With the Christmas break and holidays upon us I usually get a few days to tend to the digital upkeep of my little fiefdom. The plan this year was to add HTTPS/SSL capability to my blog with a wildcard SSL certificate from RapidSSL. While I was installing the certificate I noticed a large number of odd POST requests in the logs:
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
I was naturally curious and started digging through my logs; I found 427,358 requests from that IP network over the past two weeks. Using whois I was able to identify the network and hosting provider the requests were originating from.
[root@moon logs]# whois 89.248.172.6
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '89.248.172.0 - 89.248.172.57'

% Abuse contact for '89.248.172.0 - 89.248.172.57' is 'abuse@ecatel.net'

inetnum:        89.248.172.0 - 89.248.172.57
netname:        SC-QUASI40
descr:          QUASI
country:        SC
admin-c:        QNL1-RIPE
tech-c:         QNL1-RIPE
status:         ASSIGNED PA
mnt-by:         QUASINETWORKS-MNT
mnt-lower:      QUASINETWORKS-MNT
mnt-routes:     QUASINETWORKS-MNT
created:        2008-06-21T17:49:26Z
last-modified:  2015-11-09T13:20:10Z
source:         RIPE # Filtered

role:           Quasi Networks LTD
address:        Suite 1, Second Floor
address:        Sound & Vision House, Francis Rachel Street
address:        Victoria, Mahe, SEYCHELLES
remarks:        *****************************************************************************
remarks:        IMPORTANT INFORMATION
remarks:        *****************************************************************************
remarks:        We are a high bandwidth network provider offering bandwidth solutions.
remarks:        Government agencies can sent their requests to gov.request@quasinetworks.com
remarks:        Please only use abuse@quasinetworks.com for abuse reports.
remarks:        For all other requests, please see the details on our website.
remarks:        *****************************************************************************
abuse-mailbox:  abuse@quasinetworks.com
nic-hdl:        QNL1-RIPE
mnt-by:         QUASINETWORKS-MNT
created:        2015-11-07T22:43:04Z
last-modified:  2015-11-07T23:04:49Z
source:         RIPE # Filtered

% Information related to '89.248.172.0/23as29073'

route:          89.248.172.0/23
descr:          Quasi Networks LTD (IBC)
origin:         as29073
mnt-by:         QUASINETWORKS-MNT
created:        2007-11-19T14:34:49Z
last-modified:  2015-11-09T13:24:19Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.83.1 (DB-1)
I had never heard of Seychelles before, but Google pointed out that it’s a collection of islands off the east coast of Africa. I would personally think that bandwidth would be expensive there but I’m guessing the miscreants don’t mind paying for it.
It was pretty clear from the logs that this IP address was trying to infiltrate the XML-RPC service (xmlrpc.php) in WordPress while hoping to avoid detection by using the Googlebot agent string. If anything, using the Googlebot agent string actually draws attention to the request.
While not a foolproof solution, I’ve added another IP network into my server firewall tables.
I did a quick scan of the logs and found that 38 distinct IP addresses had tried to log in to my WordPress blog a total of 359 times since midnight. A number of the IP addresses were from proxy and VPN providers, the majority of which were based in the continental United States. There were 104 attempts from 104.193.120.218, which belongs to a service provider in Farmington Hills, MI, and resolves to solutionslick.net, a front for adult porn sites.
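The two log scans described above (POSTs to xmlrpc.php per source IP, and login attempts per day with a distinct-IP count) plus the check that separates a real Googlebot from a spoofed user agent, as an added POSIX shell example; this is not code from the original post. It assumes the combined log format shown in the excerpt, clients logged as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), and `dig` on the box for the DNS check. The sample log lines are constructed for the example: the two attacker addresses are the ones named in the post, 198.51.100.7 is a documentation address. Status 499 in the excerpt is nginx's "client closed request" code, so the log is taken to be nginx's.

```shell
#!/bin/sh
# Added example, not the blog's own code: triage a combined-format access log
# for spoofed-Googlebot xmlrpc.php abuse and wp-login.php brute forcing.

# Constructed sample log lines (not the blog's real log).
SAMPLE_LOG='::ffff:89.248.172.6 - - [26/Dec/2015:18:53:22 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:24 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:89.248.172.6 - - [26/Dec/2015:18:53:25 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
::ffff:104.193.120.218 - - [27/Dec/2015:00:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3874 "-" "Mozilla/5.0"
::ffff:104.193.120.218 - - [27/Dec/2015:00:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3874 "-" "Mozilla/5.0"
::ffff:198.51.100.7 - - [27/Dec/2015:01:40:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3874 "-" "Mozilla/5.0"
::ffff:198.51.100.7 - - [27/Dec/2015:01:40:12 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"'

# Count POST requests to one path per client IP, most active first.
# Field layout of the combined format: $1 ip, $4 "[day:time", $6 "\"METHOD",
# $7 path. The ::ffff: prefix is stripped so the IPs feed straight into
# whois or iptables. Reads the log on stdin.
posts_by_ip() {
    awk -v path="$1" '
        $6 == "\"POST" && $7 == path { sub(/^::ffff:/, "", $1); n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Summarise wp-login.php POSTs for one day (e.g. 27/Dec/2015) as
# "<attempts> attempts from <n> distinct IPs". Reads the log on stdin.
login_summary() {
    awk -v day="$1" '
        $6 == "\"POST" && $7 == "/wp-login.php" && index($4, "[" day ":") == 1 {
            sub(/^::ffff:/, "", $1); total++; seen[$1] = 1 }
        END { n = 0; for (ip in seen) n++
              printf "%d attempts from %d distinct IPs\n", total, n }'
}

# Distinct IPs whose User-Agent claims to be Googlebot. The string proves
# nothing on its own; each of these needs the DNS check below.
googlebot_claims() {
    awk 'index($0, "Googlebot") { sub(/^::ffff:/, "", $1); print $1 }' | sort -u
}

# Google's documented verification: reverse-resolve the IP, require a name
# under googlebot.com or google.com, then forward-resolve that name and
# require the original IP in the answer. The forward step matters: anyone
# who owns an IP can set its PTR to a googlebot.com-looking name, but they
# cannot make Google's zone resolve that name back to their address.
# Needs network access and `dig`; returns 0 only for a verified crawler.
is_real_googlebot() {
    ip=$1
    name=$(dig +short -x "$ip" 2>/dev/null | head -n 1 | sed 's/\.$//')
    case "$name" in
        *.googlebot.com|*.google.com) ;;
        *) return 1 ;;
    esac
    dig +short "$name" 2>/dev/null | grep -qx "$ip"
}

# Run the triage over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | posts_by_ip /xmlrpc.php
printf '%s\n' "$SAMPLE_LOG" | posts_by_ip /wp-login.php
printf '%s\n' "$SAMPLE_LOG" | login_summary 27/Dec/2015
for ip in $(printf '%s\n' "$SAMPLE_LOG" | googlebot_claims); do
    if command -v dig >/dev/null 2>&1 && is_real_googlebot "$ip"; then
        echo "$ip: genuine Googlebot"
    else
        echo "$ip: Googlebot UA not confirmed by DNS (spoofed, or no DNS available)"
    fi
done
```

On a real server, replace the `printf` of the sample with `cat /var/log/nginx/access.log`. The output of `posts_by_ip` is already in the form `whois` wants; the route object in the whois output above covers 89.248.172.0/23, so blocking that whole prefix rather than the single host is `iptables -I INPUT -s 89.248.172.0/23 -j DROP` (an ipset is tidier once the list of networks grows).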
I’d love to spend more time poring over my log files but I just don’t have the time or energy.
Cheers!