WordPress: Another Avenue for Indirect Denial of Service


After the disclosure of a recent Denial of Service (DoS) tactic involving legitimate websites using WordPress, Symantec MSS has been applying additional scrutiny to customers that may have been involved. According to a blog post from Sucuri, “a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect source amplification vectors” has been uncovered in the wild. We’ve discovered continuing attempts by attackers to leverage a legitimate feature called “pingback” found in many WordPress configurations in our customer environments.

While the concept of “pingback” abuse isn’t new, the scale of this most recent episode is larger than previously seen. All impacted MSS customers have been notified of this activity. This blog entry aims to highlight the issue of innocuous application features being abused by attackers from the perspective of Managed Security Services.


What is WordPress?

WordPress is a popular, open source Content Management System (CMS) in use by millions of websites and blogs. Its versatile and extensible nature as well as zero cost make it a widely deployed solution for businesses and individuals alike. It is powered primarily by PHP and MySQL, relying on any number of standard web servers (IIS, Apache, Nginx, etc.) and operating systems.

Since its inception, WordPress has been a common target for attackers due to its relative complexity and its use of third-party themes and plugins, which are often vulnerable to web-based attacks.


What is a pingback?

From WordPress Support: “A pingback is a type of comment that’s created when you link to another blog post where pingbacks are enabled. The best way to think about pingbacks is as remote comments:

  • Person A posts something on his blog.
  • Person B posts on her own blog, linking to Person A’s post. This automatically sends a pingback to Person A when both have pingback enabled blogs.
  • Person A’s blog receives the pingback, then automatically goes to Person B’s post to confirm that the pingback did, in fact, originate there.”

From a malicious perspective, the “pingback” mechanism allows attackers to relay requests off of legitimate WordPress websites to victim destinations of their choice. To accomplish this task, no user, root, or other access is required to intermediary sites. The vast majority of the WordPress sites observed forwarding this traffic are not compromised or otherwise insecure (beyond processing crafted pingback requests). This activity is allowed in current, up to date versions of WordPress.


Technical Details and Analysis:

WordPress implements an XML-RPC API function that is responsible for pingbacks. When invoked, this function will send a request to the site to which the attacker would like to send a "pingback". By default, this feature is enabled in all WordPress installs.

The initial pingback request is sent as an HTTP POST to the /xmlrpc.php file on an intermediary website. Contained within this POST is a "pingback.ping" request followed by the victim URL.

At this point, intermediary WordPress sites that support pingbacks will "relay" this request to the victim site by forming an HTTP GET request. This GET request will appear as "/?2043286=9492803" (a random pair of 7-digit numbers) toward the victim website. This style of request forces a full page reload by bypassing any cache, which can prove detrimental to the victim site (leading to a DoS condition).
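As an added example that is not part of the original post, the following Python script flags the relay pattern described above in a victim site's web-server access log and counts suspected hits per source IP and per intermediary site. The log lines are constructed, and the User-Agent layout ("WordPress/<version>; <site url>; ...") used to name the intermediary is an assumption, not something the post states.

```python
import re
from collections import Counter

# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:14:02:11 +0000] "GET /?2043286=9492803 HTTP/1.0" 200 51234 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Mar/2014:14:02:11 +0000] "GET /?7710932=1183746 HTTP/1.0" 200 51234 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Mar/2014:14:02:12 +0000] "GET /?5564120=3321087 HTTP/1.0" 200 51234 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 198.51.100.7"
198.51.100.20 - - [10/Mar/2014:14:02:13 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2014:14:02:14 +0000] "GET /?p=123 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Cache-busting pattern described in the post: "/?<7 digits>=<7 digits>".
PINGBACK_QUERY_RE = re.compile(r'^/\?\d{7}=\d{7}$')

# Assumed UA layout for pingback verification requests; used only for attribution.
UA_SITE_RE = re.compile(r'^WordPress/[\d.]+; ([^;\s]+)')


def is_pingback_relay(method, path):
    """True when the request matches the relayed-pingback GET signature."""
    return method == "GET" and bool(PINGBACK_QUERY_RE.match(path))


def summarize(log_text):
    """Count suspected relay hits per source IP and per intermediary site.

    Returns (by_ip, by_site); sites that cannot be read from the UA are
    grouped under "unknown".
    """
    by_ip, by_site = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_pingback_relay(m["method"], m["path"]):
            continue
        by_ip[m["ip"]] += 1
        ua_m = UA_SITE_RE.match(m["ua"])
        by_site[ua_m.group(1) if ua_m else "unknown"] += 1
    return by_ip, by_site


if __name__ == "__main__":
    ips, sites = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip}: {n} suspected pingback relay request(s)")
    for site, n in sites.most_common():
        print(f"intermediary {site}: {n}")
```

Counting by intermediary site gives a list of owners to notify, which is the action the post describes MSS taking with its affected customers.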

A quick search for "xmlrpc.php" on Shodan or some creative Google hacks will yield numerous WordPress sites able to be used as intermediaries for this activity.


Example single host traffic pattern (outbound):

The following is an average example of malicious outbound pingbacks that Symantec MSS has observed from a single customer’s WordPress site. The server in question is being used by malicious third parties to participate in a denial of service attack. While the traffic quantity in this example is not extreme enough to significantly impact this intermediary site, it poses a liability to its owners.

[Figure: pingback_graph.jpg, outbound pingback traffic observed from a single customer WordPress site]


MSS detection:

  • [MSS URL Detection] Potential WordPress Pingback DDoS activity (outbound)


Recommendations:

  • While originally intended as a legitimate feature, the “pingback” functionality in WordPress can be disabled to prevent this DoS activity. The WordPress support page describes several methods for doing this.
  • Check the Sucuri “Is my WordPress Site DDOS'ing others?” tool for the presence of any WordPress powered websites in your environment. This tool contains a collection of logs from a live sample of “pingback” DDoS traffic.


References:

  • Sucuri Blog: “More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack” – March 10, 2014
  • Incapsula Blog: “WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks” – April 30, 2013
  • WordPress.com / WordPress.org
