I just emailed Ed Thompson about this and thought I should share it on some of the forums.
There is a current exploit (XML quadratic blowup attack) that is running throughout the WordPress and Drupal world. It uses the XMLRPC.PHP (pingbacks) to overload the system.
Other possible vulnerabilities:
Intel gathering — attacker may probe for specific ports in the target’s internal network
Port scanning — attacker may port-scan hosts in the internal network
DoS attacks — attacker may pingback via large number of sites for DoS attack
Router hacking — attacker may reconfigure an internal router on the network
Info here: http://www.breaksec.com/?p=6362
and here they explain how it's used to turn your site into part of their army: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
Solutions...(do both)
WP just released an update...if you don't have automatic updates set, make sure to do it from the admin panel
Install this plugin http://downloads.wordpress.org/plugin/disable-xml-rpc-pingback.1.0.zip
My server is 100% WP sites and the combined attacks have been spiking my server load, triggering alerts and actually took the whole server down for 4 minutes this morning. No site has been hacked but DDoS isn't an internal security issue. If you have an account on my server, I will be checking each site and updating those that haven't already.
Barry
Ed Thompson said
Aug 8, 2014
Thanks Barry
Liberty SoftWash said
Aug 8, 2014
Thanks for the heads up Barry!
Brian C Jackson said
Aug 10, 2014
Thanks for being on top of all this Barry
SprayWash said
Aug 10, 2014
Thank you.... This is waaaayyyy above my pay grade and comprehension!
Art O said
Aug 10, 2014
Barry do you have a simple way to explain this to us?
Barry R said
Aug 10, 2014
Art O wrote:
Barry do you have a simple way to explain this to us?
It's a lot more complex than this but to simplify a bit, think of a DDoS code as instructions for your "to do" list for tomorrow....
To Do list:
1. Shower
2. Dress
3. Brush teeth
4. email To Do list to 1 other employee
5. begin To Do list
To Do list:
1. Shower
2. Dress
3. Brush teeth
4. email To Do list to 1 other employee
5. begin To Do list
To Do list:
1. Shower
2. Dress
3. Brush teeth
4. email To Do list to 1 other employee
5. begin To Do list
To Do list:
1. Shower
2. Dress
3. Brush teeth
4. email To Do list to 1 other employee
5. begin To Do list
(repeat 5,000 times)
Now imagine you have an unlimited number of employees
Now imagine if steps 1-5 were thus:
1. random proxy server login
2. find random wordpress site IP + start new bot
3. open 20 connections
4. run hack xmlrpc until server crash
5. begin To Do list
This is a sample alert from my server last week that shows the exponential attack....13 processes (PID = Process ID)
User:trump1 PID:30340 PPID:30232 Run Time:11(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30352 PPID:30335 Run Time:10(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30358 PPID:30130 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30364 PPID:29851 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30365 PPID:30304 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30370 PPID:30332 Run Time:8(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30378 PPID:28704 Run Time:7(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30387 PPID:29155 Run Time:6(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30392 PPID:30333 Run Time:5(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30396 PPID:28383 Run Time:5(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30409 PPID:30252 Run Time:4(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30415 PPID:30314 Run Time:3(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30421 PPID:30270 Run Time:2(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30425 PPID:30289 Run Time:1(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30430 PPID:30269 Run Time:0(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30442 PPID:30329 Run Time:0(secs) Memory:36824(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
Another....
User:tomb PID:14427 PPID:14152 Run Time:13(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14435 PPID:14370 Run Time:12(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14466 PPID:13933 Run Time:10(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14478 PPID:12834 Run Time:9(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14480 PPID:14468 Run Time:9(secs) Memory:44784(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14481 PPID:14469 Run Time:9(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14487 PPID:14475 Run Time:8(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14489 PPID:14362 Run Time:7(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14507 PPID:13896 Run Time:3(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14510 PPID:14474 Run Time:2(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14513 PPID:14382 Run Time:2(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14520 PPID:13736 Run Time:0(secs) Memory:40320(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14523 PPID:14387 Run Time:0(secs) Memory:37220(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
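Added example (not from Barry's post or his server software): a small Python check that parses alerts in the one-line-per-process format quoted above and flags any hosting account with many concurrent xmlrpc.php PHP workers, which is the pattern the alerts show. The account names, PIDs and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern for the alert format quoted in the post (User/PID/PPID/Run Time/Memory/exe/cmd).
ALERT_RE = re.compile(
    r"User:(?P<user>\S+)\s+PID:(?P<pid>\d+)\s+PPID:(?P<ppid>\d+)\s+"
    r"Run Time:(?P<secs>\d+)\(secs\)\s+Memory:(?P<kb>\d+)\(kb\)\s+"
    r"exe:(?P<exe>\S+)\s+cmd:(?P<cmd>.+)$"
)

# Constructed sample alert (made-up accounts, same layout as the real alerts):
# five xmlrpc.php workers for "siteA", one normal page load, two workers for "siteB".
SAMPLE_ALERT = """\
User:siteA PID:30340 PPID:30232 Run Time:11(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteA/public_html/xmlrpc.php
User:siteA PID:30352 PPID:30335 Run Time:10(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteA/public_html/xmlrpc.php
User:siteA PID:30358 PPID:30130 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteA/public_html/xmlrpc.php
User:siteA PID:30364 PPID:29851 Run Time:5(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteA/public_html/xmlrpc.php
User:siteA PID:30370 PPID:30332 Run Time:0(secs) Memory:36824(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteA/public_html/xmlrpc.php
User:siteA PID:30371 PPID:30332 Run Time:1(secs) Memory:40000(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteA/public_html/index.php
User:siteB PID:14427 PPID:14152 Run Time:13(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteB/public_html/xmlrpc.php
User:siteB PID:14435 PPID:14370 Run Time:12(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/siteB/public_html/xmlrpc.php
"""


def parse_alert(text):
    """Return one dict per parseable alert line; lines that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("pid", "ppid", "secs", "kb"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def xmlrpc_storms(rows, min_procs=5):
    """Group xmlrpc.php workers per account; flag accounts at or above min_procs.

    Returns {user: {"procs": n, "memory_kb": total, "max_secs": longest run}}."""
    per_user = defaultdict(list)
    for row in rows:
        if row["cmd"].rstrip().endswith("/xmlrpc.php"):
            per_user[row["user"]].append(row)
    flagged = {}
    for user, procs in per_user.items():
        if len(procs) >= min_procs:
            flagged[user] = {"procs": len(procs),
                             "memory_kb": sum(p["kb"] for p in procs),
                             "max_secs": max(p["secs"] for p in procs)}
    return flagged
```

Feeding a real alert body to `parse_alert` and then `xmlrpc_storms` gives a per-account view of which sites are being used as pingback workers, which is what tells you which sites still need the update and plugin.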
Dave O said
Aug 11, 2014
Thanks for the warning Barry! I use WP.
Barry R said
Aug 11, 2014
Dave O wrote:
Thanks for the warning Barry! I use WP.
Update WP and install the plugin and you should be ok from anything harmful. I'm still seeing the attempts but the logs are showing a 301 (redirect) when they try to use the xmlrpc.php exploit.
I'd also suggest you use a login limiting plugin...set to 5 failed login attempts.