Is your Wordpress Blog being used as a weapon?

Dealing with the XML-RPC / pingback DDOS attack

If you have a Wordpress blog, there is a decent chance you are unknowingly DDOSing people.

What is DDOSing?

DDOS stands for Distributed Denial of Service, and is used as a way of shutting down a certain website or service being hosted on the internet. Normally this is done when someone controlling a bot net, or other very large amount of servers/internet connections (the distributed part of the acronym) all simultaneously spam a certain server with requests attempting to overload it (The denial of service part of the name).

How does Wordpress play into this?

I came across this very tricky DDOS attack which uses a seemingly innocuous function of the default Wordpress install relating to XML-RPC and specifically the “pingback.ping” function.

I stumbled across the exploit when getting to work on a blog I have hosted on Wordpress. (See more details about the blog setup here) I noticed the site was a bit sluggish, so I took a quick look at the server’s apache logs. After running a tail -f on the log file, I noticed I was getting the following line every second or so.

191.96.249.80 “POST /xmlrpc.php HTTP/1.0” 200 370 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)

For some reason this server was spamming my xmlrpc.php endpoint. XML-RPC is a protocol for a computer to request a procedure call remotely. Read more here: Link This means that the intruder was attempting to trigger my server to perform some function. Finding out which function would require a little more digging.

Getting to the bottom of the exploit

At first, I wasn’t able to see what the POST parameters were, so I installed mod_dumpio (Link) which is an apache module which lets you log out more details of the request/response cycle. Checking those logs, I noticed lines of the following format:

dumpio_in (data-HEAP): <?xmlversion=”1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://www.a3laneia.com/</string></value></param><param><value><string>http://vapecasa.io/perfect-halloween-costume-vapers/</string></value></param></params></methodCall>

It’s a bit cryptic looking, but essentially the bot is asking my server to run the pingback command with a target of www.a3laneia.com. The pingback command tells the target domain that the referring domain published content with hyperlinks to the targeted domain. This can be used to automatically publish a comment that the article is being linked to, among other things. See more here: Link

This pingback functionality is the crux of the exploit. The attacker just offloads the work of actually spamming the victims server to hundreds of thousands of different Wordpress blogs making it much harder for the victim to track down, or effectively filter out this spam traffic. Quite a simple and elegant hack.

How to check if your blog is being attacked

It’s quite easy to see if you are being used in this pingback DDOS exploit. The best way to check is to just do a quick grep through your web server’s access logs, and look for any repeated POST requests to /xmlrpc.php.

How to fix the problem

After a bit of digging, it turns out this is a very common exploit for Wordpress installs which leave this XML-RPC endpoint open and unfiltered. There are quite a few blog posts out there with various solutions to the problem.

As for me, I decided to do some minimal patching now, and save the focus on a more robust anti-spam solution for later. I started by just hard banning the offending IP address via iptables. This freed up some server resources allowing me to collect some more data on the exploit. Secondly, I decided to just opt to disable the pingback.ping function from Wordpress’s XML-RPC feature set. A quick an easy way to do this is to install this Wordpress plugin.

What was the common denominator in targeted sites?

Here is a list of all of the sites the bot asked my server to send a pingback request to:

http://177.54.156.113/
http://213.32.16.114/
http://ahmii.buyweb.us/
http://anarchy.minetexas.com/
http://churchofsatan.com/
http://clan-lt.com/community
http://deodat.entmip.fr/
http://dream-community.de
http://dxyy.fx120.net/
http://ent.ac-poitiers.fr/
http://foxcasino9.club/
http://infohomegranada.com
http://mft25.pw/Enter.php
http://nafix.co.il/
http://nextdaygear.biz
http://p.bemanicn.com/
http://plm.zoossoft.net/LR/Chatpre.aspx?id=PLM31671888&amp;lng=cn
http://pr.trinitascollege.nl/
http://ragnapocket.com.br/site/
http://ragnapocket.com.br/
http://royaltypvp.org/forums/index.php?articles/
http://royaltypvp.org/
https://armoowasright.nl/
https://irc.ipredator.se
https://knolpower.nl/
https://mlsmyhome.com
https://soar.gg/
http://star-bkash.com
https://tiboinshape.com/shop/
http://store.royaltypvp.co/
https://www.beastnode.com/
https://www.interasistmen.se/
https://www.worldcannabis.net/
http://techruiz.webs.com/
http://unitymc.us/
http://weedwomen.ca/
http://www.a3laneia.com/
http://www.budgirl.com/
http://www.dumpert.nl/
http://www.edline.net/pages/CCSD93
http://www.fifaproclubs.com/
http://www.knjhair.fr/index.php/tissages-naturels.html
http://www.mc-market.org/
http://www.pukmedia.com/
http://www.scotland.police.uk/
http://www.vg.no/
http://www.xn------ozecp6ar0ag8cvfjklaic7a5e.com/

The internet is a weird place.


If you enjoyed reading this, please follow me for future updates.

Connect with me on Twitter: https://twitter.com/Brian_Ethier

Cheers,

David Brian Ethier