These sites are not infected, but are being used to bounce attacks via the Pingback vulnerability.
1. Attack Logs (12-6-13)
2. Notification of EDU Domains
3. Notification of All Domains
4. How to Clean Your Blog (not recommended)
5. Pingback Vulnerability: How to Fix It (Recommended)
6. Analyzing the Attack and Identifying the Attackers
7. NetSpoof Attack Service
Here is a complete list of the 2155 Wordpress bots used in this attack:
wpbots-dec1-4-13.htm (348 KB)They were both from the same botnet of WordPress sites.
There were a lot of bots involved, but I only analyzed the EDU ones for now.
Here are the results from the 12/4 attack, which contained all the EDU bots:
I'll forward this to those schools, so they know they are pwned.
dec1.txt (6,651,036 bytes)
ddos4dec13.txt (4,831,724 bytes)
email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org
email@example.com firstname.lastname@example.org email@example.com
firstname.lastname@example.org email@example.com firstname.lastname@example.org
4HELP@umich.edu email@example.com firstname.lastname@example.org
email@example.com firstname.lastname@example.org email@example.com
Notification done 10:07 pm 12-6-13
So I used this bash script to extract admin emails from whois:
That script stopped after 326 queries on Comcast, so I switched to Sprint through my phone and it completed--apparently Sprint has no whois query limit.
while read line
echo $line " " `whois $line | grep "Admin Email:" | cut -d " " -f 3`
done < "$1"
Approximately half the domains had Admin Email addresses. I notified them all, grouping them together in groups of 30, 100, or 200 to make it more efficient. As of 12-9-13, they have all been notified. I got 3 replies from administrators of blogs so far.
One unfortunate aspect of this project is that I have no way to know if it's working, except replies, and from my previous notifications I know replies are very rare and do not necessarily indicate that the infection will be fixed.
I don't recommend it anymore, because most blogs are not in fact infected; what you need to do is disable the Pingback feature, as detailed below.
This is what worked for me:
1. Scanning the website with http://sitecheck.sucuri.net/scanner/ and making sure that there was an infection.
2. Backing up my wordpress install.
3. Moving any important files out of the install (e.g. /wp-content/uploads, /wp-content/themes/) to a separate folder on my web host.
4. Making a note of the username, password, database name and hostname in wp-config.php (super important)
5. Deleting the wordpress folder, downloading the current version of Wordpress, and reinstalling it. I used the username and password from step 4.
6. Moving files from step 3 back into their proper places.
After that, it's a case of reinstalling plugins. I ran Sucuri site scanner again, and the site was now clean of malware.
The entire process takes less than an hour. Hardening the site against future infections requires a whole lot of other work.
hope that helps,
Details and how to fix it are here:
Ahhh gotcha. This plugin for WP solves this new vuln:
(better than deleting xmlrpc.php, which will get reinstalled when WP core is upgraded)
From Chris Lepine
Just use facl to remove all rwx entirely on xmlrpc.php - can't be used OR replaced during upgrades. Easy fix.WordPress Default Pingback Exploitable To DDoS -- FIX EXPLAINED HERE
DDOS ATTACK -- THIS BLOG VIA XMLRPC.PHP
WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks
YOUR BLOG HAS BEEN HACKED. ACTUALLY, MAYBE NOT. THE PINGBACK EXPLOIT
WordPress Bug Report, 7 years old, closed :(
@sambowne @Fantastikk @akrabat my server load showed a strong demand on the xmlrpc.php for that time. That's how I found out about it.Another blog administrator sent me this by email:
This looks to have been the xmlrpc pingback exploit. I've disabled the xmlrpc.php script...And this!
The originating IP making the requests is 220.127.116.11, FWIW. Go yell at them.More info about the attacker:
We've seen 18.104.22.168 our logs as well but the request size is always too small to carry an actual payload, I think it's just a bot that scans for xmlrpc's. Also this IP showed up immediately in my honeypot and lacks any get or post parameters.Another report of the attacking IP address:
22.214.171.124 - - [30/Nov/2013:22:24:06 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"
126.96.36.199 - - [30/Nov/2013:22:24:47 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"
mysql> SELECT * FROM `log` WHERE `ipaddress` LIKE '188.8.131.52'\G
*************************** 1. row ***************************
datetime: 2013-12-09 12:22:49
*************************** 2. row ***************************
datetime: 2013-12-09 12:22:51
2 rows in set (0.00 sec)
The actual attacker appears to be 184.108.40.206
The two logs that make this apparent:
220.127.116.11 - - [30/Nov/2013:22:22:24 -0500] "GET /blog/explore-ways-grow-hosting-company/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Hostingcon+(HostingCon) HTTP/1.0" 200 9238 "http://www.hostingcon.com/" "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25" "-"
18.104.22.168 - - [30/Nov/2013:22:22:25 -0500] "POST /xmlrpc.php HTTP/1.0" 200 212 "http://www.hostingcon.com/blog/explore-ways-grow-hosting-company/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Hostingcon+(HostingCon)" "PHP/5.2.10"
The user agent change was what first alerted me. The timestamp also coincides with the first time one of our IPs shows up in your log file
From Mat Sumpter
I will speak to my webhost but I can see from looking at my logs that xmlrpc.php has been requested ~80,000 times from IP address 22.214.171.124
I will disable pingbacks and take a look at that WP plugin you suggest in your blogpost
The tool is advertised on
HackForums.net (registration required)
Here is the ad I saw:
Here's the tool's home: Netspoof.com