Are URLs included in DDoS xmlrpc attacks passive, compromised participants or active participants?


My (Linux/Apache) server has been under attack for a few weeks now - via xmlrpc.php and wp-login.php - both WordPress script files.

I took the liberty of adding some code to email me the POST data, etc.

What I am seeing for the xmlrpc attacks is POST XML that identifies some pingback urls that look suspicious.

For example:

<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param> <value><string>http://absolutehacks.com/forum</string></value></param><param><value><string>http://www.__my_domain__.com/__a blog url on my site__/</string></value></param></params></methodCall>

and

<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string> http://sinfulexp.net/forum</string></value></param><param><value><string>http://www.__my_domain__.com/__a blog url on my site__/</string></value></param></params></methodCall>

I may be wrong, but just by their names - absolutehacks.com, sinfulexp.net - I believe that they are not simply passive, compromised participants in these attacks.

Any comments leading to enlightenment will be appreciated.

Colin G
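
For anyone capturing these requests the same way, the logged bodies can be reduced to a count of source hosts per target site. This is an added example, not part of the original question: `parse_pingback`, `summarise` and every host in the sample are constructed for illustration, and it relies on the Pingback convention that the first parameter is the source URL and the second is the target URL.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit
_DECL = re.compile(r"^\s*<\?xml.*?\?>", re.S)

def _call(source, target, method="pingback.ping"):
    return ('<?xmlversion="1.0"?><methodCall><methodName>%s</methodName><params>'
            '<param> <value><string>%s</string></value></param>'
            '<param><value><string>%s</string></value></param>'
            '</params></methodCall>' % (method, source, target))

# Constructed sample log in the shape quoted in the post; hosts are placeholders.
SAMPLE_BODIES = [
    _call("http://source-a.example/forum", "http://www.blog.example/post-1/"),
    _call(" http://source-a.example/forum", "http://www.blog.example/post-2/"),
    _call("http://source-b.example/forum", "http://www.blog.example/post-1/"),
    _call("http://source-c.example/", "http://other.example/", method="demo.other"),
    '<!DOCTYPE x [<!ENTITY a "b">]><methodCall/>',
]

def parse_pingback(body):
    """Return (source_url, target_url) for a pingback.ping call, else None."""
    if re.search(r"<!(DOCTYPE|ENTITY)", body, re.I):
        return None  # refuse DTDs so logged attacker XML cannot expand entities
    body = _DECL.sub("", body, count=1)  # tolerate the '<?xmlversion' header seen in the post
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or (root.findtext("methodName") or "").strip() != "pingback.ping":
        return None
    values = [(v.findtext("string") or v.text or "").strip() for v in root.findall("./params/param/value")]
    return tuple(values) if len(values) == 2 else None

def _host(url):
    try:
        return urlsplit(url).hostname or "(none)"
    except ValueError:
        return "(unparsable)"

def summarise(bodies, own_host):
    """Count source hosts of pingbacks aimed at own_host; return (Counter, skipped)."""
    sources = Counter()
    for body in bodies:
        parsed = parse_pingback(body)
        if parsed and _host(parsed[1]) == own_host:
            sources[_host(parsed[0])] += 1
    return sources, len(bodies) - sum(sources.values())
```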
