Avoiding a WordPress XML-RPC attack. How to mitigate it?

This entry was unintended. Thanks to the people who yesterday launched an attack against an up-to-date WordPress. I noticed the attack a few hours after it started, when I saw the server's CPU consumption:


That's the time and consumption of resources.

That is unusual and a clear sign that something is not right, so the next step is to look at the logs and capture some network packets with ngrep, a fantastic tool for real-time packet monitoring. That tells you where the requests are coming from, because you already know the web server is the process eating those resources. I tweeted a screenshot of the attack showing the xmlrpc requests.

xmlrpc requests


What is xmlrpc.php and what is it used for?

WordPress has a pingback feature that lets bloggers link to other people's content, plus a number of other interesting methods. If you have used a mobile app to check comments or publish content, you have used XML-RPC. I am not going to discuss whether this is secure or not (obviously not), and at the end of the post I link to an experimental plugin called secure-xmlrpc that adds an authorization layer. But what does the request/response XML of this multifunctional file look like? Let's see an example that retrieves the user's posts (the parameters are blog id, username and password):

<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getPosts</methodName>
  <params>
    <param>
      <value><i4>1</i4></value>
    </param>
    <param>
      <value><string></string></value>
    </param>
    <param>
      <value><string></string></value>
    </param>
  </params>
</methodCall>

Simple: a method call, the method name and the parameter values inside. xmlrpc.php only accepts POST requests with well-formed XML (a GET is answered with a 405). So far nothing new. The interesting part, from the attacker's perspective, is abusing that behaviour. The screenshot shows a lot of POST requests to xmlrpc.php, and that is exactly what we need in order to start stopping the attack. Let's see how.
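To make the request structure concrete, here is an added example (not code from the post) that builds and dissects XML-RPC bodies with Python's standard xmlrpc.client: it parses the wp.getPosts request shown above, builds a pingback.ping call (the method whose sourceURI the server will fetch, which is how a blog ends up reflecting traffic at someone else), and labels each body the way you would when triaging an ngrep capture. The hostnames, the "admin"/"Password1" pair and the classification rules are assumptions made for the example.

```python
"""Build and dissect WordPress XML-RPC request bodies (added example, not from the post)."""
import xmlrpc.client


def build_call(method, params):
    """Serialise an XML-RPC <methodCall> body the way a client would POST it to xmlrpc.php."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def parse_call(body):
    """Return (methodName, [params]) from a raw XML-RPC request body."""
    params, method = xmlrpc.client.loads(body)
    return method, list(params)


def classify(body):
    """Label a captured body for triage (rules are this example's own assumption).

    'pingback'   -> pingback.ping, the method abused for reflection attacks
                    (the server itself fetches sourceURI)
    'credential' -> any wp.* method; these authenticate with a username/password pair
    'other'      -> everything else (system.*, blogger.*, metaWeblog.*, ...)
    """
    method, _ = parse_call(body)
    if method == "pingback.ping":
        return "pingback"
    if method.startswith("wp."):
        return "credential"
    return "other"


def pingback_urls(body):
    """For pingback.ping return (sourceURI, targetURI), else None."""
    method, params = parse_call(body)
    if method != "pingback.ping" or len(params) != 2:
        return None
    return params[0], params[1]


def login_attempt(body):
    """For the wp.getPosts shape (blog_id, username, password) return (username, password), else None."""
    method, params = parse_call(body)
    if method == "wp.getPosts" and len(params) >= 3:
        return params[1], params[2]
    return None


# The request shown in the post, verbatim (<i4> and <int> are both accepted for integers).
PAGE_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getPosts</methodName>
  <params>
    <param><value><i4>1</i4></value></param>
    <param><value><string></string></value></param>
    <param><value><string></string></value></param>
  </params>
</methodCall>
"""

# Constructed samples; the hostnames and credentials are placeholders, not real data.
PINGBACK_REQUEST = build_call("pingback.ping",
                              ["http://target.example/", "http://blog.example/?p=1"])
BRUTE_REQUEST = build_call("wp.getPosts", [1, "admin", "Password1"])

if __name__ == "__main__":
    for body in (PAGE_REQUEST, PINGBACK_REQUEST, BRUTE_REQUEST):
        print(classify(body), parse_call(body)[0], pingback_urls(body) or login_attempt(body))
```

Because the method name is the first thing in the body, it is the field to pull out of a capture: a flood of pingback.ping calls with the same sourceURI means your server is being used as a reflector, while a flood of wp.* calls with changing passwords is a credential-guessing run against the usernames in the second parameter.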

1. Disable xmlrpc.php

a) Rename the file. The attack does not stop, but every request now gets a 404, so if the attackers were abusing xmlrpc.php to steal your credentials you have achieved something important: they get no credentials. On the other hand your server still spends resources answering every one of those requests, which is bad. That is typically the case when the bad guys are abusing xmlrpc.php (its pingback method) to launch DDoS attacks against some other, more important, target than you.

b) Tell WordPress you don't want the method by unsetting it with a filter in your theme's functions file, wp-content/themes/theme_name/functions.php:

add_filter( 'xmlrpc_methods', function( $methods ) {
   // Remove the pingback method so the server no longer fetches attacker-supplied URLs
   unset( $methods['pingback.ping'] );
   return $methods;
} );

Note that this only removes pingback.ping, which stops the reflection abuse; every other method, including the ones that take a username and password, stays reachable. If you want the whole interface off, WordPress also exposes an xmlrpc_enabled filter for that purpose.

2. Start to ban the zombies

Now that the attackers have probably noticed the change, it is time to tell them they are not welcome. If you are familiar with fail2ban (surely you are) you know you can add jails and filters, so let's define what we want to ban in the filter and apply it. Add a new jail with vim /etc/fail2ban/jail.conf (on a packaged install, put it in jail.local instead so a package upgrade does not overwrite it):

[xmlrpc]
enabled  = true
filter   = xmlrpc
action   = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /some/path/*/to/statistics/logs/access_log
bantime = 43600
maxretry = 1

Change logpath to match yours. That is the jail configuration, but it needs a filter to trigger the iptables action. Let's create and configure it. Remember we have a lot of POST requests to xmlrpc.php? Yes, that is what we need in our regular expression in /etc/fail2ban/filter.d/xmlrpc.conf. Two caveats: the pattern matches every POST to xmlrpc.php, so with maxretry = 1 any legitimate client (a mobile app, for instance) is banned on its first request too; and the iptables action above only blocks port 80, so if the site is also served over HTTPS use iptables-multiport with both ports.

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

That’s it. Restart fail2ban and see the log adding the new jail. In my case after an hour the attack cease. More than 25.000 bodies from some kind of botnet was laying down all over the ciberspace. Become into carrion. Ha-Ha. Next time better luck.

Conclusions

It’s very important to understand how software works, you can abuse it and / or you can help to protect it. This kind of attack is well-known and as i mentioned before you can replace xmlrpc method with this plugin (https://github.com/ericmann/secure-xmlrpc). The solution to disable xml rpc is temporally because you need it for wordpress updates and other commented functionality.

Another important thing: the xmlrpc attack happens even if you run the latest WordPress version with all plugins up to date. It is true that 3.9.2 changed the XML-RPC behaviour, but not completely.

To finish, I have to say ngrep is fantastic and helped me monitor the whole process, like this (append a BPF filter such as port 80 to limit the capture to web traffic):

ngrep -q -W byline "GET|POST HTTP"

UPDATE: A clearer graph of the server going back to normal.

server goes back to normal

Enjoy!





3 comments

  1. TK8

    you can also use an .htaccess rule like

    # Redirect any request for xmlrpc to a non-existent IP
    RewriteEngine On
    RewriteRule ^(.*)xmlrpc(.*)$ http://0.0.0.0/ [R=301,L]

    to block incoming requests and send the traffic to a non-existent IP, removing the stress from your server
