Tag Archive: xmlrpc.php


A few days ago, Polonus posted about the relationships between unknown html and xmlrpc.php malware. Recently, Essexboy, Polonus, and I had the opportunity to help out a website owner that was infected by his own site. Check out the avast! topic.

At first, the website appeared ok. However, with a search referral, I was shown a 302 (redirect) in the header.

HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Feb 2013 19:29:17 GMT
Server: Apache
Location: hXtp://fpert.qpoe.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

Also see: urlQuery Report & Sucuri Results

So then, I wondered, what was the root cause behind the redirect? At first, I thought it was an .htaccess redirect, but later, Polonus discovered that it was an xmlrpc.php redirect.

Always keep your WordPress up-to-date,
~!Donovan

More xmlrpc.php malware

Recently, there has been a number of cases involving mxlrpc.php. It appears that these xmlrpc ‘exploits’ are caused by outdated versions of WordPress. Consider reading this RSI Diary post. Although it dates back to 2005, my friend Polonus is finding occurrences of this exploit in 2013.

Read more on the avast! forums,
~!Donovan