My (Linux/Apache) server has been under attack for a few weeks now – via xmlrpc.php and wp-login.php – both WordPress script files.
I took the liberty of adding some code to email me the POST data, etc.
What I am seeing for the xmlrpc attacks is POST XML that identifies some pingback URLs that look suspicious.
For example:
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param> <value><string>http://absolutehacks.com/forum</string></value></param><param><value><string>http://www.__my_domain__.com/__a blog url on my site__/</string></value></param></params></methodCall>
and
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string> http://sinfulexp.net/forum</string></value></param><param><value><string>http://www.__my_domain__.com/__a blog url on my site__/</string></value></param></params></methodCall>
I may be wrong, but just by their names – absolutehacks.com, sinfulexp.net – I believe that they are not simply passive, compromised participants in these attacks.
Any comments leading to enlightenment will be appreciated.
Colin G
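
Added example, not part of the post above: in a pingback.ping call the first string is the source URL, which the receiving site fetches to verify the link, and the second is the target URL on that site. This Python sketch parses captured POST bodies and groups the claimed source hosts by the client IPs that sent them. MY_HOSTS, the hostnames and the IPs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MY_HOSTS = {"www.example.com", "example.com"}  # assumption: this site's hostnames

def parse_pingback(body):
    """Return (source_url, target_url) for a pingback.ping call, else None."""
    # ElementTree does not limit entity expansion, so refuse DTDs outright.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", body, re.I):
        raise ValueError("DTD or entity declaration in XML-RPC body")
    # Drop the XML declaration so a malformed one does not abort parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", body))
    method = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or method != "pingback.ping":
        return None
    # XML-RPC allows <value><string>x</string></value> or a bare <value>x</value>.
    values = [(v.findtext("string") or v.text or "").strip()
              for v in root.findall("./params/param/value")]
    return tuple(values) if len(values) == 2 else None

def triage(requests):
    """Map each claimed source host to the set of client IPs that sent it."""
    by_source = {}
    for ip, body in requests:
        try:
            call = parse_pingback(body)
        except (ValueError, ET.ParseError):
            by_source.setdefault("<unparseable>", set()).add(ip)
            continue
        if call is None or urlsplit(call[1]).hostname not in MY_HOSTS:
            continue  # not a pingback aimed at a URL on this site
        by_source.setdefault(urlsplit(call[0]).hostname, set()).add(ip)
    return by_source

def _body(source, target, decl='<?xml version="1.0"?>'):
    return (decl + "<methodCall><methodName>pingback.ping</methodName><params>"
            "<param><value><string>" + source + "</string></value></param>"
            "<param><value><string>" + target + "</string></value></param>"
            "</params></methodCall>")

# Constructed sample requests (client IP, POST body); not data from the post.
SAMPLE = [
    ("203.0.113.5", _body(" http://forum.example.net/forum", "http://www.example.com/a-post/")),
    ("198.51.100.7", _body("http://forum.example.net/forum", "http://www.example.com/a-post/",
                           decl='<?xmlversion="1.0"?>')),
    ("198.51.100.9", '<!DOCTYPE x [<!ENTITY a "b">]><methodCall/>'),
]

if __name__ == "__main__":
    for host, ips in triage(SAMPLE).items():
        print(host, sorted(ips))
```

One source host arriving from many unrelated client IPs suggests the senders share a tool or target list rather than being independent linkers.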