Howdy. I’ve taken some steps, updated some plugins, etc. to help prevent the XML-RPC attack. I know there’s more I can do. Really my question is more concerning the IP range that it is coming from. All from the US, and all from the 192.0 subnet, which is even more odd. Is there something this indicates on my end? Have I been hacked?

Thanks!

This is from the Apache access log:

192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D HTTP/1.1" 200 3948 "https://xxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D" "Jetpack by WordPress.com"
192.0.102.39 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D" "Jetpack by WordPress.com"
192.0.101.101 - - [24/Sep/2017:07:47:17 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D HTTP/1.1" 200 3949 "https://xxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D" "Jetpack by WordPress.com"
192.0.99.28 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D HTTP/1.1" 200 3950 "https://xxxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D" "Jetpack by WordPress.com"
192.0.100.17 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D HTTP/1.1" 200 3953 "https://xxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D" "Jetpack by WordPress.com"
192.0.101.162 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D" "Jetpack by WordPress.com"
192.0.101.53 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D HTTP/1.1" 200 3953 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D" "Jetpack by WordPress.com"
192.0.100.197 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D" "Jetpack by WordPress.com"
192.0.102.47 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D HTTP/1.1" 200 4700 "https://xxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D" "Jetpack by WordPress.com"


2 answers

192.0.99.28 is a perfectly valid IP; it belongs to Automattic, which runs wordpress.com.

Check https://en.wikipedia.org/wiki/Reserved_IP_addresses for actual private IPs.

Most likely it’s IP spoofing. Keeping xmlrpc.php is not safe!
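The two answers above disagree on what the 192.0.x.x source addresses mean, and the question is really "are these Jetpack calls expected or not?" The script below is an added example (not code from the original post or from Jetpack) that answers that from the access log itself: it parses Apache combined-format lines, picks out the `for=jetpack` calls to `/xmlrpc.php`, and flags anything that does not look like a genuine Jetpack sync: a source address outside the allow-listed range, a user agent other than `Jetpack by WordPress.com`, or a signed `timestamp` parameter that disagrees with the log time by more than a few minutes. The allow-list CIDR `192.0.64.0/18` is an assumption (Automattic's publicly listed allocation, which contains 192.0.99.28; confirm it against Jetpack's current documentation before trusting it), the constant names are mine, and the sample log lines are constructed: the first is the poster's own first line with the host still redacted, the others were made up to exercise the failure paths. One practitioner's caveat on the spoofing theory: a logged `200` to a `POST` means the TCP handshake and the request body both arrived, so the source address was reachable by the server; the check therefore treats the address as real and asks only whether it is one Jetpack is expected to use.

```python
"""Triage Jetpack xmlrpc.php calls in an Apache combined log (added example)."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: Automattic / WordPress.com address space that Jetpack calls from.
# Verify against Jetpack's own documentation before relying on it.
JETPACK_NETS = [ipaddress.ip_network("192.0.64.0/18")]
JETPACK_UA = "Jetpack by WordPress.com"
MAX_SKEW_SECONDS = 300  # tolerance between log time and the signed timestamp

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input. Line 1 is copied from the question (host redacted
# there already); lines 2 and 3 are invented, using RFC 5737 documentation
# addresses, to show what a non-Jetpack source looks like.
SAMPLE_LOG = [
    '192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack'
    '&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236'
    '&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D'
    '&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D HTTP/1.1" 200 3948 '
    '"https://xxxxxxx.com/xmlrpc.php?for=jetpack" "Jetpack by WordPress.com"',
    '203.0.113.7 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack'
    '&token=abc%3A1%3A1&timestamp=1506200000&nonce=zzzz HTTP/1.1" 200 3948 '
    '"-" "Jetpack by WordPress.com"',
    '198.51.100.9 - - [24/Sep/2017:07:47:20 +0000] "POST /xmlrpc.php HTTP/1.1" '
    '200 370 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of the combined-log fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def triage(line):
    """Classify one log line as 'expected', 'review', 'ignore' or 'unparsed'."""
    rec = parse_line(line)
    if rec is None:
        return {"verdict": "unparsed", "findings": []}
    if rec["path"] != "/xmlrpc.php":
        return {"ip": rec["ip"], "verdict": "ignore", "findings": []}

    findings = []
    ip = ipaddress.ip_address(rec["ip"])
    if rec["query"].get("for") != "jetpack":
        findings.append("xmlrpc.php call that is not a Jetpack call")
    else:
        if not any(ip in net for net in JETPACK_NETS):
            findings.append("jetpack call from outside the allow-listed ranges")
        if rec["ua"] != JETPACK_UA:
            findings.append("unexpected user agent for a jetpack call")
        if rec["method"] != "POST":
            findings.append("jetpack call that is not a POST")
        signed_ts = rec["query"].get("timestamp", "")
        if not signed_ts.isdigit():
            findings.append("missing or malformed signed timestamp")
        else:
            skew = abs(rec["when"].timestamp() - int(signed_ts))
            if skew > MAX_SKEW_SECONDS:
                findings.append(f"signed timestamp differs from log time by {int(skew)}s")
    verdict = "expected" if not findings else "review"
    return {"ip": rec["ip"], "verdict": verdict, "findings": findings}


def triage_log(lines):
    """Triage every line; returns (results, count of lines needing review)."""
    results = [triage(l) for l in lines]
    return results, sum(1 for r in results if r["verdict"] == "review")


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG)[0]:
        print(r)
```

Run it against the real log with `triage_log(open("access.log").read().splitlines())`; only the lines with a `review` verdict need a human. For the poster's lines, all nine sources fall inside `192.0.64.0/18` and the signed `timestamp` matches the log time to the second, which is the pattern of a legitimate Jetpack sync rather than of an attacker.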
