Click Here to Request a FREE Quote to Develop an iPhone App or Android App

Slow Web Day!

What do you do when your website is running slowly, or not responding?

I had to deal with this situation today, when someone pointed out they couldn’t see my home page.

My first action was to wait a bit – sometimes transient internet glitches occur, so simply waiting a few minutes can save a lot of wasted effort, trying to get to the bottom of a problem which doesn’t exist.

Waiting didn’t help in this case, so my next step was to examine the server logs, to find clues as to what was happening.

I immediately found the problem – thousands upon thousands of requests, for a file called xmlrpc.php.


89.248.168.46 – – [24/Sep/2014:10:00:27 +0000] “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”
195.154.127.19 – – [24/Sep/2014:10:00:26 +0000] “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”
195.154.127.19 – – [24/Sep/2014:10:00:28 +0000] “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”
195.154.127.19 – – [24/Sep/2014:10:00:26 +0000] “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”
89.248.168.46 – – [24/Sep/2014:10:00:37 +0000] “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”
80.82.65.17 – – [24/Sep/2014:10:00:41 +0000] “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”

xmlrpc.php is a legitimate web file, which helps some servers communicate with web pages. But these web requests were clearly not legitimate – my web server does not use xmlrpc.php. These web requests are incoming attacks from computers which are infected by a computer worm.

The attacks aren’t targeting the Desirable Apps website specifically – they are infected computers blindly attacking any other machines they can find, in the hope of infecting a new host. But there are currently so many computers infected by this worm, the effort of trying to respond to all the legitimate looking requests from infected machines is (or was) overloading my website, preventing legitimate visitors from getting a response.

The solution was, in this case, very straightforward. Since I don’t use xmlrpc.php, I modified the web server configuration to immediately reject any request which referenced xmlrpc.php, without attempting in any way to process it.

Desirable Apps is still being attacked – but it is now rejecting the attack requests far more efficiently, so the web server is now able to respond normally to legitimate visitors.

Leave a Reply

Your email address will not be published. Required fields are marked *