
Marcelo Pedra on "[Plugin: Jetpack by WordPress.com] Automattic's IP range to whitelist in firewall"


Hello Ben! There are no login attempts coming from those IPs. The problem is that they are trying to connect to xmlrpc.php in a way mod_security detects as suspicious, and it's blocking it. It's not something at the WordPress level, it's rather at the server level.

These are the last logs for one of the domains being "badly pinged". We will refer to it as DOMAIN1.com.ar:

[Tue Feb 04 00:26:41.837789 2014] [:error] [pid 32763] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvBd8dGMEo4AAH-7zhcAAAAZ"]
[Tue Feb 04 01:29:03.960670 2014] [:error] [pid 23713] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvBsj9GMEo4AAFyhc9EAAAAI"]
[Tue Feb 04 08:27:38.551482 2014] [:error] [pid 14055] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvDOqtGMEo4AADbnVvwAAAAW"]
[Tue Feb 04 11:28:37.580930 2014] [:error] [pid 15837] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvD5FdGMEo4AAD3dczYAAAAE"]
[Tue Feb 04 12:27:37.558461 2014] [:error] [pid 7652] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvEG6dGMEo4AAB3k8NcAAAAM"]
[Tue Feb 04 14:26:14.614623 2014] [:error] [pid 23771] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvEittGMEo4AAFzbUlEAAAAT"]

And these are the last logs for the other, which we will call http://www.DOMAIN2.org:

[Tue Feb 04 15:52:56 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvE3CNHZ864AAEbPS08AAAAI"]
[Tue Feb 04 15:53:21 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvE3IdHZ864AAEbhUtsAAAAa"]
[Tue Feb 04 16:53:39 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvFFQ9HZ864AADTiWT4AAAAa"]
[Tue Feb 04 17:52:51 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvFTI9HZ864AACdEO-MAAAAD"]
[Tue Feb 04 18:39:22 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvFeCtHZ864AAHQmi@4AAAAC"]
[Tue Feb 04 18:51:47 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvFg89HZ864AAA04Ao0AAAAP"]

I double checked the server logs, and your IPs are the only ones breaking the 950107 mod_security rule of note:

# Check encodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

I could obviously delete that rule and forgive the problem, but at the end of the day, this may be a bug in something within JetPack.

The rule began being broken and flooding the logs here since last Oct 18th, 2013. This is somewhere between JetPack 2.6 and 2.6.1, where you launched Monitor. I guess you started testing it one month before within wordpress.com. Might these pings belong to the Monitor feature?

DOMAIN1.com.ar is the head domain of a multisite install running under PHP 5.4. It has the following JetPack modules active:
- Stats
- JetPack comments
- Subscriptions
- Contact form
- Enhanced Distribution
- I never used Monitor on this site
- This site uses W3 Total Cache and Amazon CloudFront as CDN

http://www.DOMAIN2.org is a standalone WP site running under PHP 5.2. It has the following JetPack modules active:
- Stats
- Subscriptions
- Custom CSS
- Photon
- Enhanced Distribution
- I tested Monitor on this site. I deactivated it about a week ago to debug all this thing.
- This site uses WP Super Cache and CloudFlare as CDN

It's of note that I manage almost 15 WP sites distributed across both servers and I usually set every one up with almost the same configuration and active modules (all of them have JetPack's WordPress.com Stats module activated), and none of these have triggered mod_security alerts.
I checked all of them today and none of them is using Monitor.

So, what's going on? Can you tell?
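The triage the poster did by hand (grouping the deny lines by client IP, rule id and the variable that matched, then working out why a `token` value trips the chained regex of rule 950107) can be scripted. The following is an added example and is not code from the poster, from Jetpack or from ModSecurity/CRS; it parses lines in both Apache log formats shown above, re-applies the rule's regex to constructed sample values to show which kinds of `%` sequences it flags and which it does not, and checks whether a client IP falls in a CIDR list. The `192.0.64.0/18` block is an assumption used only as an illustration of that check; the real list to use is whatever Automattic currently publishes.

```python
"""Triage helper for the ModSecurity rule 950107 hits shown in the post (added example)."""
import ipaddress
import re
from collections import Counter

# Second (chained) SecRule of id 950107, exactly as quoted in the post: a '%' that is
# not at end of string, not followed by a non-word character, not followed by two hex
# digits and not followed by 'u' plus four hex digits, i.e. a malformed URL escape.
URL_ENCODING_ABUSE = re.compile(r"%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Fields worth extracting from a mod_security error_log deny line. The same expression
# handles the Apache 2.4 (pid + microseconds) and Apache 2.2 formats seen in the post.
LOG_LINE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<status>\d+)'
    r'.*? at (?P<variable>\S+)\. '
    r'.*?\[id "(?P<rule_id>\d+)"\]'
    r'.*?\[hostname "(?P<hostname>[^"]+)"\]'
    r'.*?\[uri "(?P<uri>[^"]+)"\]'
)

# Constructed sample input: one deny line of each format copied from the post, plus one
# unrelated Apache error line that must be ignored.
SAMPLE_LOG = [
    r'[Tue Feb 04 00:26:41.837789 2014] [:error] [pid 32763] [client 192.0.81.122] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "DOMAIN1.com.ar"] [uri "/xmlrpc.php"] [unique_id "UvBd8dGMEo4AAH-7zhcAAAAZ"]',
    r'[Tue Feb 04 15:52:56 2014] [error] [client 192.0.81.13] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:token. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "52"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.DOMAIN2.org"] [uri "/xmlrpc.php"] [unique_id "UvE3CNHZ864AAEbPS08AAAAI"]',
    r'[Tue Feb 04 16:00:00 2014] [error] [client 192.0.81.13] File does not exist: /home/example/public_html/favicon.ico',
]

# Constructed token values and whether the chained regex flags them. Note the two
# blind spots a practitioner should know about: a trailing '%' and '%%' are not flagged.
TOKEN_SAMPLES = {
    "abc%2Fdef%3D": False,  # well-formed %XX escapes
    "abc%u00e9": False,     # %uXXXX escape is accepted by the rule
    "sig%": False,          # '%' at end of string is not flagged
    "100%%": False,         # '%' followed by '%' (a non-word char) is not flagged
    "a%zz": True,           # '%' followed by non-hex word characters
    "key%3": True,          # only one hex digit after '%'
}

# ASSUMPTION for illustration only: replace with the ranges Automattic publishes.
ASSUMED_AUTOMATTIC_RANGES = ["192.0.64.0/18"]


def parse_modsec_line(line):
    """Return the interesting fields of a ModSecurity deny line, or None for any other line."""
    m = LOG_LINE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count denies per (client, hostname, uri, rule id, matched variable)."""
    counts = Counter()
    for line in lines:
        rec = parse_modsec_line(line)
        if rec:
            key = (rec["client"], rec["hostname"], rec["uri"], rec["rule_id"], rec["variable"])
            counts[key] += 1
    return counts


def trips_950107(value):
    """True if the chained regex of rule 950107 would match this argument value."""
    return URL_ENCODING_ABUSE.search(value) is not None


def in_ranges(ip, cidrs):
    """True if ip lies inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
    for tok, expected in TOKEN_SAMPLES.items():
        print(f"{tok!r:16} flagged={trips_950107(tok)} (expected {expected})")
    for rec in filter(None, map(parse_modsec_line, SAMPLE_LOG)):
        print(rec["client"], "in assumed ranges:", in_ranges(rec["client"], ASSUMED_AUTOMATTIC_RANGES))
```

Run it against the real error_log with `summarize(open("/path/to/error_log"))` to confirm, as the poster did, that a single rule id and a single matched variable account for all the hits; feeding the actual `token` value from an audit log entry into `trips_950107` shows exactly which `%` sequence the rule objects to, which is the evidence to bring to the plugin author before deciding whether to exclude the rule for `/xmlrpc.php` only or to leave it in place.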
