XMLRPC - DOS - on site (logs included)

Why would they be doing this? - I should have blocked initially. CPU hit, causing site degradation. What makes it more interesting is that it’s an Android phone?

Log x 100’s - 10-12 POSTS per/min - for 30+ minutes

logName: "projects/xxxxxxxxx/logs/apache-access"
receiveTimestamp: "2020-02-10T15:08:42.378966487Z"
resource: {
  labels: {…}
  type: "gce_instance"
}
textPayload: "162.158.107.120 - - [10/Feb/2020:15:08:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 3772 "-" "Mozilla/5.0 (Linux; Android 9; SM-N950F Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.87 Mobile Safari/537.36 wp-android/14.0""
timestamp: "2020-02-10T15:08:37.227472604Z"

Source: whois.arin.net
IP Address: 162.158.107.120
Name: CLOUDFLARENET
Handle: NET-162-158-0-0-1
Registration Date: 5/23/13
Range: 162.158.0.0-162.159.255.255

Org: Cloudflare, Inc.
Org Handle: CLOUD14
Address: 101 Townsend Street
City: San Francisco
State/Province: CA
Postal Code: 94107
Country: United States

Who? Cloudflare? That's not them. You most likely are not rewriting IP addresses, hence the proxy addresses show up in your log.
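An added example, not part of the thread: a small triage script that counts `POST /xmlrpc.php` requests per minute per logged address in Apache combined-format lines and marks whether that address falls inside the range from the whois output above. The function names, the threshold and the sample log lines are constructed for illustration, and only the one range shown in the thread is checked.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Range from the whois output in this thread (162.158.0.0-162.159.255.255).
# Assumption: only this range is checked; it is not a full proxy list.
PROXY_NET = ipaddress.ip_network("162.158.0.0/15")

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def in_proxy_range(ip):
    """True if the logged address is inside PROXY_NET; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip) in PROXY_NET
    except ValueError:
        return False

def xmlrpc_rate(lines, threshold=10):
    """Return [(minute, ip, count, is_proxy)] for minutes with >= threshold xmlrpc POSTs."""
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        buckets[(ts.strftime("%Y-%m-%d %H:%M"), m["ip"])] += 1
    return [(minute, ip, n, in_proxy_range(ip))
            for (minute, ip), n in sorted(buckets.items()) if n >= threshold]

def sample_lines():
    """Constructed sample: 12 POSTs in one minute via the proxy range, 3 from another address."""
    agent = "Mozilla/5.0 (Linux; Android 9) wp-android/14.0"
    fmt = '{ip} - - [10/Feb/2020:15:08:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 3772 "-" "{a}"'
    lines = [fmt.format(ip="162.158.107.120", s=s * 5, a=agent) for s in range(12)]
    lines += [fmt.format(ip="203.0.113.7", s=s, a=agent) for s in range(3)]
    lines.append('203.0.113.7 - - [10/Feb/2020:15:08:40 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"')
    return lines

if __name__ == "__main__":
    for minute, ip, count, is_proxy in xmlrpc_rate(sample_lines()):
        note = "proxy address, not the visitor" if is_proxy else "direct client address"
        print(f"{minute} {ip} {count} xmlrpc POSTs/min ({note})")
```

When the last field is true, the logged address belongs to the proxy range, so an origin-side block on it would act on the proxy rather than on the client that sent the requests.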
