PHP xmlrpc.php error

[mlordi]

Does anyone know of a way to block a user from scanning for this file exploit. I do not have the file xmlrpc.php installed anywhere on my web server, but for some reason somebody keeps running a scan for it. Whenever the scan is invoked it seems to crash our www publishing service in iis 5. Does anyone know where I can check or how to block this kind of attack?

[turbosport]

[!--quoteo(post=328795:date=Dec 19 2005, 08:12 PM:name=Mark Lordi)--][div class=\'quotetop\']QUOTE(Mark Lordi @ Dec 19 2005, 08:12 PM) 328795[/snapback][/div][div class=\'quotemain\'][!--quotec--]

Does anyone know of a way to block a user from scanning for this file exploit. I do not have the file xmlrpc.php installed anywhere on my web server, but for some reason somebody keeps running a scan for it. Whenever the scan is invoked it seems to crash our www publishing service in iis 5. Does anyone know where I can check or how to block this kind of attack?

 

I would redirect him somewhere

 

Make a php file called xmlrpc.php

<?php

header("Location: [a href=\"http://www.nastysite.com/");\" target=\"_blank\"]http://www.nastysite.com/");[/a]

?>

 

If you want to get clever you could filter the file in the iislockdown tool:

[a href=\"http://www.microsoft.com/technet/security/tools/locktool.mspx\" target=\"_blank\"]http://www.microsoft.com/technet/security/...s/locktool.mspx[/a]

 

You may want to install the urlscan package which has the iislockdowntool included:

[a href=\"http://www.microsoft.com/technet/security/tools/urlscan.mspx?#g\" target=\"_blank\"]http://www.microsoft.com/technet/security/...urlscan.mspx?#g[/a]

 

You will need to add xmlrpc.php to the [DenyUrlSequences] section in the urlscan.ini file which will be in the \System32\Inetsrv\URLscan folder

 

you can also specify where you send him by including a RejectResponseUrl in the ini file

 

HTH

Clint Gaskin