-
A look inside March 15th
March 15th is when I experienced yet another attack, and before I left AnHosting, I grabbed the raw access log file for that day. Thanks to Kim Parsell, I've been able to review the log file in Notepad++ and there is some interesting stuff in it, notably this: "The Incutio XML-RPC PHP Library".
When I search for that bolded set of terms, it appears in the log file 438 times in very close increments, mostly from one IP address but from a variety as well. Here is a sampling of the log file.
Line 2: 174.120.195.194 - - [15/Mar/2010:20:57:31 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 45: 74.53.67.2 - - [15/Mar/2010:20:58:39 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 106: 174.120.195.194 - - [15/Mar/2010:21:01:29 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 107: 174.120.195.194 - - [15/Mar/2010:21:01:34 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 115: 174.120.195.194 - - [15/Mar/2010:21:02:25 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 145: 69.56.174.146 - - [15/Mar/2010:21:04:26 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 146: 69.56.174.146 - - [15/Mar/2010:21:04:39 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 199: 174.120.203.2 - - [15/Mar/2010:21:08:02 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 201: 174.120.203.2 - - [15/Mar/2010:21:08:12 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 205: 174.120.201.66 - - [15/Mar/2010:21:08:22 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 222: 174.120.195.194 - - [15/Mar/2010:21:09:45 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 223: 174.120.203.2 - - [15/Mar/2010:21:09:45 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 233: 174.120.203.2 - - [15/Mar/2010:21:10:52 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 234: 174.120.195.194 - - [15/Mar/2010:21:10:56 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
Line 244: 174.120.195.194 - - [15/Mar/2010:21:12:14 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
It goes on and on like this until early March 16th. This range of IP addresses was definitely hammering the xmlrpc.php file, and this probably explains all the trackbacks I saw in my Akismet queue.
-
I'm not even remotely an expert (or even all that knowledgeable) about this kind of attack, if it was even intentional, which I'm still unsure of. Part of me thinks that something got stuck in a loop (not your fault, but something somewhere that might not have actually been targeted), but WordPress's own XML-RPC file is based on the Incutio one, so that fits with you getting hammered by trackbacks and pingbacks from other WordPress blogs.
Once you feel relatively stable on your new host, you need to install Bad Behavior. It's easy to use, requires basically no setup (just use the default options) and it will actively keep known bad servers from even accessing your site -- and it also will let you blacklist certain sites.
-
This all started when I published the review of Backup Buddy and after searching the log file for that post, it's clear now which IP address is mostly responsible for at least a hundred or so trackbacks that I received during that day. I've removed the http://www from the links to de-activate them.
Line 1721: 174.120.195.194 - - [15/Mar/2010:22:40:10 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.9.1; asenetpro.net"
Line 1789: 174.120.195.194 - - [15/Mar/2010:22:43:55 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; mydogkennelsupplies.com"
Line 1860: 174.120.195.194 - - [15/Mar/2010:22:47:31 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; utahmomz.com"
Line 1999: 174.120.195.194 - - [15/Mar/2010:22:51:30 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; studentprivateloansonline.com"
Line 2076: 174.120.195.194 - - [15/Mar/2010:22:55:24 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.9.1; asenetpro.net"
Line 2237: 174.120.195.194 - - [15/Mar/2010:23:02:55 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; utahmomz.com"
Line 2263: 174.120.195.194 - - [15/Mar/2010:23:04:47 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; mydogkennelsupplies.com"
Line 2359: 174.120.195.194 - - [15/Mar/2010:23:10:08 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; studentprivateloansonline.com"
Line 2369: 174.120.195.194 - - [15/Mar/2010:23:11:03 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.9.1; asenetpro.net"
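As an added triage example (not code from this thread, from WordPress or from the Incutio library), here is a Python script that parses combined-format lines like the ones quoted above, counts POSTs to xmlrpc.php per client IP, flags IPs that burst within a short window, and lists the domains claimed in the "WordPress/x.y; domain" trackback user agents. The sample lines are a constructed subset modelled on the excerpts, and the window and threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined log format, as quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample modelled on the thread's excerpts (not the real log file).
SAMPLE = """\
174.120.195.194 - - [15/Mar/2010:20:57:31 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
74.53.67.2 - - [15/Mar/2010:20:58:39 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
174.120.195.194 - - [15/Mar/2010:21:01:29 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
174.120.195.194 - - [15/Mar/2010:21:01:34 -0500] "POST /xmlrpc.php HTTP/1.0" 500 812 "-" "The Incutio XML-RPC PHP Library"
10.0.0.5 - - [15/Mar/2010:21:02:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
174.120.195.194 - - [15/Mar/2010:22:40:10 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.9.1; asenetpro.net"
174.120.195.194 - - [15/Mar/2010:22:47:31 -0500] "GET /backup-buddy-is-a-home-run HTTP/1.0" 500 812 "-" "WordPress/2.8.6; utahmomz.com"
"""

def parse(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def xmlrpc_posts(lines, path="/xmlrpc.php"):
    """Timestamps of POSTs to the given path, grouped by client IP."""
    times = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"] == path:
            times[rec["ip"]].append(rec["ts"])
    return times

def xmlrpc_hits(lines):
    """Per-IP count of xmlrpc.php POSTs, the number the thread reached by searching the UA."""
    return Counter({ip: len(ts) for ip, ts in xmlrpc_posts(lines).items()})

def burst_ips(lines, window_s=60, threshold=3):
    """IPs that send at least `threshold` xmlrpc.php POSTs within any `window_s` seconds (assumed limits)."""
    flagged = set()
    for ip, ts in xmlrpc_posts(lines).items():
        ts = sorted(ts)
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s:
                flagged.add(ip)
                break
    return flagged

def trackback_sources(lines):
    """Map each IP to the domains its 'WordPress/x.y; domain' user agents claim to come from."""
    sources = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["ua"].startswith("WordPress/") and ";" in rec["ua"]:
            sources[rec["ip"]].add(rec["ua"].split(";", 1)[1].strip())
    return sources
```

Run it over the full day's file (one line per call to `parse`) to see which IPs produce the bulk of the 438 hits and whether the trackback domains cluster on a single sender.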
-
Yeah, block the IP range for starts. Also, find out what host that is and report it. Slows them down a little (if they are on a host that actually cares).
-
What makes me angry is that AnHosting's super duper automated firewall failed to pick up on all the GET requests from at least that specific IP address and allowed the attack to happen. Then they tell me there is nothing they can do about such attacks. Makes me wonder just what the hell I would need to do in order to trigger the firewall.
-
@andrea_r: That IP and the domain name both point to a HostGator server, so Jeff would be reporting them to his new host.
The trackbacks are from 2 different WordPress installs. Domain names are registered to Richard Ryan from Brush Prairie, WA.
I checked one site. It's called House of Tools, Bandsaw Tools To Black And Decker Tools. Doesn't sound like a WordPress-oriented site does it?
Last edited by Kim; 03-18-2010 at 11:24 AM.
-
What @Kim said ...
The forum is not responding all that well to my clicks :(
Last edited by Cais; 03-18-2010 at 11:23 AM.
Reason: typos
-
I believe there is a severe routing issue to WPTavern.com, which is hosted on a box located within ThePlanet data center. A few visual trace routes show some severe hops located within the data center itself. I've had a few other people test this and they also report ThePlanet as being a bad hop.
This would explain why some page loads are fine while others encounter significant loading times.
-
This issue has driven me bonkers. Just when everything else works, I get this piece of crap problem. Really not in the mood to move to yet another web host.
-
Have you installed Bad Behavior yet? :p