Wordpress Bots, or Reflectors

This is a page about over 2000 Wordpress sites that participated in DDoS attacks and were notified.

These sites are not infected, but are being used to bounce attacks via the Pingback vulnerability.


1. Attack Logs (12-6-13)
2. Notification of EDU Domains
3. Notification of All Domains
4. How to Clean Your Blog (not recommended)
5. Pingback Vulnerability: How to Fix It (Recommended)
6. Analyzing the Attack and Identifying the Attackers
7. NetSpoof Attack Service

1. Attack Logs (12-6-13)

Today Steven Veldkamp sent me data from two DDoS attacks he experienced, one on 12/1/13 and one on 12/4/13.

Here is a complete list of the 2155 Wordpress bots used in this attack:

wpbots-dec1-4-13.htm (348 KB)
They were both from the same botnet of WordPress sites.

There were a lot of bots involved, but I only analyzed the EDU ones for now.

Here are the results from the 12/4 attack, which contained all the EDU bots:

I'll forward this to those schools, so they know they are pwned.

Complete Logs

You can download the whole Apache logs:
dec1.txt (6,651,036 bytes)
ddos4dec13.txt (4,831,724 bytes)

2. Notification of EDU Domains

Here are the addresses I used to notify them:

security@colorado.edu OfficeOfThePresident@cu.edu ranna_farzan@harvard.edu scott_fields@harvard.edu
records@colum.edu skauffman@colum.edu clientservices@colum.edu security@colum.edu
security@creighton.edu info@creighton.edu
chancellor@cuny.edu security@cuny.edu
alison.leary@nyu.edu security@nyu.edu john.sexton@nyu.edu
security@pace.edu jbaez@pace.edu ccapone@pace.edu
4HELP@umich.edu security@umich.edu presoff@umich.edu
security@uoc.edu csigales@uoc.edu
security@upenn.edu presweb@pobox.upenn.edu
chancellor@vanderbilt.edu security@vanderbilt.edu
president@harvard.edu abuse@harvard.edu security@harvard.edu

Notification done 10:07 pm 12-6-13

3. Notification of All Domains

I used Excel to extract the domains, and tried emailing them at abuse@domain.com and security@domain.com, but almost all the emails bounced.

So I used this bash script to extract admin emails from whois:

while read line
      echo $line " " `whois $line | grep "Admin Email:" | cut -d " " -f 3`
done < "$1"
That script stopped after 326 queries on Comcast, so I switched to Sprint through my phone and it completed--apparently Sprint has no whois query limit.

Approximately half the domains had Admin Email addresses. I notified them all, grouping them together in groups of 30, 100, or 200 to make it more efficient. As of 12-9-13, they have all been notified. I got 3 replies from administrators of blogs so far.

One unfortunate aspect of this project is that I have no way to know if it's working, except replies, and from my previous notifications I know replies are very rare and do not necessarily indicate that the infection will be fixed.

4. How to Clean Your Blog (not recommended)

Here's what one blog administrator told me.

I don't recommend it anymore, because most blogs are not in fact infected; what you need to do is disable the Pingback feature, as detailed below.

Hi Sam,

Unfortunately, the only way to clean the site was to wipe the install and reinstall WP from scratch. It looks like the malware (unidentified) was injected into some javascript files that were a part of WP's core library. Sadly, Sucuri does not have a name for it - I'm guessing it exploited some vulnerability in either the JavaScript

This is what worked for me:
1. Scanning the website with http://sitecheck.sucuri.net/scanner/ and making sure that there was an infection.
2. Backing up my wordpress install.
3. Moving any important files out of the install (e.g. /wp-content/uploads, /wp-content/themes/) to a separate folder on my web host.
4. Making a note of the username, password, database name and hostname in wp-config.php (super important)
5. Deleting the wordpress folder, downloading the current version of Wordpress, and reinstalling it. I used the username and password from step 4.
6. Moving files from step 3 back into their proper places.

After that, it's a case of reinstalling plugins. I ran Sucuri site scanner again, and the site was now clean of malware.

The entire process takes less than an hour. Hardening the site against future infections requires a whole lot of other work.

hope that helps,
Chris Lepine

5. Pingback Vulnerability: How to Fix It (Recommended)

It is possible that these blogs are being used to reflect an attack, without actually being compromised.

Details and how to fix it are here:

Fixing With a Plug-In

Ahhh gotcha. This plugin for WP solves this new vuln:


(better than deleting xmlrpc.php, which will get reinstalled when WP core is upgraded)

From Chris Lepine

Fixing with Permissions

@0xMatt said:
Just use facl to remove all rwx entirely on xmlrpc.php - can't be used OR replaced during upgrades. Easy fix.
WordPress Default Pingback Exploitable To DDoS -- FIX EXPLAINED HERE


WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks


WordPress Bug Report, 7 years old, closed :(

6. Analyzing the Attack and Identifying the Attackers

Evidence for PINGBACK

@jkleske sent me this via Twitter:
@sambowne @Fantastikk @akrabat my server load showed a strong demand on the xmlrpc.php for that time. That's how I found out about it.
Another blog administrator sent me this by email:
This looks to have been the xmlrpc pingback exploit. I've disabled the xmlrpc.php script...
And this!
The originating IP making the requests is, FWIW. Go yell at them.
More info about the attacker:
We've seen our logs as well but the request size is always too small to carry an actual payload, I think it's just a bot that scans for xmlrpc's. Also this IP showed up immediately in my honeypot and lacks any get or post parameters. - - [30/Nov/2013:22:24:06 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-" - - [30/Nov/2013:22:24:47 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"

mysql> SELECT * FROM `log` WHERE `ipaddress` LIKE ''\G

*************************** 1. row ***************************

id: 32


datetime: 2013-12-09 12:22:49

vhost: www.hostingcon.com

uri: /xmlrpc.php

get: []

post: []

cookie: []

*************************** 2. row ***************************

id: 33


datetime: 2013-12-09 12:22:51

vhost: www.hostingcon.com

uri: /xmlrpc.php

get: []

post: []

cookie: []

2 rows in set (0.00 sec)

The actual attacker appears to be

The two logs that make this apparent: - - [30/Nov/2013:22:22:24 -0500] "GET /blog/explore-ways-grow-hosting-company/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Hostingcon+(HostingCon) HTTP/1.0" 200 9238 "http://www.hostingcon.com/" "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25" "-" - - [30/Nov/2013:22:22:25 -0500] "POST /xmlrpc.php HTTP/1.0" 200 212 "http://www.hostingcon.com/blog/explore-ways-grow-hosting-company/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Hostingcon+(HostingCon)" "PHP/5.2.10"

The user agent change was what first alerted me. The timestamp also coincides with the first time one of our IPs shows up in your log file

From Mat Sumpter

Another report of the attacking IP address:
I will speak to my webhost but I can see from looking at my logs that xmlrpc.php has been requested ~80,000 times from IP address

I will disable pingbacks and take a look at that WP plugin you suggest in your blogpost

7. NetSpoof Attack Service

A test conducted by a third party revealed that NetSpoof, a commercial DDoS service, produces similar traffic from the same blogs, and is the most likely source of the attacks.

The tool is advertised on

HackForums.net (registration required)

Here is the ad I saw:

Here's the tool's home: Netspoof.com

Posted 12-6-13 by Sam Bowne
Updated with HTML list of bots 12:05 pm 12-7-13
Image added 7:32 pm 12-7-13
Complete notifications added 12-9-13 7:50 am
Cleaning instructions added 9:26 am 12-9-13
Pingback links added 12-9-13 10:48 am
Pingback evidence added 1:16 PM 12-9-13
More information, up to the logs from Mat Sumpter added 1:52 pm 12-9-13
Another reference link and the permissions fix added 7:56 pm 12-9-13
Reference to the 7-year-old WordPress bug report added 10:42 am 12-13-13
NetSpoof info added, reorganized with directory, 11:37 am 12-13-13