Webfoundry
Verified User
Dear all,
If this is off-topic, please let me know, but I'm puzzled with this one.
Today I received an email from my host saying that malicious activity from my server IP has been noticed.
All reports from Bitninja.io seem to be xmlrpc.php related.
In the DA control panel I don't spot any evidence of any malicious activity, so I don't really know where to start.
Example reports (my IP is mentioned as "Remote connection"):
Url: [###.da###ry.###.au/xmlrpc.php]
Remote connection: [here.is.my.IP:35756]
Headers: [array (
'Host' => '###.da###ry.###.au',
'Accept-Charset' => 'utf-8,ISO-8859-2;q=0.8,*;q=0.7',
'Accept-Language' => 'en-us;q=0.7,en;q=0.3',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
'Content-Length' => '344',
'Content-Type' => 'application/x-www-form-urlencoded',
)]
Post data: [Array
(
[<?xml version] => '1.0'?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value><int>0</int></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>admin1234567</string></value></param>
</params>
</methodCall>
)
]
Url: [he###ni.com/xmlrpc.php]
Remote connection: [here.is.my.IP:58394]
Headers: [array (
'Host' => 'he###ni.com',
'Accept-Charset' => 'utf-8,ISO-8859-2;q=0.8,*;q=0.7',
'Accept-Language' => 'en-us;q=0.7,en;q=0.3',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
'Content-Length' => '348',
'Content-Type' => 'application/x-www-form-urlencoded',
'BN-Frontend' => 'captcha-https',
'X-Forwarded-Port' => '443',
'X-Forwarded-Proto' => 'https',
'X-Forwarded-For' => '178.79.130.161',
)]
Post data: [Array
(
[<?xml version] => '1.0'?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value><int>0</int></value></param>
<param><value><string>fitni12</string></value></param>
<param><value><string>fitni121234567</string></value></param>
</params>
</methodCall>
)
]
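The requests in the reports above are WordPress XML-RPC calls: wp.getProfile takes (blog_id, username, password) and WordPress checks the credentials on every call, so each POST is effectively one password guess sent from the server to someone else's site. The following Python script is an added example, not part of the original post or of Bitninja's tooling; it parses such a methodCall body, flags calls that carry credentials and aggregates them per target host so the reports can be triaged. The sample bodies are reconstructed from the two reports quoted above, and the method table is assumed (only the two listed methods are covered).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed samples: the two request bodies from the Bitninja reports, paired
# with the target host from each report's Host header.
SAMPLE_REPORTS = [
    ("###.da###ry.###.au", """<?xml version='1.0'?>
<methodCall><methodName>wp.getProfile</methodName><params>
<param><value><int>0</int></value></param>
<param><value><string>admin</string></value></param>
<param><value><string>admin1234567</string></value></param>
</params></methodCall>"""),
    ("he###ni.com", """<?xml version='1.0'?>
<methodCall><methodName>wp.getProfile</methodName><params>
<param><value><int>0</int></value></param>
<param><value><string>fitni12</string></value></param>
<param><value><string>fitni121234567</string></value></param>
</params></methodCall>"""),
]

# Assumed table: parameter positions of (username, password) for WordPress
# XML-RPC methods that authenticate on each call. wp.* methods generally take
# (blog_id, username, password, ...); wp.getUsersBlogs takes (username, password).
CREDENTIAL_POSITIONS = {"wp.getProfile": (1, 2), "wp.getUsersBlogs": (0, 1)}

def parse_method_call(body):
    """Return (method_name, [param values as strings]) from an XML-RPC methodCall."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = root.findtext("methodName", default="").strip()
    params = []
    for value in root.findall("./params/param/value"):
        # <value><string>x</string></value>, <value><int>0</int></value> or bare <value>x</value>
        child = value[0] if len(value) else None
        params.append((child.text if child is not None else value.text) or "")
    return name, params

def classify_request(body):
    """Flag a credentialed call and note whether the password is derived from the username."""
    name, params = parse_method_call(body)
    pos = CREDENTIAL_POSITIONS.get(name)
    if pos is None or len(params) <= max(pos):
        return {"method": name, "credentialed": False}
    user, pw = params[pos[0]], params[pos[1]]
    return {"method": name, "credentialed": True, "username": user,
            "password_from_username": pw.startswith(user)}

def summarize(reports):
    """Count credentialed calls per target host: {host: {"attempts": n, "usernames": [...]}}."""
    out = defaultdict(lambda: {"attempts": 0, "usernames": []})
    for host, body in reports:
        r = classify_request(body)
        if r["credentialed"]:
            out[host]["attempts"] += 1
            out[host]["usernames"].append(r["username"])
    return dict(out)
```

Run over the real report set, a host appearing with many attempts and many usernames identifies the sites being targeted, and the originating local port in each report is the handle for finding which process or account on the server opened the connection.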