PHP xmlrpc.php error



#1 mlordi


Posted 19 December 2005 - 08:12 PM

Does anyone know of a way to block a user from scanning for this file exploit? I do not have the file xmlrpc.php installed anywhere on my web server, but for some reason somebody keeps running a scan for it. Whenever the scan is invoked, it seems to crash our WWW Publishing Service in IIS 5. Does anyone know where I can check or how to block this kind of attack?

#2 turbosport


Posted 14 January 2006 - 12:50 AM

QUOTE (Mark Lordi @ Dec 19 2005, 08:12 PM)
> Does anyone know of a way to block a user from scanning for this file exploit? I do not have the file xmlrpc.php installed anywhere on my web server, but for some reason somebody keeps running a scan for it. Whenever the scan is invoked, it seems to crash our WWW Publishing Service in IIS 5. Does anyone know where I can check or how to block this kind of attack?

I would redirect him somewhere ;)

Make a php file called xmlrpc.php:
<?php
// Send any client that requests this file to another URL.
header("Location: http://www.nastysite.com/");
exit; // stop processing once the redirect header has been sent
?>

If you want to get clever you could filter the file in the iislockdown tool:
http://www.microsoft.com/technet/security/tools/locktool.mspx

You may want to install the urlscan package which has the iislockdowntool included:
http://www.microsoft.com/technet/security/tools/urlscan.mspx?#g

You will need to add xmlrpc.php to the [DenyUrlSequences] section in the urlscan.ini file, which will be in the \System32\Inetsrv\URLscan folder.

You can also specify where you send him by including a RejectResponseUrl in the ini file.

HTH
Clint Gaskin
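
For the "where can I check" part of the question, and to preview what an xmlrpc.php entry in [DenyUrlSequences] would match, here is an added example that is not part of either post: it reads an IIS W3C extended log and counts, per client IP, the requests whose URL contains a denied sequence. The sample log lines are constructed, the function names are hypothetical, and the case-insensitive substring match is an assumed model of the URLScan comparison.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-12-19 20:01:10 192.0.2.10 GET /index.htm 200
2005-12-19 20:01:12 203.0.113.5 POST /xmlrpc.php 404
2005-12-19 20:01:12 203.0.113.5 POST /blog/xmlrpc.php 404
2005-12-19 20:01:13 203.0.113.5 POST /blog/XMLRPC.PHP 404
2005-12-19 20:02:40 198.51.100.7 GET /xmlrpc/ 404
"""

# The entry the answer suggests adding to [DenyUrlSequences].
DENY_SEQUENCES = ["xmlrpc.php"]


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def is_denied(uri, sequences=DENY_SEQUENCES):
    """Assumed model of the check: case-insensitive substring match on the URL."""
    uri = uri.lower()
    return any(seq.lower() in uri for seq in sequences)


def probe_sources(text):
    """Count requests matching a denied sequence, grouped by client IP."""
    hits = Counter()
    for rec in parse_w3c(text):
        if is_denied(rec.get("cs-uri-stem", "")):
            hits[rec.get("c-ip", "unknown")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in probe_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} request(s) matching a denied sequence")
```

The `cs-uri-stem` and `c-ip` fields must be enabled in the site's W3C logging properties for the counts to be meaningful.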



