By: nkro

XML-RPC Attack IP Range Odd (192.0.x.x)

September 24, 2017
WordPress Security Ubuntu 16.04

Howdy-- I've taken some steps, updated some plugins, etc. to help prevent the XML-RPC attack. I know there's more I can do. Really my question is more concerning the IP range that it is coming from. All from the US, and all from the 192.0 subnet, which is even more odd. Is there something this indicates on my end? Have I been hacked?

Thanks!

This is from the Apache access log:

192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D HTTP/1.1" 200 3948 "https://xxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D" "Jetpack by WordPress.com"
192.0.102.39 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D" "Jetpack by WordPress.com"
192.0.101.101 - - [24/Sep/2017:07:47:17 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D HTTP/1.1" 200 3949 "https://xxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D" "Jetpack by WordPress.com"
192.0.99.28 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D HTTP/1.1" 200 3950 "https://xxxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D" "Jetpack by WordPress.com"
192.0.100.17 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D HTTP/1.1" 200 3953 "https://xxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D" "Jetpack by WordPress.com"
192.0.101.162 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D" "Jetpack by WordPress.com"
192.0.101.53 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D HTTP/1.1" 200 3953 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D" "Jetpack by WordPress.com"
192.0.100.197 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D" "Jetpack by WordPress.com"
192.0.102.47 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D HTTP/1.1" 200 4700 "https://xxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D" "Jetpack by WordPress.com"

2 Answers

192.0.99.28 is a perfectly valid IP; it belongs to Automattic, which runs wordpress.com.

Check https://en.wikipedia.org/wiki/Reserved_IP_addresses for actual private IPs.

  • That's what I thought.
    So is this not an attack? It just seems like a high volume all at the same time. As a result the server has been crashing over and over again.

    • Seeing as it's from an Automattic IP, and Automattic created Jetpack, I'm sure it's legit. Ask them.
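The check the answer above points at, written out as an added example (not code from the original thread or from Automattic/Jetpack): parse the Apache "combined" log lines, keep only POSTs to /xmlrpc.php, test each source address against Automattic's announced prefix, and count the burst rate per second so "high volume all at the same time" becomes a number. The prefix 192.0.64.0/18 is an assumption here; confirm it with whois or the Jetpack documentation before using it in an allow-list. The log lines are constructed, modelled on the ones in the question, with the long token/signature parameters shortened.

```python
"""Triage xmlrpc.php POSTs in an Apache access log.

Added example, not from the original thread. Assumes Apache's default
"combined" LogFormat and that Automattic (WordPress.com / Jetpack)
announces 192.0.64.0/18 -- verify that before relying on it.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: Automattic's prefix. Check with `whois 192.0.99.28` / Jetpack docs.
AUTOMATTIC_NETS = [ipaddress.ip_network("192.0.64.0/18")]

# "combined": host ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "second": m.group("time"),        # Apache's default timestamp has 1 s resolution
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "for": qs.get("for", [None])[0],  # Jetpack calls carry ?for=jetpack
    }


def is_automattic(ip):
    """True if ip falls inside the assumed Automattic prefix(es)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTOMATTIC_NETS)


def triage(lines):
    """Summarise POST /xmlrpc.php traffic: requests per IP, peak requests per
    second, and sources that are not (Automattic range AND for=jetpack)."""
    per_ip = Counter()
    per_second = Counter()
    outside = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/xmlrpc.php":
            continue
        per_ip[rec["ip"]] += 1
        per_second[rec["second"]] += 1
        # Heuristic only: a real Jetpack call comes from Automattic space and
        # says for=jetpack. Anyone can send for=jetpack; only the plugin's
        # signature check proves the request is genuine.
        if not (is_automattic(rec["ip"]) and rec["for"] == "jetpack"):
            outside.append(rec["ip"])
    peak = max(per_second.values(), default=0)
    return {"per_ip": per_ip, "peak_per_second": peak, "outside_automattic": outside}


# Constructed sample log, modelled on the lines in the question (params shortened).
SAMPLE_LOG = [
    '192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=abc&timestamp=1506239236 HTTP/1.1" 200 3948 "-" "Jetpack by WordPress.com"',
    '192.0.102.39 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=abc&timestamp=1506239236 HTTP/1.1" 200 3952 "-" "Jetpack by WordPress.com"',
    '192.0.99.28 - - [24/Sep/2017:07:47:17 +0000] "POST /xmlrpc.php?for=jetpack&token=abc&timestamp=1506239237 HTTP/1.1" 200 3950 "-" "Jetpack by WordPress.com"',
    '203.0.113.7 - - [24/Sep/2017:07:47:17 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 370 "-" "Jetpack by WordPress.com"',
    '192.0.100.17 - - [24/Sep/2017:07:47:18 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    # Real use: triage(open("/var/log/apache2/access.log"))
    result = triage(SAMPLE_LOG)
    print("requests per IP:", dict(result["per_ip"]))
    print("peak POST /xmlrpc.php per second:", result["peak_per_second"])
    print("not from Automattic range with for=jetpack:", result["outside_automattic"])
```

On the lines in the question every source is inside 192.0.64.0/18 and every request says for=jetpack, so `outside_automattic` comes back empty; that matches the answer, and the peak-per-second figure is what to hand to Automattic when asking why Jetpack is hammering the site. If the decision is to fence xmlrpc.php off anyway, Apache 2.4 (what Ubuntu 16.04 ships) can do it with `Require ip 192.0.64.0/18` inside a `<Files xmlrpc.php>` block, which stops everyone else but does nothing to reduce the legitimate Jetpack burst itself.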

Most likely it's IP spoofing. Keeping xmlrpc.php is not safe!
