Power Washing and Roof Cleaning Forum

Barry R · Veteran Member

Wordpress DDoS exploit

Ed Thompson · Approved Exterior Cleaner

Thanks Barry

Liberty SoftWash · PWS Vender

Thanks for the heads up Barry!

Brian C Jackson · Approved Exterior Cleaner

Thanks for being on top of all this Barry

SprayWash · Approved Exterior Cleaner

Thank you.... This is waaaayyyy above my pay grade and comprehension!

Art O · Approved Exterior Cleaner

Barry do you have a simple way to explain this to us?

Barry R · Veteran Member

Art O wrote:
Barry do you have a simple way to explain this to us?

It's a lot more complex than this but to simplify a bit, think of a DDoS code as instructions for your "to do" list for tomorrow....

To Do list:

1. Shower

2. Dress

3. Brush teeth

4. email To Do list to 1 other employee

5. begin To Do list

To Do list:

1. Shower

2. Dress

3. Brush teeth

4. email To Do list to 1 other employee

5. begin To Do list

To Do list:

1. Shower

2. Dress

3. Brush teeth

4. email To Do list to 1 other employee

5. begin To Do list

To Do list:

1. Shower

2. Dress

3. Brush teeth

4. email To Do list to 1 other employee

5. begin To Do list

(repeat 5,000 times)

Now imagine you have and unlimited number of employees

Now imagine if steps 1-5 were thus:

1. random proxy server login

2. find random wordpress site IP + start new bot

3. open 20 connections

4. run hack xmlrpc until server crash

5. begin To Do list

This is a sample alert from my server last week that shows the exponential attack....13 processes (PID = Process ID)

User:trump1 PID:30340 PPID:30232 Run Time:11(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30352 PPID:30335 Run Time:10(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30358 PPID:30130 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30364 PPID:29851 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30365 PPID:30304 Run Time:9(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30370 PPID:30332 Run Time:8(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30378 PPID:28704 Run Time:7(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30387 PPID:29155 Run Time:6(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30392 PPID:30333 Run Time:5(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30396 PPID:28383 Run Time:5(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30409 PPID:30252 Run Time:4(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30415 PPID:30314 Run Time:3(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30421 PPID:30270 Run Time:2(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30425 PPID:30289 Run Time:1(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30430 PPID:30269 Run Time:0(secs) Memory:43688(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php
User:trump1 PID:30442 PPID:30329 Run Time:0(secs) Memory:36824(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/trump1/public_html/xmlrpc.php

Another....

User:tomb PID:14427 PPID:14152 Run Time:13(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14435 PPID:14370 Run Time:12(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14466 PPID:13933 Run Time:10(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14478 PPID:12834 Run Time:9(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14480 PPID:14468 Run Time:9(secs) Memory:44784(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14481 PPID:14469 Run Time:9(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14487 PPID:14475 Run Time:8(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14489 PPID:14362 Run Time:7(secs) Memory:44584(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14507 PPID:13896 Run Time:3(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14510 PPID:14474 Run Time:2(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14513 PPID:14382 Run Time:2(secs) Memory:44788(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14520 PPID:13736 Run Time:0(secs) Memory:40320(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php
User:tomb PID:14523 PPID:14387 Run Time:0(secs) Memory:37220(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/tomb/public_html/xmlrpc.php

Dave O · Retired Member

Thanks for the warning Barry! I use WP.

Barry R · Veteran Member

Dave O wrote:
Thanks for the warning Barry! I use WP.

Update WP and install the plugin and you should be ok from anything harmful.I'm still seeing the attempts but the logs are showing a 301 (redirect) when they try to use the xmlrpc.php exploit.

I'd also suggest you use a login limiting plugin...set to 5 failed login attempts.

Diamond Roof Cleaning · Approved Exterior Cleaner

Barry call me when you can.