March 13, 2014

On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward.

At issue is the “pingback” function, a feature built into WordPress and plenty of other CMS tools that is designed to notify (or ping) a site that you linked to their content. Unfortunately, like most things useful on the Web, the parasites and lowlifes of the world are turning pingbacks into a feature to be disabled, lest it be used to attack others.

And that is exactly what’s going on. Earlier this week, Web site security firm Sucuri Security warned that it has seen attackers abusing the pingback function built into more than 160,000 WordPress blogs to launch crippling attacks against other sites.

“Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites,” Sucuri’s Daniel Cid wrote. “One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request.”

Bloggers can disable pingback on posts by clicking “Settings” then “Discussion”, and then unchecking the following options if they are checked:

- Attempt to notify any blogs linked to from the article
- Allow link notifications from other blogs (pingbacks and trackbacks)

Unfortunately, Cid said, this only appears to prevent pingbacks on new blog posts and does nothing to disable pingbacks on posts that are already published for which pingback was previously enabled. There is, however, a highly-rated WordPress plugin that disables the pingback functionality.

As Sucuri notes, for the gearheads who don’t trust plugins, one easy way to block your WordPress blog from participating in these attacks is to create your own plugin that incorporates the following code:

// Remove the pingback.ping method from the XML-RPC methods WordPress exposes.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

Sucuri has declined to release the list of WordPress sites that are being used in these attacks, but it has posted an online tool that blog administrators can use to learn if their blogs have shown up in attack logs.

My hosting provider shared with me a list of the WordPress blogs that were used in the attack on this blog. I’m sharing it here to get the attention of WordPress administrators. I realize that some readers will view this as providing a roadmap for attacks, but I’m hopeful that making this information public will decrease the number of blogs that can be used in future such attacks.
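
One way to check access logs from both sides of such an attack, as an added example that is not from the original post or from Sucuri. It assumes combined-format access logs and that WordPress's outbound fetches send a User-Agent of the form WordPress/<version>; <blog URL>; the function names, the threshold and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "user agent".
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumption: WordPress's outbound fetches send "WordPress/<version>; <blog URL>" as User-Agent.
WP_UA = re.compile(r'^WordPress/[\d.]+; (?P<blog>https?://[^\s;]+)')

def parse(lines):
    """Yield the named fields of each well-formed log line; skip malformed ones."""
    for line in lines:
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()

def xmlrpc_posters(lines, threshold=3):
    """A blog's own log: client IPs with at least `threshold` POSTs to xmlrpc.php."""
    hits = Counter(
        e["ip"] for e in parse(lines)
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/xmlrpc.php")
    )
    return {ip: n for ip, n in hits.items() if n >= threshold}

def reflecting_blogs(lines):
    """The targeted site's log: blog URL -> request count, read from WordPress User-Agents."""
    blogs = Counter()
    for e in parse(lines):
        m = WP_UA.match(e["ua"])
        if m:
            blogs[m.group("blog").rstrip("/")] += 1
    return dict(blogs)

# Constructed sample lines (documentation IP ranges and .example hosts, not real traffic).
T = "[12/Mar/2014:10:00:01 +0000]"
BLOG_LOG = [f'203.0.113.7 - - {T} "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"'] * 3 + [
    f'198.51.100.21 - - {T} "POST /xmlrpc.php HTTP/1.1" 200 180 "-" "Mozilla/5.0"',
    f'198.51.100.20 - - {T} "GET /2014/03/hello/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
TARGET_LOG = [
    f'192.0.2.10 - - {T} "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-a.example"',
] * 2 + [
    f'192.0.2.44 - - {T} "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example/"',
    f'198.51.100.20 - - {T} "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("POST sources on the blog:", xmlrpc_posters(BLOG_LOG))
    print("Blogs seen by the target:", reflecting_blogs(TARGET_LOG))
```

The client IPs reported on the blog side are whichever hosts opened the TCP connections, which may themselves be proxies.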

The guys over at OpenDNS have more raw data on these attacks in a blog post that’s worth a read.


52 thoughts on “Blogs of War: Don’t Be Cannon Fodder”

  1. JM

    Curious as to how they got those IPs, since there’s a number of RFC1918 addresses in your list…

    1. Articulus Rex

      If I had to guess, I’d say that Brian’s hosting provider is hosting the WP sites that have the RFC1918s.

  2. Canuck

    Another way to disable xmlrpc can be found here:

    wpengineer.com/2484/xml-rpc-enabled-by-default-in-wordpress-3-5/

  3. Ed Hamilton

    Thanks. I had read about this but didn’t know how it affected me or what to do about it.
    They didn’t use me to get you. I’ll disable pingbacks tonight or tomorrow.

  4. boondox

    Interesting list.

    There’s one (ISC)2 chapter website on it, with one CEH chapter page. Lots of other Security Consultants, too.

    Plus, what would the Internet be without porn?

    1. Infosec Geek

      Also, the Israel Internet Association.

      More bleeding edge stuff from BK, as usual.

  5. Nate

    Was this blog used to attack any other sites or did you already have pingbacks disabled?

  6. Jon

    Can you say when the attack started? Several actors are claiming it, and given the evidence that someone is weaponizing blogs, if I can rule out certain groups, then I can focus my assets to gather better indicators and warnings for my company.
    I would greatly appreciate the time hacks.
    Peace

  7. TheOreganoRouter.onion.it

    That might explain the “Error establishing a database connection” I was seeing yesterday

  8. Caleb

    “Securi has declined to release the list of WordPress sites that are being used in these attacks, but it has posted an online tool that blog administrators can use to learn if their blogs have shown up in attack logs.”

    I just figured I would let you know you spelled Sucuri in this paragraph and used an e instead of a u.

    1. Shawn

      As a professional courtesy you should email authors of articles if there is a typo and not advertise it in a comment. Brian makes his email address available to you. Nobody is perfect and pointing out an innocent typo in front of the world isn’t polite. I’m sure you would not like someone standing you on the 50yd line of the NFL playoffs with a spotlight and telling you that you screwed up. If you had an email listed, I would have emailed you too instead.

      1. Caleb

        Shawn,

        I didn’t even think of that… thanks for reminding me about that for the future. Sorry if I offended anyone.

        Cheers,
        Caleb

  9. Wintermute

    Thanks for this post. My blog wasn’t used in the DDoS, but I did have pingback enabled. Taken care of now, though 🙂

  10. Mark

    My blog was used against you (according to your list, and I believe it), and I’ve since changed those settings and turned off pingback for all previous posts and pages by editing the rows in the database directly. (Discussed here: http://wordpress.org/support/topic/globally-disable-pingback-and-trackback)

    I had been seeing a few “SERVER-WEBAPP xmlrpc.php post attempt” log entries in my Snort logs lately, but wasn’t quite sure what was going on, since I don’t have full packet capture running on my network, and I don’t capture POST data in my Apache logs.

    You quoted Daniel Cid as saying “One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request.” — this is accurate in so far as you (the attacked) can’t see who the actor is, since the “attackers” generating traffic in your logs are legitimate blogs who don’t intend to do you harm. However, as a legitimate blog who was doing you harm (unintentionally), I *can* see where those requests are coming from, since the real attacker has to POST to my site over HTTP via TCP in order to reflect the attack toward you. That can’t be spoofed. If you’re interested in my Apache and/or Snort logs from the time of the attack, I would be more than happy to provide them. They may just lead you back to a member of a botnet, but, then again, they may not.

    I don’t really have the resources to hunt down these kinds of leads, alone, but you might have some luck if you can aggregate some logs from several of the blogs used in the attack against you.

    Keep fighting the good fight, Brian. We all appreciate it.

    1. ogginok

      Mark: all it takes is proxying the http posts and you can’t see diddlysquat…

    1. Robert

      Thanks for the WP tutorial. The bulk edit was what I needed for the older posts!

  11. Wladimir Palant

    That’s an interesting twist. If I understand correctly, the attackers faked a pingback request coming from your blog. In order to verify that the pingback request is valid the vulnerable WordPress blogs then tried to download your blog article.

    I can see why this attack was chosen as opposed to DNS or NTP amplification – these amplification attacks are trivially blocked on the firewall level and won’t reach your blog. Still, “hidden in the shadows” is an exaggeration. This attack uses TCP which means that the source address cannot be faked and will be visible in the logs of the WordPress instances used in the attack.

    Did you try to reach the administrators for some of these blogs? They should be able to look up the IP address of the real attacker in their logs. Even if it is some proxy, the chain can simply be followed further. It should be very hard to hide your traces with this kind of attack.

    1. Neej

      Eh?

      Perhaps I’m missing something (quite possible in my case) but why can’t the attacker just use a relatively untraceable proxy in this situation such as open public proxy servers, Tor or hijacked PC proxy?

      1. Wladimir Palant

        Most regular proxies have logs. Usually they aren’t meant to allow anonymous access but have been simply misconfigured. So in case of a criminal offense committed through that proxy these logs can be requested.

        Tor is a different thing of course but its throughput is simply too low to launch a significant attack, even with the help of thousands of WordPress instances.

        As to hijacked PCs – somebody who has access to a botnet doesn’t need help from WordPress, it’s easier to launch the attack directly from these PCs.

    2. The Big C

      … it would be very hard …

      No, actually, it wouldn’t be hard at all. TOR anyone?

      Sorry, I don’t mean to poop in the corn flakes, but it doesn’t get any easier than the Tor browser bundle.

      1. Wladimir Palant

        Feel free to read my response right above yours. This kind of attack doesn’t provide much amplification and you would need to bring up significant bandwidth on your end – something that is hardly possible when using Tor.

  12. Evgueni

    Aha!.. Now it makes sense… the attackers called their attack method “SDoS”. So I guess the “S” stands for “Social Media”.

  13. grayslady

    Thanks for the information. I have almost always disabled pingbacks on my WordPress blog just because I find them a nuisance. Now I have another reason to do so. My blog was not on the list, but I didn’t expect it to be given that I usually turn off the pingback feature.

  14. Katrina Lowe

    Thanks for the info!

    Our website runs on WordPress as well, and we didn’t know about this issue. Going to look into installing those plug-ins ASAP.

  15. Ahazuarus

    Wow, I might have missed this on my own site. Thanks for the heads up!

  16. Si

    These settings were not ticked by default on my install.

    Also JM is right, why’s your ISP allowing RFC1918 addresses (private addresses) to route your site?

  17. Saint Aardvark the Carpeted

    Thanks for posting this. I’ve disabled XMLRPC on the personal sites I administer. A number of sites from the university where I work are in your list, and I’ve contacted our security officer about this.

    A couple of things for fellow sysadmins: the plugin listed above (https://wordpress.org/plugins/disable-xml-rpc/) is about the simplest possible wrapper around the code sample from Sucuri, and I don’t think there’s any reason to be wary of it. I’ve installed it on my personal sites without problems, and I’ll be doing so at work as well. Second, have a look at wp-cli (http://wp-cli.org); it’s a command-line utility for Linux/Unix servers to manage WordPress installations, including installing and activating plugins like this. I’m always a little nervous when installation instructions say “Here, wget this binary!”…but the code is up on GitHub, and I’ve used it on my personal sites without problems. I’ll be evaluating it more closely for work.

  18. Bob

    So why does WordPress incorporate a feature that can be harmful? What about if some of the pingbacks were genuine? You are effectively proposing to stop pingbacks.

    Furthermore, I do not understand how you got pingbacks from so many websites unless they wrote an article that links to your blog. Were all those websites compromised to include a link to your blog?

    1. timeless

      People rarely design features intending for them to be harmful. Unfortunately, they also rarely consider all possible abuses.

      Pingbacks were designed as a way to allow bloggers to have conversations spanning blogs.

      Instead of me allowing anyone to comment on my blog, I could require them to post their opinions on their own blog and pingback to my blog entry.

      The design meant that I didn’t have to curate my blog (this has been and still is a problem).

      It also meant that any links in their opinions wouldn’t earn the link weight from my blog.

      * I never used WordPress. Brian’s blog has a much higher page rank than mine.

      This design actually exists today in Twitter. Both Facebook and Google+ also support it (you have to disable comments to encourage it, just like with WordPress).

      Unfortunately, the implementation has various flaws.

      Magnification attacks (where the attacker sends a small/ cheap packet to one party and the victim is required to reply with expensive / larger packets) are not one of the early considerations when designing for security or even designing protocols. There’s a general assumption that a response will be larger than a request. I’m not even sure how much research has been done in this area. Most of it is under a category “Proof of Work” which has been proposed for fixing email spam and is also used in BitCoin **.

      ** While BitCoin may be mostly a Ponzi scheme, some of the ideas behind its design are actually useful.

    2. Maureen

      I can see why they would provide the feature, as it is valuable in networking across blogs and subjects, but I wish platforms would make you choose features rather than have them enabled by default and you have to go disable the feature. I have a couple of wordpress blogs I abandoned long ago (insert long and boring story of lost passwords, changed emails, etc.), and I never used the pingback. Thankfully, I don’t see them on that list, but to think that a feature I didn’t choose to use can use my blog to attack others…so so sad.

  19. Matt Stratton

    I’ve disabled the issue on my site that was showing up in the logs (dev.arresteddevops.com), and the last timestamp in your logs is 3/9.

    Problem is, everyone is searching this tool and “telling” us we are infected, even though we’ve fixed it. Maybe something could be added to point out that just because a site shows up here, the important thing is to look at the last date in the logs?

    Thanks for the help though. So useful and embarrassing at the same time.

  20. Panix

    I’m wondering the scope of this problem.

    Can this only be used to ddos other wordpress sites? Does the victim have to be running httpd?

    1. Wladimir Palant

      No, one should be able to attack any website this way. It might even be possible to run the attack on non-HTTP ports but it really depends on what is running there.

  21. Panix

    I’m wondering the scope of this problem.

    Does the victim have to be wordpress or can this be used against anyone?

  22. JB

    Looks like the New Yorker subscription website got hacked. They sent out an email recommending users change their passwords — as well as on any other site where that same password is used. I can forward you their email if you provide an address.

  23. Andrew

    Intriguing article. However, this part puzzles me:

    ” . . . this only appears to prevent pingbacks on new blog posts and does nothing to disable pingbacks on posts that are already published for which pingback was previously enabled. There is, however, a highly-rated WordPress plugin that disables the pingback functionality.”

    Perhaps I’m not understanding the problem fully. But can’t I go into Posts -> All Posts, and then select all my posts with the first/topmost checkbox, and then using the “Edit” option under the “Bulk Actions” menu, just turn off the Pingbacks on my previously published posts by changing the ping setting to “Do Not Allow”?

    Or is that a different feature entirely (e.g. outbound vs. inbound)?

  24. Russ

    Doesn’t look like mine or my friends’ (who I host) WordPress installs were used against you, but I have gone ahead and changed the settings to prevent them from being used.

    Side note – nice meeting you at the VeriFone event. Lots of good information! Thanks!

  25. AlphaCentauri

    I’m not completely clear how this is done. Do the attackers have to post a comment with a link to your site to do this? How many times does a WordPress site send a pingback when there is a link posted? Do the attackers have to post thousands of near-simultaneous comments with links to make this work?

    I don’t see any WordPress sites I know of on the list, but they all require comments to be moderated before being posted, and some don’t permit live links at all. Is that sufficient to prevent pingbacks from being exploited for use in a DDoS?

  26. S Scott

    Anyone have any ideas about what percentage of total internet traffic is actually legit?

    1. IA Eng

      I’d say 5-10 percent on days when there is little to no “epic events” unfolding. The trends tend to send the internet into a tailspin and the criminals simply amp up efforts to create more hate and discontent.

      5-10% legit of everything; with the amount of potential spam daily, and adding in that some electronic devices in the home may be trying to phone home or spew spam, and all the infected PCs known or unknown that are doing the same. It’s definitely jacked up.

  27. Ikari

    Huh. Our WP site isn’t even live yet, but I’ve made the change to disable the function. Thanks for the tip.
