• Resolved idonteatmeat

    (@idonteatmeat)


    Hi there,

    I am receiving daily updates from the server of one of my clients that notify me of every change made to their server's filesystem as well as the script which was executed to make that change. It’s called siteguard.

    They are running 4 WordPress Installations off that one webspace/root directory (don’t ask me about that…). Each of course with different urls pointed at their respective folder. Since finding out about NinjaFirewall I installed NF on all of their WordPress sites to pitch the Pro version to them.

    First everything was fine. I received updates via fileguard notifying me that php created and modified wp-content/nfwlog/firewall_2018-07.php for instance for each of their sites. That looks something like this:

    July 17 01:43:14
    executing script: /usr/bin/php56
    file:     path/to/virutal/host/site1/wp-content/nfwlog/firewall_2018-07.php
    case:              open

    Then, since a few days ago, for two of their sites it changed to:

    Juli 17 00:47:44
    executing script: path/to/virutal/host/site1/xmlrpc.php 
    file:     path/to/virutal/host/site1/wp-content/nfwlog/firewall_
    case:              create
    Juli 17 00:47:44
    executing script: path/to/virutal/host/site1/xmlrpc.php 
    file:     path/to/virutal/host/site1/wp-content/nfwlog/firewall_
    case:              open

    I don’t know why xmlrpc.php now creates/opens those files. Or is that happening when I open them in the WordPress backend? Or are those hints that they are modified from somewhere outside? I couldn’t find any trace of use of xmlrpc in the NF source code, but I am no PHP expert by any means and could have overlooked something.

    Furthermore, xmlrpc should be disabled by NF. At least that’s how I configured it.

    Thanks for help or clarification.

    Btw, really a nice piece of software!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    NinjaFirewall has several policies/rules related to xmlrpc, for instance:
    - Block any access to the file.
    - Block non-POST requests.
    - Brute-force attack protection.
    - etc.

    If any of them is enabled and you access the xmlrpc.php script, the firewall will block the request and write the incident to its log (firewall_2018-07.php).
    Unless I’m mistaken, this is what I see in your message. Did you check the firewall log? You should see those incidents.

    Thread Starter idonteatmeat

    (@idonteatmeat)

    Hi there!

    Thank you for writing in. Sadly, there is no correlation to be found between xmlrpc events in NF and those entries associated with xmlrpc in these siteguard log files.

    For me it reads like: firewall_2018-07.php was created BY the script ‘xmlrpc.php’.

    There is also logging about wp-cron going on, for instance when UpdraftPlus fires. It’s always => hey, that file did this to them.

    For settings, I left your software mostly on default, just restricted access to xmlrpc and REST API as well as activated File Check, File Guard and Login Protection.

    File guard does not notice these changes. Ninja Scanner sadly never finishes.

    Plugin Author nintechnet

    (@nintechnet)

    When xmlrpc.php, or any other PHP script, is called, it loads the firewall which can write to the firewall log (“firewall_2018-07.php”). The log can also be created at that time, for instance if the “Auto-delete log” option is enabled, or after the monthly log rotation etc. I don’t see anything wrong with that.
    The “/wp-content/nfwlog/” folder is used by NinjaFirewall for its logs and cached files too. There’s a lot of file I/O in that folder.

    “File guard does not notice these changes.”

    That’s normal: it does not detect changes, it detects when someone accessed a file that was modified or created recently. None of the files from the “/wp-content/nfwlog/” can be accessed, they are protected by the firewall.

    “Ninja Scanner sadly never finishes.”

    Did you try its new “Attempt to force-restart the scan using an alternate method.” option?
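    A small triage script for the notice format quoted in the question, written as an added example (not from the thread or from NinjaFirewall): it parses the four-line records, treats writes under wp-content/nfwlog/ as the expected firewall I/O described in this reply, and flags .php files created or modified elsewhere by a web-facing script. The folder allow-list, the review heuristic and the sample records are assumptions.

```python
# Added example (not from the thread or NinjaFirewall): triage the 4-line
# siteguard notices. Folder list, heuristic and sample records are assumptions.
import re
from collections import Counter

# The plugin author says wp-content/nfwlog/ is NinjaFirewall's own log/cache
# folder, so writes there by any PHP script loading the firewall are expected.
EXPECTED_WRITE_DIRS = ("wp-content/nfwlog/",)
FIELD_RE = re.compile(r"^(executing script|file|case):\s*(.*?)\s*$")

def parse_records(text):
    """Group lines into dicts; a non key:value line starts a record (timestamp)."""
    records, current = [], {"time": None}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FIELD_RE.match(line)
        if m is None:
            current = {"time": line}
            continue
        key = "script" if m.group(1) == "executing script" else m.group(1)
        current[key] = m.group(2)
        if key == "case":            # 'case' is the last field of a record
            records.append(current)
    return records

def classify(rec):
    """'expected' for firewall I/O, 'review' for a .php created/modified elsewhere."""
    if any(d in rec["file"] for d in EXPECTED_WRITE_DIRS):
        return "expected"
    if rec["case"] in ("create", "modify") and rec["file"].endswith(".php"):
        return "review"
    return "info"

def triage(text):
    """Return (Counter of (script basename, case), records needing review)."""
    records = parse_records(text)
    counts = Counter((r["script"].rsplit("/", 1)[-1], r["case"]) for r in records)
    return counts, [r for r in records if classify(r) == "review"]

# Constructed sample: one xmlrpc.php notice from the question plus one
# hypothetical write outside nfwlog that the heuristic should flag.
SAMPLE = """July 17 00:47:44
executing script: path/to/virtual/host/site1/xmlrpc.php
file:     path/to/virtual/host/site1/wp-content/nfwlog/firewall_2018-07.php
case:              create
July 17 00:52:10
executing script: path/to/virtual/host/site1/xmlrpc.php
file:     path/to/virtual/host/site1/wp-content/uploads/2018/07/image.php
case:              create
"""
```

Run `triage(open("notices.txt").read())` over the daily notice text; the counter shows which script performs which operations, and the review list is what is left after the firewall's own I/O is set aside.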

    Thread Starter idonteatmeat

    (@idonteatmeat)

    Ok, I see. Thank you. Regarding NinjaScanner, yeah, I tried that option, but it also never terminates. When I use it without incremental scanning, then it just terminates without giving any report. I cannot get NinjaScanner to work on most of my customers’ sites. That is really sad. I find it so awesome on those sites where it does work.

    Plugin Author nintechnet

    (@nintechnet)

    Some hosts have very tough restrictions in place, that’s not too good unfortunately.
    Did you try other antivirus plugins from the repo to see if they fail too?

    Thread Starter idonteatmeat

    (@idonteatmeat)

    I’ll mark this as resolved. The other question is off topic. I will open another thread. Thank you for your kind help.

  • The topic ‘Strange use of XMLRPC in logs to create files. Have I been pwned?’ is closed to new replies.