By nkro
Howdy-- I’ve taken some steps, updated some plugins, etc. to help prevent the XML-RPC attack. I know there’s more I can do. Really my question is more concerning the IP Range that it is coming from. All from the US, and all from the 192.0 subnet which is even more odd. Is there something this indicates on my end? Have I been hacked?
Thanks!
This is from the Apache access log:
192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D HTTP/1.1" 200 3948 "https://xxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=prJ39QyYNZ&body-hash=tAMmIbgk9hZf%2BB32y6n62MhaCvc%3D&signature=izVAPyMS6o3nwv%2BHAzlGKv5lOQ0%3D" "Jetpack by WordPress.com"
192.0.102.39 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239236&nonce=ZezTPlmQZn&body-hash=hntkJlfD8VQSSlEJAuk0PtruOWA%3D&signature=nZbtDWoNI7HR0tvgfhk9BCiiF0Y%3D" "Jetpack by WordPress.com"
192.0.101.101 - - [24/Sep/2017:07:47:17 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D HTTP/1.1" 200 3949 "https://xxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=C1Xq4sp289&body-hash=igba%2BoMXu48iiAfQxRZDcW62voA%3D&signature=RfzC84DPvSlKIiIE3L8BaNX1j8I%3D" "Jetpack by WordPress.com"
192.0.99.28 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D HTTP/1.1" 200 3950 "https://xxxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239237&nonce=WxPnqGwr8b&body-hash=iuV6PLHvgfPvDxcYoZFmJ6pNZEM%3D&signature=NXq6%2F1n3wRJkRqj065IJapYRfaw%3D" "Jetpack by WordPress.com"
192.0.100.17 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D HTTP/1.1" 200 3953 "https://xxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=rQUzZUPd3d&body-hash=g1S%2FQ%2FSlynI25ho%2FRnbxhMKzcis%3D&signature=6n4HIb1DbWz6pr6rkQ40yRKAmzE%3D" "Jetpack by WordPress.com"
192.0.101.162 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239238&nonce=1lWp7gFKWg&body-hash=ZFJt2PVkMt4D87tETUINY7DuPXI%3D&signature=IXotHggGZyt7UQUf%2BeSORvGLxcM%3D" "Jetpack by WordPress.com"
192.0.101.53 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D HTTP/1.1" 200 3953 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=Zb2yzR6fhL&body-hash=qYl06LhXEMp1BpvdF6rWs36gdJ0%3D&signature=lxDhf5enEy00r9V4tNzXdBr7V0A%3D" "Jetpack by WordPress.com"
192.0.100.197 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D HTTP/1.1" 200 3952 "https://xxxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=IBAaMZJ6uB&body-hash=ECW3agCmjEoMwfpJUngcpHmZxzg%3D&signature=FnupFVnPADRaMJujEsb6qkWHjhk%3D" "Jetpack by WordPress.com"
192.0.102.47 - - [24/Sep/2017:07:47:19 +0000] "POST /xmlrpc.php?for=jetpack&token=3OU%40vqC%29qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D HTTP/1.1" 200 4700 "https://xxxxxxxxxxxx.com/xmlrpc.php?for=jetpack&token=3OU%40vqC)qRUdnxjqTB4u3rQDu7aaGBr%24%3A1%3A1&timestamp=1506239239&nonce=JAlKmhIcYh&body-hash=ZRE5p8Ej2QLMekiko5WrFVLxIhQ%3D&signature=gJMs%2Bnph4LLa0bUIxEyZPXivNCA%3D" "Jetpack by WordPress.com"
192.0.99.28 is a perfectly valid IP, it belongs to Automattic, which runs wordpress.com.
Check https://en.wikipedia.org/wiki/Reserved_IP_addresses for actual private IPs.
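The check the answer describes, as an added example that is not part of the original thread: it triages `POST /xmlrpc.php` entries by source address rather than by User-Agent, since the agent string is set by the client. The range `192.0.64.0/18` for Automattic is an assumption to confirm with whois, the function names are hypothetical, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: 192.0.64.0/18 is the Automattic block Jetpack requests come from.
# Confirm the current range with whois before trusting it.
ASSUMED_JETPACK_NET = ipaddress.ip_network("192.0.64.0/18")

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (query strings shortened, documentation addresses added).
SAMPLE_LOG = '''\
192.0.102.45 - - [24/Sep/2017:07:47:16 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 3948 "-" "Jetpack by WordPress.com"
192.0.99.28 - - [24/Sep/2017:07:47:18 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 3950 "-" "Jetpack by WordPress.com"
203.0.113.7 - - [24/Sep/2017:07:48:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Jetpack by WordPress.com"
192.168.1.20 - - [24/Sep/2017:07:48:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.55.1"
192.0.101.53 - - [24/Sep/2017:07:48:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''


def classify(ip_text, agent, trusted_net=ASSUMED_JETPACK_NET):
    """Return a triage verdict for one xmlrpc.php client."""
    ip = ipaddress.ip_address(ip_text)
    if ip in trusted_net:
        return "trusted-range"
    if "Jetpack" in agent:
        # User-Agent is client-controlled; outside the range it proves nothing.
        return "agent-claims-jetpack-outside-range"
    if not ip.is_global:
        return "private-or-reserved"
    return "other-public"


def triage_xmlrpc(log_text, trusted_net=ASSUMED_JETPACK_NET):
    """Count verdicts for POSTs to /xmlrpc.php; other lines are skipped."""
    verdicts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not m["path"].startswith("/xmlrpc.php"):
            continue
        try:
            verdicts[classify(m["ip"], m["agent"], trusted_net)] += 1
        except ValueError:  # client field is a hostname, not an address
            verdicts["unparsed-client"] += 1
    return verdicts
```

Calling `triage_xmlrpc(SAMPLE_LOG)` returns a `Counter` of verdicts; anything other than `trusted-range` is what deserves a closer look or a block rule.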