Question

XML-RPC Attack IP Range Odd (192.0.x.x)

Howdy-- I’ve taken some steps, updated some plugins, etc. to help prevent the XML-RPC attack. I know there’s more I can do. Really my question is more concerning the IP Range that it is coming from. All from the US, and all from the 192.0 subnet which is even more odd. Is there something this indicates on my end? Have I been hacked?

Thanks!

This is from the Apache access log:

192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D HTTP/1.1” 200 3948 “https://xxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D” “Jetpack by WordPress.com”
192.0.102.39 - - [24/Sep/2017:07:47:16 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D HTTP/1.1” 200 3952 “https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D” “Jetpack by WordPress.com”
192.0.101.101 - - [24/Sep/2017:07:47:17 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D HTTP/1.1” 200 3949 “https://xxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D” “Jetpack by WordPress.com”
192.0.99.28 - - [24/Sep/2017:07:47:18 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D HTTP/1.1” 200 3950 “https://xxxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D” “Jetpack by WordPress.com”
192.0.100.17 - - [24/Sep/2017:07:47:18 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D HTTP/1.1” 200 3953 “https://xxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D” “Jetpack by WordPress.com”
192.0.101.162 - - [24/Sep/2017:07:47:18 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D HTTP/1.1” 200 3952 “https://xxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D” “Jetpack by WordPress.com”
192.0.101.53 - - [24/Sep/2017:07:47:19 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D HTTP/1.1” 200 3953 “https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D” “Jetpack by WordPress.com”
192.0.100.197 - - [24/Sep/2017:07:47:19 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D HTTP/1.1” 200 3952 “https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D” “Jetpack by WordPress.com”
192.0.102.47 - - [24/Sep/2017:07:47:19 +0000] “POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D HTTP/1.1” 200 4700 “https://xxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D” “Jetpack by WordPress.com



192.0.99.28 is a perfectly valid IP, it belongs to Automattic, which runs wordpress.com.

Check https://en.wikipedia.org/wiki/Reserved_IP_addresses for actual private IPs.

Most likely it’s IP spoofing. Keeping xmlrpc.php is not safe!
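
The check suggested in the answer that attributes 192.0.99.28 to Automattic, as an added example that is not part of the original thread: it reads Apache combined-format lines like those in the question, tests each source address against Python's reserved/private classification, and labels requests whose "Jetpack" User-Agent comes from outside 192.0.64.0/18. Treating 192.0.64.0/18 as Automattic's block is an assumption to confirm with whois; the sample lines, placeholder token and label names are constructed.

```python
import ipaddress
import re

# Assumption: 192.0.64.0/18 is the block Automattic publishes for Jetpack
# traffic; confirm with whois before allow-listing it.
ASSUMED_AUTOMATTIC_NET = ipaddress.ip_network("192.0.64.0/18")

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines; the token is a placeholder, not a real value.
SAMPLE_LOG = """\
192.0.99.28 - - [24/Sep/2017:07:47:18 +0000] “POST /xmlrpc.php?for=jetpack&token=PLACEHOLDER HTTP/1.1” 200 3950 “-” “Jetpack by WordPress.com”
203.0.113.7 - - [24/Sep/2017:07:47:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Jetpack by WordPress.com"
192.168.1.10 - - [24/Sep/2017:07:47:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Sep/2017:07:47:22 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify(ip_text, agent):
    """Label one xmlrpc.php request by source address and claimed client."""
    ip = ipaddress.ip_address(ip_text)
    claims_jetpack = agent.startswith("Jetpack")
    if claims_jetpack and ip in ASSUMED_AUTOMATTIC_NET:
        return "automattic-jetpack"
    if claims_jetpack:
        return "jetpack-ua-unverified-source"  # the header alone proves nothing
    if not ip.is_global:
        return "reserved-or-private"  # e.g. 192.168.0.0/16, not 192.0.99.x
    return "other"

def triage(log_text):
    """Return (ip, label) for every POST to xmlrpc.php in the log text."""
    results = []
    for raw in log_text.splitlines():
        # The excerpt on this page has typographic quotes; restore ASCII ones.
        line = raw.replace("\u201c", '"').replace("\u201d", '"')
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["target"].split("?", 1)[0] == "/xmlrpc.php":
            results.append((m["ip"], classify(m["ip"], m["agent"])))
    return results

if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG):
        print(f"{ip:15} {label}")
```

A source address inside the expected block is supporting evidence only; Jetpack requests also carry the signature parameters visible in the question's log, which the plugin verifies on the server side.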