Today I noticed an interesting, and hitherto unseen, attack from 220.127.116.11, an address owned by the cloud provider redstation.com (or redstation.co.uk if you prefer). The attack started with this request:
POST /xmlrpc.php HTTP/1.0
Host: www.skepticism.us
Content-Type: application/x-www-form-urlencoded
Content-Length: 101

<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>
Note the ancient HTTP/1.0 protocol specification. The methodCall is also ill-formed, causing PHP to issue notice and warning messages about "Undefined index: VALUE" and "Invalid argument supplied for foreach()".
That request was followed by another POST /xmlrpc.php that attempted to use the system.multicall method, something I had never seen in an attack before now. The "multicall" methods were all wp.getCategories invocations with my user ID and various passwords. In the past six months (as far back as my logs go) I only started seeing attempts to exploit wp.getCategories two days ago. And this attack was the first one to do so by using system.multicall to reduce the number of requests it had to make to test which, if any, of a large number of passwords was valid.
…system.multicall method to execute wp.getCategories multiple times in a single request. That attack was from ttnetdc.com in Turkey. That attack was very different. First, it was not preceded by the demo.sayHello request. Second, the wp.getCategories calls all used the generic admin account rather than my account. Third, the XML was formatted in a more or less human readable form rather than the tightly packed sequence of tokens from the attack I saw this morning and talk about above.
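To make the pattern described above concrete from the defender's side, here is an added example (my own code, not from the attacks or from WordPress) that parses a captured xmlrpc.php POST body, recognises a system.multicall, and counts how many authenticated wp.getCategories sub-calls and distinct passwords it packs into one request. The sample body, the "guessN" passwords and the threshold are constructed for illustration.

```python
"""Detect XML-RPC system.multicall requests used for bulk credential testing."""
import xml.etree.ElementTree as ET
from collections import Counter

# WordPress XML-RPC methods that carry credentials, mapped to the
# (username, password) positions in their parameter list.
AUTH_METHODS = {"wp.getCategories": (1, 2),   # blog_id, username, password
                "wp.getUsersBlogs": (0, 1)}   # username, password


def scalar(value_el):
    """Text of an XML-RPC <value>, whether typed (<string>, <int>) or bare."""
    child = next(iter(value_el), None)
    return (child.text if child is not None else value_el.text) or ""


def analyse_multicall(body: str) -> dict:
    """Summarise a system.multicall body; return {} for any other method call."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return {}
    calls = root.findall("./params/param/value/array/data/value/struct")
    methods, users, passwords = Counter(), Counter(), set()
    for struct in calls:
        members = {m.findtext("name"): m.find("value") for m in struct.findall("member")}
        name = scalar(members["methodName"])
        methods[name] += 1
        if name in AUTH_METHODS:
            ui, pi = AUTH_METHODS[name]
            params = members["params"].findall("./array/data/value")
            if len(params) > pi:
                users[scalar(params[ui])] += 1
                passwords.add(scalar(params[pi]))
    return {"calls": len(calls), "methods": dict(methods),
            "users": dict(users), "distinct_passwords": len(passwords)}


def is_credential_spray(summary: dict, threshold: int = 5) -> bool:
    """Flag a multicall whose authenticated sub-calls try many different passwords."""
    return summary.get("distinct_passwords", 0) >= threshold


def _call(method, *params):
    """Build one multicall struct (constructed test data, tightly packed like the real one)."""
    vals = "".join(f"<value><string>{p}</string></value>" for p in params)
    return (f"<value><struct><member><name>methodName</name><value><string>{method}</string>"
            f"</value></member><member><name>params</name><value><array><data>{vals}"
            f"</data></array></value></member></struct></value>")


# Constructed sample: six wp.getCategories calls against "admin" with six guessed passwords.
SAMPLE_BODY = ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
               '<params><param><value><array><data>'
               + "".join(_call("wp.getCategories", "1", "admin", f"guess{i}") for i in range(6))
               + "</data></array></value></param></params></methodCall>")

if __name__ == "__main__":
    print(analyse_multicall(SAMPLE_BODY), is_credential_spray(analyse_multicall(SAMPLE_BODY)))
```

Run against logged request bodies, a single POST that scores as a spray is a far stronger signal than the per-request failed-login counts most rate limiters look at.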
Thus it appears that a general approach to efficiently testing for valid WordPress credentials was recently documented, and we're now seeing various hackers attempt to follow that advice.