More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack

3 minute read

Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner. Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors.

Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDOS attacks against other sites. Note that XMLRPC is used for ping backs, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused like what we are seeing.

The story

It all happened against a popular WordPress site that had gone down for many hours due to a DDOS. As the attack increased in size, their host shut them down, and then they decided to ask for help and subscribed to our CloudProxy Website Firewall.

Once the DNS was ported we were able to see what was going on, it was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server. The requests looked like this:

74.86.132.186 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.mtbgearreview.com"
121.127.254.2 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2; http://www.kschunvmo.com" 
217.160.253.21 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://www.intoxzone.fr" 
193.197.34.216 - - [09/Mar/2014:11:05:27 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/2.9.2; http://www.verwaltungmodern.de" 
..

If you notice, all queries had a random value (like “?4137049=643182″) that bypassed their cache and force a full page reload every single time. It was killing their server pretty quickly.

But the most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending that random requests at a very large scale and bringing the site down.

WordPress Insecure Default Option = Very Large Botnet

Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.

Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d 'pingback.pinghttp://victim.comwww.anywordpresssite.com/postchosen'

Yes, that simple command on Linux can start it all.

Is your site attacking others?

It might be and you have no idea. To verify, look through your logs for any POST requests to the XML-RPC file, similar to the one below. If you see a pingback to a random URL, you know your site is being misused.

93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:x0Ax0Apingback.pingx0Ax0A x0A  x0A   http://fastbet99.com/?1698491=8940641x0A  x0A x0A x0A  x0A   yoursite.comx0A  x0A x0Ax0Ax0A"

94.102.63.238 – - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:x0Ax0Apingback.pingx0Ax0A x0A x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899x0A x0A x0A x0A x0A yoursite.comx0A x0A x0Ax0Ax0A"

In these case above, someone tried to use one of our honeypots to DDOS fastbet99.com and guttercleanerlondon.co.uk (a site we don’t know or service).

To stop your WordPress website from being misused, you will need to disable the XML-RPC (pingback) functionality on your site. You can do this by removing the file, xmlrpc.php, or you can disable notifications in your settings. The biggest challenge you’ll find with removing the file is that on an update it’ll come right back, annoying, I know. Some preliminary tests are showing that we’re able to bypass the disable notification setting but we are still investigating.

Lastly, if you prefer, we could take care of it for you via our CloudProxy Website Firewall; existing clients are already protected from this misuse.

This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use, so in there lies the dilemma.

Online Tool to Check if your site was misused

Because of how prevalent an issue this is becoming, we’ve put together a little scanner that will check if your website has shown up in our logs. This scanner is only looking to see if your site has used to attack anyone within our network.

Use our WordPress DDOS Scanner to check if your site is DDOS’ing other websites.

Try it out and do your part making the Internet a safer place for everyone.

</img>

You may also enjoy

Spotlight on Women in Cybersecurity

less than 1 minute read

Sucuri is committed to helping women develop their careers in technology. On International Women’s Day, Sucuri team members share their insights into workin...

Hacked Website Trend Report – 2018

less than 1 minute read

We are proud to be releasing our latest Hacked Website Trend Report for 2018. This report is based on data collected and analyzed by the GoDaddy Security / ...

Facebook
Google plus
Pinterest
RSS
Spotlight on Women in Cybersecurity
How to Add SSL & Move WordPress from HTTP to HTTPS
Hacked Website Trend Report – 2018
Fake Browser Updates Push Ransomware and Bank Malware
Google Analytics and Angular in Magento Credit Card Stealing Scripts