssh -i pem_file_location ubuntu@server_ip_address

where pem_file_location is the absolute path to the pem file, and server_ip_address is the public IP address shown in the EC2 instance table. If you get an error reply from the server, make sure you have opened the SSH port (port 22) in your AWS security group. You may also need to change the permissions of your pem file, which you can do with:

chmod go-rwx pem_file_location

to set the proper permissions on the key file (readable by you only).

Installing Software

To install the LAMP setup, simply type the following command in the ssh session:

sudo tasksel install lamp-server

This command does all the work for you. During the installation you will be asked to give your MySQL root account a password. Again, please remember this information.

Create WordPress Database

After the LAMP server is installed, we can now access our MySQL database with the following command:

mysql -u root -p

You will be asked for your MySQL password, which is the one you "remembered" earlier. Once you are inside mysql, simply create a database with a name of your choice, for example "wordpress":

CREATE DATABASE wordpress;

Don't forget the semicolon at the end. If you get the message:

Query OK, 1 row affected (0.00 sec)

Congratulations, you have created your database. The next step is to set up a database user for WordPress to access this database. We will use the following commands:

CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'password';

GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';

FLUSH PRIVILEGES;

You should use a password other than ‘password’ here, and remember that for later.

Download WordPress

Now that our database and server are set up, we can download WordPress onto the server with the command:

wget https://wordpress.org/latest.tar.gz

This downloads the compressed WordPress archive into your present working directory. To install it, we need to uncompress the file first:

tar xzvf latest.tar.gz

This uncompresses the archive and creates a "wordpress" directory in your pwd (present working directory; if you haven't noticed, pwd is also a command).

Next we need to edit some configuration files. To move into the newly created “wordpress” directory, we do:

cd wordpress

And make a copy of the WordPress sample configuration file, renamed as the actual configuration file:

cp wp-config-sample.php wp-config.php

Now we can use our favourite text editor to change the database information inside that file. I recommend using (and learning) vim:

vim wp-config.php

If you just want a simple editor then nano will do the job nicely:

nano wp-config.php

Now we need to find the following lines in the file; they are near the beginning:

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wordpress');

/** MySQL database password */
define('DB_PASSWORD', 'password');

Replace the quoted values with your own database name, user and password. Next we will move the whole directory to /var/www, the directory Apache serves from.

sudo mv ../wordpress /var/www/

After that, we need to change the ownership of the www directory so that WordPress can update itself and install plugins and themes:

sudo chown www-data:www-data -R /var/www

This changes the ownership of every directory and file inside /var/www to the www-data user and group, which Apache runs as.
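The database-user and wp-config steps above, as an added example that is not part of the original tutorial. It generates a random database password instead of the placeholder 'password', prints the same CREATE/GRANT statements with the account scoped to the one database, and fills the three DB defines into wp-config.php. The placeholder values in the constructed sample file are an assumption about wp-config-sample.php; the sed patterns replace whatever value is there.

```shell
#!/bin/sh
# Generate a 32-character hex password; avoids the placeholder 'password'
# and contains no quote or slash, so it is safe in SQL and in sed below.
gen_db_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the SQL for a database plus a user whose grant is limited to
# that one database (the same statements as the tutorial, with the
# account written as 'user'@'localhost'). Args: db user password.
wordpress_db_sql() {
    printf "CREATE DATABASE %s;\n" "$1"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$3"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost';\n" "$1" "$2"
    printf "FLUSH PRIVILEGES;\n"
}

# Produce wp-config.php from wp-config-sample.php, replacing whatever
# value each of the three DB defines currently holds.
# Args: sample-path output-path db user password.
write_wp_config() {
    sed -e "s/define('DB_NAME', '[^']*');/define('DB_NAME', '$3');/" \
        -e "s/define('DB_USER', '[^']*');/define('DB_USER', '$4');/" \
        -e "s/define('DB_PASSWORD', '[^']*');/define('DB_PASSWORD', '$5');/" \
        "$1" > "$2"
}

# Constructed stand-in for the top of wp-config-sample.php (assumed
# placeholder values; the real file has more settings after these).
make_sample_config() {
    printf "%s\n" "<?php" \
        "define('DB_NAME', 'database_name_here');" \
        "define('DB_USER', 'username_here');" \
        "define('DB_PASSWORD', 'password_here');" > "$1"
}

DB_PASS=$(gen_db_password)
SAMPLE=$(mktemp) && OUT=$(mktemp)
make_sample_config "$SAMPLE"
write_wp_config "$SAMPLE" "$OUT" wordpress wordpress "$DB_PASS"
# Pipe this into "mysql -u root -p" on the server to apply it.
wordpress_db_sql wordpress wordpress "$DB_PASS"
```

On the real server, call write_wp_config with wp-config-sample.php and wp-config.php as the first two arguments, so the generated password lands in both the database and the config file.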

Start WordPress

Now if you open your favourite browser and type in your server's public IP, you will see your own WordPress.

WordPress on AWS EC2 Ubuntu 14.04 Tutorial Part 1

Just helped someone to set up another WordPress blog on the AWS EC2 server, running Ubuntu 14.04.

Since I have done this a few times already, I thought I should write a simple tutorial to record the instructions. This may save myself (and you) some time whenever we need to do it again.

Register AWS Account

Before we do anything, we need to deploy an EC2 server on AWS. To do so, we need to register an account on AWS. There is a 12-month free tier available after registration, but you still need a credit card to register. You will also need a phone number and a phone, because a robot will call you (not kidding).

Deploying The EC2 Server

After you got your account, sign in, and go to the AWS Management Console. Once you are in the console, you can switch your region on the top right corner. This time, I used Singapore, because my friend wanted a faster access in the Asia region.

With the region set up, we can now go to the EC2 section and create an EC2 instance.


We can go ahead and click EC2, which takes us to the EC2 Dashboard.

Since we are deploying for the first time, we need to create a security group. All instances deployed in the same security group share the same firewall rules. So we click on the security group button on the left panel.
Now at the top of right panel, we can go and “Create Security Group”, and we want the security setting to look like this:

HTTP (port 80) is for accessing your WordPress website. SSH (port 22) is for remote ssh so you can set up your server later. If you want more security, set the Source of the SSH rule to your own IP address; this limits access to people on your network. Once you are done, click save. Then we can move on to creating key pairs.

You don't need to do much for the key pair. Navigate to "Key Pairs" on the left panel, just below security groups. Once there, create a key pair and give it a name. A download will start; make sure you save that file, because it is your key to the server later. Keep it safe on your computer and don't lose it.

Now we have a security group and a key, we can deploy our server. Go back to the dashboard and click “launch instance”. We will be using the Ubuntu Server 14.04, so go ahead and select that:


Now we will be asked for the instance type; we will choose the free tier for now. Select that and click "Next: Configure Instance Detail".

In this section we can stick with the default settings. Click "Next: Add Storage".


The default 8GB General Purpose SSD is more than enough for a simple WordPress blog, so we go to "Next: Instance Tag". Instance tags are useful for managing large numbers of servers, which we can skip for now; click "Next: Configure Security Group". We will use the security group we created before for this server, so choose "Select an existing security group" and then the one we created. Finally, we can "Review and Launch".

This section is a simple review of what we selected. Take a look and click "Launch". You will be asked to select a key; choose "Choose an existing key pair" and select the one we created before. Check the "I acknowledge…" box; it is important to keep the pem file you downloaded. Now we can really launch our instance by clicking "Launch Instances".

After that it will take a while, because AWS is creating your server and installing Ubuntu for you. After a few minutes, you should be able to see your instance in the "Instances" tab.

Take note of your Public IP Address, because you will be using it later.

With your EC2 server deployed, your server key (the pem file) and your IP address, you can go on to part 2 of the tutorial and set up your Ubuntu server and install WordPress.