O hai let me wanna-be!

Wednesday, 24 September, Year 6 d.Tr. | Author: Mircea Popescu

Being as I am the realisation of their idealized image of the self as well as the icon of the father they always wanted but never had plus that beloved older brother they had a nonsexual crush on, of course I'd hear from each and every wanna-be kid on the Internet. The self-avowed hacker, the grandiose expert, the pro-professional, the many plurious things a recent birth with no power, no knowledge and no importance tends to vacuously ascribe himself.

Without even going into the piles and layers accumulated back while I was writing in Romanian, and without bothering to notice that Jeff Berwick is still working on something better than "I just read the story I made up on your blog and it doesn't sound as convincing as I thought it did", let's have some quick examples : O hai let me verify your identity! ; O hai. I was justing doing a penetration test of your site. ; MIRCEA POPESCU IS AN ASSHOLE! etc etc etc.

So then it comes as no surprise that :

kakobrekla: Pasted per request; http://dpaste.com/0DQZB8W.txt [i]
mircea_popescu: So was BitBet actually down ?

kakobrekla: Well BitBet was sort of down and assbot suffered the most.
Apocalyptic: Hard to tell if guy was serious or trolling.
kakobrekla: I dont know, I saw 'low orbit ion cannons cannons' and got scared.
mircea_popescu: Apocalyptic that's the new generation. Sorta half-ass doing things and being "ironic" about them at the same time as a sort of multi-hedged insurance against the scary world. Can't say he's not tried. Can't say he's really tried, either. Can't say he's a faggot, not really, can't say anything. Aderpynymous!

kakobrekla: Imagine cannons shooting out whole cannons
* kakobrekla runs in the basement to hide.

[after a break]

mircea_popescu: You know your secret agent reddit/4chan guy tried to "ddos" Trilema earlier too. He... failed. "Number of simultaneously running php and cgi scripts, as well as cron jobs and shell sessions: 65724(max)." That's not SO BAD is it ?

Turns out the logs on Trilema actually had a story to tell. It goes like this :

54.215.115.74 - - [24/Sep/2014:02:34:37 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/3.9; http://ec2-54-215-115-74.us-west-1.compute.amazonaws.com; verifying pingback from 43.254.40.25"

The complete file weighs in at 25 MB. That's 183`902 lines' worth of (served!) requests for Trilema pages, sent by various WordPress blog installations. 95`651 of them carry "verifying pingback from 43.254.40.25" in the User-Agent string, 3`731 name a different IP [ii], and the rest omit the source. [iii] All of this happened from 02:34:37 -0400 to about 02:55, with a few stragglers all the way to 03:00.

Obviously this is not what "LOIC" means. Nevertheless, it's a perfectly usable reflected DDoS: the attacker POSTs a pingback.ping call to each blog's xmlrpc.php claiming that a Trilema page links to that blog, and every blog dutifully fetches the Trilema page to "verify" the link. All you need is a host that'll let you send the XML-RPC calls, WordPress is dumb enough to do the rest, and now that you have the list...
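The counts in the preceding paragraphs can be reproduced from the raw log. What follows is an added example written for this edit, not code from the post or from WordPress: a Python parser for combined-format lines like the one shown above that picks out WordPress pingback-verification fetches by their User-Agent, tallies the "verifying pingback from" addresses (the REMOTE_ADDR each reflector saw on its own xmlrpc.php, i.e. where the attack was driven from), lists the blogs used as reflectors, and works out the window and request rate. The sample lines at the bottom are constructed to resemble the excerpt; only the first is copied from the post, the other addresses and blog names are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log line, the format of the excerpts in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress uses when it fetches the alleged source page of a
# pingback. The "verifying pingback from <ip>" suffix is the REMOTE_ADDR of
# whoever POSTed pingback.ping to the reflector's xmlrpc.php, i.e. the box
# driving the attack; older WordPress versions omit the suffix entirely.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<blog>[^;]+)'
    r'(?:; verifying pingback from (?P<origin>\S+))?$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    ua = PINGBACK_UA_RE.match(rec["ua"])
    rec["pingback"] = ua is not None
    rec["blog"] = ua.group("blog") if ua else None
    rec["origin"] = ua.group("origin") if ua else None   # None on old WP
    return rec


def analyze(lines):
    """Summarise pingback-verification traffic the way the post does: how
    many such requests, which origin addresses the reflectors report, which
    blogs acted as reflectors, and over what window at what rate."""
    recs = [r for r in map(parse_line, lines) if r]
    pb = [r for r in recs if r["pingback"]]
    by_origin = Counter(r["origin"] or "(none)" for r in pb)
    reflectors = sorted({r["blog"] for r in pb})
    if pb:
        first = min(r["ts"] for r in pb)
        last = max(r["ts"] for r in pb)
        seconds = (last - first).total_seconds()
    else:
        first = last = None
        seconds = 0.0
    return {
        "total": len(recs),
        "pingback_requests": len(pb),
        "by_origin": by_origin,
        "reflectors": reflectors,
        "first": first,
        "last": last,
        "rate_per_s": len(pb) / seconds if seconds > 0 else float(len(pb)),
    }


# Constructed sample, not the real 25 MB file: the first line is the one
# quoted in the post, the rest use documentation-range addresses.
SAMPLE_LOG = """\
54.215.115.74 - - [24/Sep/2014:02:34:37 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/3.9; http://ec2-54-215-115-74.us-west-1.compute.amazonaws.com; verifying pingback from 43.254.40.25"
198.51.100.7 - - [24/Sep/2014:02:34:38 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/4.0; http://blog-a.example; verifying pingback from 43.254.40.25"
198.51.100.7 - - [24/Sep/2014:02:34:39 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/4.0; http://blog-a.example; verifying pingback from 43.254.40.25"
203.0.113.9 - - [24/Sep/2014:02:34:40 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/3.0.4; http://blog-b.example"
203.0.113.10 - - [24/Sep/2014:02:34:57 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/3.9.2; http://blog-c.example; verifying pingback from 10.0.3.1"
192.0.2.44 - - [24/Sep/2014:02:35:01 -0400] "GET /2014/some-post/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
"""

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real access log with `analyze(open("access.log"))`; the `reflectors` list is the set of blogs to notify, and the `by_origin` counts are what an abuse report to the network owning the origin address should cite. Private addresses showing up as origins (as many do in the footnotes) mean the reflector sits behind a NAT or load balancer and reported its internal REMOTE_ADDR rather than the attacker's.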

Enjoy. Or fix it, whatever, I don't care.

UPDATE, September 28th : Failure breeds insistence in the narcissistically wounded, so here we are again, doing the same thing only bigger this time. <sarcasm>Because that totally works, if you fail it's not time to try a new tack, it's time to try harder. The time to try a new tack is when you succeed. </sarcasm>

The splendiferous haxxor at that difficult age doesn't think the foregoing should apply to him, of course, because he thinks he should get a say in what applies to him and what doesn't, because that's democraticfairnormalrapetriggersomgbbq or whatever [iv], and so here we are.

This time there's a grand total of 2`211`833 lines, more than ten times the size of the previous attempt. The complete list is here. Of some interest are the first five lines,

50.62.208.39 - - [28/Sep/2014:02:35:39 -0400] "HEAD /2014/today-is-the-international-day-of-remembering-how-mirce$
50.62.208.39 - - [28/Sep/2014:02:35:40 -0400] "HEAD /2013/the-greatest-smartphone-app/#comment-91767 HTTP/1.0" 40$
50.62.208.39 - - [28/Sep/2014:02:50:36 -0400] "HEAD /2014/today-is-the-international-day-of-remembering-how-mirce$
50.62.208.39 - - [28/Sep/2014:02:50:37 -0400] "HEAD /2013/the-greatest-smartphone-app/#comment-91767 HTTP/1.0" 40$
97.88.208.209 - - [28/Sep/2014:02:51:37 -0400] "GET / HTTP/1.0" 500 - "-" "WordPress/3.0.4; http://diehoch.net"
54.201.25.164 - - [28/Sep/2014:02:51:37 -0400] "GET / HTTP/1.0" 500 - "-" "WordPress/3.9.2; http://54.201.25.164;$
107.170.18.6 - - [28/Sep/2014:02:51:37 -0400] "GET / HTTP/1.0" 500 - "-" "WordPress/4.0; http://authenticorepilat$

Obviously 50.62.208.39 knew what was about to happen seconds before it actually did. It's an abused GoDaddy IP (GoDaddy has, of course, been notified, and of course still sucks). The list of originating IPs (the addresses WordPress reports in its User-Agent after "verifying pingback from") is significantly shorter than last time. [v] This, coupled with the pathetic appeals to mercy proffered by the "hacker", with the significant increase in the list of abused blogs and with the frequent repeats, suggests perhaps that she's running out of resources. Which is fine, and the first step towards embracing the slavery that'll perhaps spit her out on the other side a complete being.

Good luck, Britni!

PS. If you don't understand why this article figures in your pingback list, while your link isn't in here : it's because your blog has been abused to try and DDOS this blog, as you can verify by searching for your name in the attached gzips. Please consider hardening your WordPress installation so that this can't be repeated in the future - as it currently stands I am immune to this because I am rich and powerful, but most bloggers out there are neither rich nor powerful and who knows how many you've squished so far, unknowingly ?

———
  1. ~fccccck@184.75.212.202

    **** BEGIN LOGGING AT Wed Sep 24 13:54:47 2014

    [13:54:47] fccccck hellllllllllo
    [13:55:19] kakobrekla hi?
    [13:55:29] fccccck we are reddit police
    [13:55:44] kakobrekla who is we
    [13:56:05] fccccck subreddit you dont know because admins keep shadowbanning us
    [13:56:13] fccccck you spam reddit, this is your punishment! muahuahua
    [13:56:30] kakobrekla i spam?
    [13:56:45] * kakobrekla does not have a reddit handle.
    [13:56:59] fccccck yes you spam
    [13:56:59] fccccck http://trilema.com/2014/spamming-reddit-an-experiment/
    [13:57:10] kakobrekla i am not mircea btw.
    [13:57:27] fccccck oh
    [13:57:33] fccccck you are Anon?
    [13:57:50] kakobrekla i am http://bitcoin-otc.com/viewratingdetail.php?nick=kakobrekla
    [13:58:25] fccccck our expert secret agents well versed in /b/tarding have pointed LOIC cannons filled with cumboxes and declare WAR!
    [13:58:38] kakobrekla ok
    [13:58:47] fccccck you are impostor and scammer, website says
    [13:59:04] kakobrekla and you are doing the world a favour.
    [13:59:46] fccccck yes. anyway i am watching you mitigate if you want to try
    [14:00:06] kakobrekla k

    **** BEGIN LOGGING AT Wed Sep 24 14:08:32 2014
    [14:08:32] fccccck your nginx is still down?
    [14:08:47] fccccck wai

    **** BEGIN LOGGING AT Wed Sep 24 14:27:34 2014
    [14:27:34] fccccck Hetzner has good DDoS protection, but we have well lubricated cumboxes that will pierce the firewall
    [14:30:25] fccccck I mean, layer 4.


  2. Specifically :

    12,"10.0.0.1"; 8,"10.0.11.193"; 11,"10.0.113.35"; 3,"10.0.1.4"; 4,"10.0.3.1"; 9,"10.10.0.113"; 2,"10.100.1.3"; 12,"10.1.0.1"; 3,"10.101.101.245"; 10,"10.105.101.162"; 12,"10.105.102.41"; 14,"10.111.204.2"; 15,"10.1.1.61"; 19,"10.142.191.108"; 11,"10.143.0.53"; 16,"10.147.146.230"; 11,"10.15.128.202"; 12,"10.156.250.9"; 14,"10.158.4.2"; 8,"10.160.234.201"; 9,"10.160.234.253"; 28,"10.16.56.199"; 10,"10.167.12.44"; 6,"10.172.74.53"; 10,"10.179.226.90"; 18,"10.183.186.158"; 19,"10.183.248.250"; 4,"10.183.248.252"; 1,"10.183.250.134"; 3,"10.183.251.1"; 11,"10.189.245.5"; 3,"10.189.246.4"; 5,"10.189.254.10"; 6,"10.189.254.5"; 16,"10.189.254.6"; 3,"10.190.254.11"; 4,"10.190.254.5"; 7,"10.190.254.7"; 10,"10.192.16.32"; 15,"10.196.113.4"; 13,"10.206.27.57"; 10,"10.21.10.9"; 5,"10.2.130.253"; 12,"10.217.161.3"; 19,"10.225.175.112"; 4,"10.2.2.6"; 10,"10.227.1.193"; 6,"10.229.75.99"; 12,"10.2.3.1"; 8,"10.231.20.96"; 22,"10.234.6.182"; 13,"10.236.168.50"; 24,"10.240.107.42"; 19,"10.245.0.1"; 18,"10.245.0.155"; 15,"10.247.6.76"; 17,"10.248.36.182"; 9,"10.250.250.1"; 7,"10.252.35.3"; 19,"10.252.67.67"; 11,"10.27.0.6"; 8,"10.28.41.106"; 17,"10.29.42.15"; 23,"10.3.1.1"; 12,"10.43.101.70"; 11,"10.43.148.58"; 15,"10.4.56.19"; 16,"10.50.101.190"; 21,"10.52.1.254"; 10,"10.70.11.13"; 8,"10.70.11.3"; 9,"10.73.131.91"; 5,"10.75.1.13"; 1,"108.162.218.89"; 1,"108.162.219.245"; 1,"108.162.237.79"; 1,"108.162.245.154"; 1,"108.162.249.215"; 9,"108.61.47.194"; 10,"10.86.7.254"; 37,"10.89.140.154"; 4,"10.9.160.24"; 2,"10.9.160.25"; 2,"10.9.160.26"; 2,"10.9.160.27"; 1,"10.9.160.29"; 1,"10.9.160.30"; 1,"10.9.160.31"; 5,"10.9.160.32"; 2,"10.9.160.33"; 15,"10.97.50.153"; 10,"12.133.118.20"; 1486,"127.0.0.1"; 6,"127.0.0.3"; 4,"140.112.202.148"; 1,"141.101.98.99"; 6,"144.76.98.212"; 18,"154.35.133.34"; 1,"162.220.112.18"; 14,"163.245.1.248"; 5,"165.137.226.135"; 10,"169.254.11.253"; 1,"172.16.0.2"; 9,"172.16.15.1"; 11,"172.16.1.80"; 42,"172.16.24.1"; 17,"172.17.0.2"; 9,"172.17.0.5"; 
12,"172.17.42.1"; 5,"172.20.1.10"; 15,"172.23.4.254"; 11,"172.24.0.4"; 4,"172.31.0.170"; 3,"172.31.10.72"; 10,"172.31.13.59"; 11,"172.31.14.52"; 11,"172.31.14.75"; 13,"172.31.19.65"; 14,"172.31.20.19"; 8,"172.31.22.250"; 13,"172.31.23.169"; 11,"172.31.23.20"; 15,"172.31.25.67"; 11,"172.31.26.199"; 10,"172.31.28.196"; 15,"172.31.30.125"; 13,"172.31.37.98"; 15,"172.31.41.85"; 13,"172.31.43.254"; 16,"172.31.46.209"; 8,"172.31.47.203"; 8,"172.31.7.127"; 9,"173.208.201.141"; 10,"173.214.170.179"; 1,"173.245.48.120"; 1,"173.245.55.64"; 9,"176.9.120.132"; 40,"178.63.135.0"; 12,"181.224.154.199"; 9,"187.33.232.18"; 11,"188.132.158.129"; 16,"188.225.33.130"; 29,"192.163.204.49"; 10,"192.163.246.206"; 10,"192.168.0.1"; 8,"192.168.0.4"; 13,"192.168.0.96"; 10,"192.168.1.1"; 11,"192.168.1.100"; 5,"192.168.1.2"; 9,"192.168.1.31"; 5,"192.168.160.41"; 20,"192.168.2.102"; 7,"192.168.213.3"; 8,"192.168.4.66"; 10,"192.168.49.200"; 9,"192.168.50.254"; 6,"192.168.5.240"; 28,"192.168.57.1"; 21,"192.168.7.8"; 14,"192.168.9.4"; 17,"192.169.20.1"; 11,"192.241.202.92"; 20,"192.76.138.201"; 7,"194.5.108.254"; 6,"194.58.40.120"; 15,"194.58.61.100"; 17,"194.58.93.43"; 30,"198.1.124.229"; 15,"198.57.176.232"; 3,"199.184.149.2"; 4,"199.184.149.3"; 3,"199.184.149.4"; 5,"199.184.149.5"; 1,"199.27.133.67"; 1,"199.27.133.71"; 14,"199.59.160.140"; 15,"205.147.111.7"; 20,"207.210.203.66"; 13,"207.67.4.254"; 13,"212.25.8.164"; 8,"212.68.57.222"; 8,"216.121.53.151"; 2,"30.0.0.97"; 9,"30.176.171.13"; 4,"31.20.2.238"; 3,"46.38.178.10"; 7,"50.7.64.146"; 11,"5.172.196.65"; 11,"5.45.111.30"; 12,"5.9.211.108"; 12,"62.75.232.242"; 1,"64.22.103.188"; 13,"66.11.132.73"; 8,"69.10.51.45"; 9,"69.59.187.219"; 71,"77.232.66.255"; 18,"77.92.141.208"; 12,"81.38.109.100"; 12,"82.221.39.11"; 13,"82.94.169.36"; 11,"85.235.174.162"; 15,"91.208.40.20"; 5,"91.228.152.9"; 20,""::ffff:43.254.40.25"


  3. APNIC reports 43.254.40.* owned by PEL-IN, who supposedly is "uniquely positioned to provide Spamfree". I've notified them, seems somehow magically 100k+ fake pingback notifications managed to flow out of their network at the rate of >100 a second. Nothing suspicious there at all whatsoever, amirite.
  4. And then, in a stroke reminiscent of matters discussed over at Cel mai adevarat in gangsta rap, ends up being the one in need of favours. Ain't it funny how the world teenagers dream of actually works ?
  5. Specifically,

    1 from ::ffff:142.0.44.50 ; 2 from 188.226.244.159 ; 3 from 64.79.64.162 ; 22 from 10.183.250.134 ; 32 from 192.168.160.41 ; 33 from 10.190.254.11 ; 65 from 10.231.20.96 ; 80 from 82.94.169.36 ; 108 from 10.245.0.1 ; 120 from 10.189.254.5 ; 125 from 172.17.42.1 ; 127 from 194.58.61.100 ; 132 from 10.10.0.113 ; 134 from 10.247.6.76 ; 135 from 176.9.120.132 ; 135 from 212.25.8.164 ; 137 from 172.31.14.75 ; 146 from 10.189.246.5 ; 146 from 5.172.196.65 ; 166 from 10.183.251.1 ; 227 from 10.1.1.60 ; 237 from 172.16.1.80 ; 240 from 62.75.232.242 ; 244 from 172.31.20.19 ; 245 from 207.67.4.254 ; 248 from 10.158.4.2 ; 252 from 10.111.204.2 ; 253 from 10.214.31.8 ; 261 from 10.2.3.1 ; 264 from 10.28.41.106 ; 316 from 181.224.154.199 ; 370 from 10.0.11.193 ; 509 from 10.1.0.1 ; 621 from 172.16.24.1 ; 621 from 192.168.49.200 ; 643 from 10.167.12.44 ; 980 from 10.0.3.1 ; 1454 from 192.168.4.66 ; 1498 from 82.221.39.11 ; 1743 from 207.210.203.66 ; 2125 from : ; 2207 from 10.240.107.42 ; 2897 from 205.147.111.7 ; 4158 from 194.58.93.43 ; 4397 from 10.29.42.15 ; 5080 from 77.232.66.255 ; 5892 from ::ffff:192.187.118.162 ; 24925 from 127.0.0.1 ; 397748 from 142.0.44.50 ; 706747 from 192.187.118.162.


Category: Meta psihoza

72 Responses

  1. Most of them look like private IP addresses from AWS. Just forward the whole mess to their abuse dept, other ISPs too if you can identify them.

    I got some annoying "fix it or we'll shut it down" requests from AWS just because I ran a shell service on it and some derp allegedly used it to probe some tight-assed ssh server. AWS even relayed how intense the flood was, like, 5 login attempts in 20 minutes.

  2. Mircea Popescu (Thursday, 25 September 2014)

    Yeah, which is why I've not written to Amazon. What are the people in question to do, comment out the pingback code ? Not desirable.

  3. Mircea Popescu (Sunday, 28 September 2014)

    And updated.

  4. Hey, you commented on our website about this, I don't understand it.

  5. Mircea Popescu (Tuesday, 30 September 2014)

    Well okay, how could I help ?

  6. Cool, never knew about pingback vulnerabilities and their potential use as a DDOS. I've patched my website, so it shouldn't bother you ever again. Sorry about that, and thanks for the heads up.

  7. Mircea Popescu (Tuesday, 30 September 2014)

    No serious harm done, thanks for your help!

  8. It's not just as a DDoS attack, they're basically a free port scanner and everything else. There's even a two year old metasploit.

  9. Thanks for the heads up. Fixed. Excuse the trouble, not intentional.

  10. Mircea Popescu (Wednesday, 1 October 2014)

    @anon Yeah, makes sense, you could probably do all sorts of things with an open interface like that.

    @WB And thank you.

  11. Thanks for the heads up. Fixed. Excuse the trouble.

  12. electtron (Thursday, 2 October 2014)

    Me too. Sorry and thanks.

  13. Mircea Popescu (Thursday, 2 October 2014)

    Dun worry about it, as long as you fixed the hole I'm happy.

  14. Whoa! That is a massive list. Thanks for the heads up, but I couldn't find our domain in there even though we got a pingback from this post. Any ideas why?

  15. Mircea Popescu (Tuesday, 7 October 2014)

    If you tell me what site, I'ma look into it.

  16. We received the pingback from you on isifederal.com.

  17. Mircea Popescu (Wednesday, 8 October 2014)

    Oh look at that, as it turns out the published lists are not even complete.

  18. Gman Grappler (Sunday, 12 October 2014)

    Sir, thank you for all of this helpful information. I went to copy and paste the code you provided in my xmlr file but my file does not contain the line of code such as "// Let's check the remote site" I was not sure exactly where to place the code and ended up placing it right before... "include_once(ABSPATH . 'wp-admin/includes/admin.php');
    include_once(ABSPATH . WPINC . '/class-IXR.php');
    include_once(ABSPATH . WPINC . '/class-wp-xmlrpc-server.php');

    Any advice you could give as to the best place to insert this code would be greatly appreciated. I also apologize for any DDOS that happened to stem from my domain.

  19. Mircea Popescu (Sunday, 12 October 2014)

    Generally, you want to put the code right above wherever it calls "wp_remote_fopen". It's not possible for that call to not exist.

  20. Okay, so I've been reading up on this and discussing this in the WP forums. A user there shared some articles, which were pretty interesting--and thanks for bringing this problem to my attention, I'd never heard of it before--and one thing both those articles mentioned is that Akismet is supposed to catch this sort of spam.

    Since I didn't actually see the original pingback from the hacker (I'm assuming it would show up the same way your pingback did) does this mean my site blocked the request and didn't become a part of the attack? Or does it simply not work the way Matt Mullenweg says it works and Akismet checks URLs even in the comments it flags as spam? (Disappointingly, Matt brushed it off thus:
    "This tradeoff in pingback's design has been there for a decade now," he said via email. "It's seldom used outside of experimentation because it gets shut down by anti-spam providers like Akismet or web hosts when used at any scale, and there are cheaper, easier, and more effective ways to DDOS sites. That's why no serious attacks (above 2gbps) use it.")

  21. In WP 4.0 the code has been changed but not improved. I suggest you contribute to wordpress by offering your change request

    Gman spoke about class-wp-xmlrpc-server.php. It has a line

    $linea = wp_remote_retrieve_body( $request );

    which most likely corresponds to the call you mention

  22. Mircea Popescu (Monday, 13 October 2014)

    @Fatima Given a blog B, a victim V and an attacker A, here's how pingbacks work :

    1. A talks to B (by sending a post request to B/xmlrpc.php) claiming that V has a link to a page on B.
    2. B makes a http request to the indicated page on V
    3. B looks on the page thus obtained, to see if the link is there.
    4. B reports (to its human handler, in the admin interface) that there's a new pingback.

    You will readily see that all the attacker needs is step 2 above. Consequently, he wouldn't usually bother to try and find a page on V which actually links to B - mostly because it's unlikely for one to exist. He probably also wouldn't bother to try and put one there.

    So it's not possible for Akismet to have done anything useful here. Moreover, inasmuch as Akismet did something at all, it'd be to HIDE the problem, by intervening somewhere between 3 and 4. But in your case, seeing how the attacker used the root of this blog, the pingback would never have appeared anywhere Akismet could have seen it anyway.

    The fix as given consists of interceding a step between 1 and 2 which checks that the IP originating the post to xmlrpc.php is in fact the same as the ip of V. This reduces the surface of the attack significantly, because in order to be successful now the attack also requires large scale dns poisoning, which isn't really feasible for this purpose.

    @Mark Thank you very much for that snippet, I was loath to put someone to work finding the sore spot in the 4.0 codebase.

    It is absolutely scandalous that after a spate of this sort of attack in March/April, widely reported at the time, the Automattic idiots *claimed* to have fixed it but in fact did not. It is also sad to see "solutions" pushed by "experts" from the ever-so-vibrant community such as disabling pingbacks and so on.

    Anyway, I'm not about to engage in a conversation with the dimwits pushing out this codebase. I never had a very good opinion of their intellects, and this isn't helping. Feel free however to package it whichever way you wish and submit it in whatever manner.
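An added worked model of the four pingback steps and of the origin check described in the comment above, written for this edit in Python rather than PHP; it is not code from WordPress or from the post, and the class and method names are this example's own. The DNS table, site contents, addresses and the attacker's box at 43.254.40.25 (the address the first attack's logs report) are constructed. One deliberate difference from the PHP snippet: the resolver here yields every published address of the source host rather than the single one gethostbyname() returns, so a source with several A records passes. The last scenario shows the limitation raised later in the thread: a source site whose outbound address is not among its published addresses is turned away as well.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed DNS table: host -> published A records. Stands in for
# gethostbyname(); a multi-server site publishes more than one address.
DNS = {
    "blog-b.example": {"198.51.100.7"},
    "multi.example": {"192.0.2.10", "192.0.2.11"},
    "trilema.com": {"203.0.113.50"},   # placeholder, not the real address
}


class Site:
    """A web server (V, or any blog's public pages). Counts every fetch."""

    def __init__(self, pages):
        self.pages = pages            # path -> HTML body
        self.hits = Counter()

    def fetch(self, url):
        self.hits[url] += 1
        return self.pages.get(urlparse(url).path, "")   # "" stands in for a 404


class Blog:
    """B: a WordPress-like blog serving pingback.ping on its xmlrpc.php."""

    def __init__(self, host, web, check_origin=True):
        self.host = host
        self.web = web                # hostname -> Site, our stand-in for HTTP
        self.check_origin = check_origin
        self.registered = []          # pingbacks shown to the admin (step 4)

    def pingback_ping(self, remote_addr, pagelinkedfrom, pagelinkedto):
        """Step 1: the caller claims pagelinkedfrom links to pagelinkedto on B."""
        src_host = urlparse(pagelinkedfrom).hostname
        # The fix from the post, inserted between steps 1 and 2: the caller
        # must come from an address the claimed source host actually publishes.
        if self.check_origin and remote_addr not in DNS.get(src_host, set()):
            return "rejected: not sent from the source site's IP"
        # Step 2: B fetches the claimed source page. This is the request the
        # reflection attack exists to provoke.
        site = self.web.get(src_host)
        body = site.fetch(pagelinkedfrom) if site else ""
        # Step 3: B looks for a link back to itself in what it got.
        if pagelinkedto not in body:
            return "no link found"
        # Step 4: B records the pingback for its human.
        self.registered.append((pagelinkedfrom, pagelinkedto))
        return "registered"


def run_scenario(check_origin):
    """Drive one blog through an attack, a genuine pingback and a multi-server source."""
    target = "http://blog-a.example/hello"
    web = {
        "trilema.com": Site({"/": "<html>a page that links nowhere</html>"}),
        "blog-b.example": Site({"/post": f'<a href="{target}">hi</a>'}),
        "multi.example": Site({"/p": f'<a href="{target}">hi</a>'}),
    }
    b = Blog("blog-a.example", web, check_origin)
    out = {}
    # A: the attacker's box claims trilema.com/ links to B, three times over.
    for _ in range(3):
        out["attack"] = b.pingback_ping("43.254.40.25", "http://trilema.com/", target)
    out["victim_hits"] = web["trilema.com"].hits["http://trilema.com/"]
    # A genuine pingback, sent from the source blog's own address.
    out["genuine"] = b.pingback_ping("198.51.100.7", "http://blog-b.example/post", target)
    # A multi-server source: once from a published address, once from an
    # outbound address it does not publish (the objection raised later).
    out["multi_listed"] = b.pingback_ping("192.0.2.11", "http://multi.example/p", target)
    out["multi_unlisted"] = b.pingback_ping("192.0.2.99", "http://multi.example/p", target)
    return out


if __name__ == "__main__":
    for check in (False, True):
        print("origin check", "on" if check else "off", run_scenario(check))
```

With the check off, the three forged calls each cost the victim a page fetch and cost the attacker one small XML-RPC POST; with it on, the victim is never contacted. The price is the last case: a source whose outbound address is not in its DNS is rejected, which is the trade-off the objection later in this thread is about.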

  23. Thanks! I already had my suspicions about the usefulness of Akismet in intercepting this sort of attack (the way the plugin works, even if it were included in the scheme of things, Akismet would still probably have to check/load the URL itself so no use anyway) but this pretty much settles it. If you don't mind, I'd like to share your comments in the forums and elsewhere to let more people know about the vulnerability+the fix you've proposed.

  24. Mircea Popescu (Saturday, 18 October 2014)

    Please do, yes.

  25. caan.org.uk, WP file now modified to prevent use as a DDOS vector. Note that in more recent versions (4 onwards) the pingback IP validation check needs to go in the file class-wp-xmlrpc-server.php. The file is in the wp-includes folder.

    You probably know this, but the info needs to go in the above article.

    Cheers!

  26. Mircea Popescu (Wednesday, 24 December 2014)

    Thanks MikF!

  27. thank you for commenting on my website

  28. Mircea Popescu (Tuesday, 30 December 2014)

    You're welcome, now fix it!

  29. I received a pingback request (see below) and have no idea what to do. Is this spam?

    Website: O hai let me wanna-be! pe Trilema - Un blog de Mircea Popescu. (IP: 190.172.2.87 , 190-172-2-87.speedy.com.ar)
    URL: http://trilema.com/o-hai-let-me-wanna-be.php?id=...
    Pingback (short version):
    […] are seeing this because your blog was recently used as part of a DDOS attack against […]

  30. Hi,
    Really sorry to hear that.

    The code written above
    $linea = wp_remote_fopen( $pagelinkedfrom );
    can't be located in the xmlrpc.php file. Does that mean WordPress 4.1 fixed that issue?

  31. Thanks for bringing this to my attention.. simply turning Pingbacks off would prevent the site from being used this way, wouldn't it?

  32. Mircea Popescu (Saturday, 3 January 2015)

    @Kylie It would, but in that sense turning the server off entirely would also prevent it from being used this (or any other) way. There's nothing inherently bad about pingbacks that'd make turning them off a worthy approach. It's just the automattic implementation that's horrible (and not really hard to fix).

  33. Mircea Popescu (Saturday, 3 January 2015)

    @Mehmet Nah, they just moved the crap around (they do that a lot, for no appreciable reason).

    As MikF points out above, the new file is class-wp-xmlrpc-server.php.

  34. Mircea Popescu (Saturday, 3 January 2015)

    @Oliver You should fix your wordpress install so as to no longer be used as part of DDoS attacks.

  35. Hi Mircea,
    Thanks for the pingback to my blog and the info I found here. I'm a little late to the party, but the time you first reported this corresponds to when I had enormous trouble with my server almost falling over due to this very issue. xmlrpc was being hit 40,000 times in an hour and brought my server to its knees. It was obviously the DDOS against you, I didn't know this at the time though. I ended up blocking all the offending IPs that were hitting it.
    Thanks for posting a long term fix - I'll look into it.
    Cheers,
    Lachlan

  36. Mircea Popescu (Monday, 2 February 2015)

    You're welcome.

  37. Not quite sure why I got a pingback from your web stating that my site has recently participated in a dDoS against you. There is nothing in your article pointing to my IP address.

  38. Mircea Popescu (Monday, 9 March 2015)

    Yes, but the fact that you got the pingback is proof positive that your website is vulnerable. Please fix it.

  39. boardtc (Tuesday, 10 March 2015)

    I got your pingback. I opened xmlrpc.php on my website and those lines are not present, there is no mention of remote, etc. I am using Wordpress 4.1.1. What am I missing?

  40. Mircea Popescu (Tuesday, 10 March 2015)

    Since you are on the newly reshuffled codebase, you're missing the stuff Mark said above, comment #21.

  41. Christiane (Friday, 13 March 2015)

    Hello, thank you very much for informing me. I don't really understand what's happening.
    For about a month I haven't done anything there.
    Ok, I'll try to find the code to change: // Let's check the remote site

    $linea = wp_remote_fopen( $pagelinkedfrom );

    but it's not in the xmlrpc.php. What else can I do?

    here is the website
    ...street-art-3d.de

    Christiane

  42. boardtc (Friday, 13 March 2015)

    Thanks. I found the file wp-includes/class-wp-xmlrpc-server.php. I am unsure what fix to do. I think it was here the first time I looked at this post, but I can't find it now. The lines in the file are:
    $request = wp_safe_remote_get( $pagelinkedfrom, $http_api_args );
    $linea = wp_remote_retrieve_body( $request );
    What do I do?

    Thanks!

    Will this be overwritten in a wordpress upgrade?

    Has a ticket been open against wordpress to fix it? Is there a reason they would not?

  43. Mircea Popescu (Friday, 13 March 2015)

    @Christiane If you're using a newer version of Wordpress, see the comment of Mark above.

    @boardtc

    modify the part that says

      // Let's check the remote site

      $linea = wp_remote_fopen( $pagelinkedfrom );

    To instead say

      // Let's check the remote site

      // First, make sure we're not being used for DDoS!

      if (gethostbyname(parse_url($pagelinkedfrom, PHP_URL_HOST))
      <> $_SERVER['REMOTE_ADDR'])
      die ("Sorry, you will have to send this from your blog's IP.");

      $linea = wp_remote_fopen( $pagelinkedfrom );

    So what you do is insert the lines shown in red above the $linea= line.

  44. Christiane (Saturday, 14 March 2015)

    @Mircea

    it's done, I changed the code, thank you again! I think I'll now do the same to my English site.

    Christiane

  45. Mircea Popescu (Saturday, 14 March 2015)

    Well done!

  46. Mitchell (Saturday, 14 March 2015)

    In order to further the cause, we sent an email to WordPress asking them to patch up this security vulnerability.

    Thanks for pointing this out MP!

  47. Thanks. Here's the edit for WordPress 4.0:

    // First, make sure we're not being used for DDoS!

    if (gethostbyname(parse_url($pagelinkedfrom, PHP_URL_HOST))
    <> $_SERVER['REMOTE_ADDR'])
    die ("Sorry, you will have to send this from your blog's IP.");

    // existing lines
    $request = wp_safe_remote_get( $pagelinkedfrom, $http_api_args );
    $linea = wp_remote_retrieve_body( $request );

    I guess since this file is now under wp_content, they won't be overwritten in a wordpress upgrade

  48. Mircea Popescu (Saturday, 14 March 2015)

    @Mitchell You wouldn't be the first one to try that.

    @boardtc Cool.

  49. Mitchell (Sunday, 15 March 2015)

    Yea, I read the ticket. I got a good laugh from your article. I figure, if they get enough requests from developers, they'll listen up. We'll see!

  50. Mircea Popescu (Sunday, 15 March 2015)

    Kinda half-curious myself nao.

  51. Mitchell (Monday, 16 March 2015)

    Hey pimp slice, here is the responz:

    Thanks for bringing this blog post to our attention!

    The post is describing an attack involving A (an attack script)
    telling B (an intermediary WordPress site) that B has received a
    pingback from C (the victim site).

    B receives the request from A, then contacts C to see if it's genuine.
    There are two possible outcomes from this:

    - If the post doesn't exist, C will return a 404 to B, and the
    pingback process on B will end.
    - If the post does exist, B will search through the post content to
    find the URL on B being pinged, won't find it, and then the pingback
    process on B will end.

    The problem is that it's not possible for B alone to determine if the
    pingback is genuine, without first contacting C. The suggested fix
    will work for some sites, but it will also block all pingbacks coming
    from sites with more than one web server. For that reason, it's not
    possible to change the existing behaviour in WordPress core.

    That said, it is possible to ensure your site isn't part of a DDoS
    botnet by using Akismet (https://wordpress.org/plugins/akismet/),
    which, if it's seeing C as being a DDoS target, blocks the request
    from B to C before it's made.

    Thank you again for the report!

    -Gary

    --

    Not sure if that's useful, but thought I would try. :)

  52. Mircea Popescu (Monday, 16 March 2015)

    That's a bunch of idiotic/interested lies. As far as the idiotic lies go,

    The problem is that it's not possible for B alone to determine if the pingback is genuine, without first contacting C.

    The solution above does in fact allow B to determine the pingback is not genuine without contacting C. If the idiot you talked to had read the material, and understood the material, before opening his idiot mouth, we wouldn't be here.

    As far as the interested lies go,

    That said, it is possible to ensure your site isn't part of a DDoS
    botnet by using Akismet

    This happens to be false, and has already been debunked about 500 times, most recently #22 above. Akismet does not work for this purpose (or for any other purpose, for that matter). Automattic continues to push it exactly in the manner and exactly for the reasons Microsoft continues to push shitty code : they make money from it.

    So now : can I have Gary's full name so I can add him to the list of idiots to be hanged by their own guts once we take power, alongside Mark Epstein et all ?

  53. Mitchell (Monday, 16 March 2015)

    Lol, u r the best! Full name is Gary Pendergast.

  54. Mircea Popescu (Monday, 16 March 2015)

    /me pronounces curses, imprecations, maledictions & obloquies.

  55. Mitchell (Monday, 23 March 2015)

    Forgot to post earlier, but here is the response after relaying your message.

    --

    Hi Mitchell,

    There's nothing really to reply to - my previous email explained why the gethostbyname() solution isn't a viable option.

    In reference to how Akismet works, I've spoken to the Akismet developers, and they've confirmed that it intervenes before the blog makes a HTTP request to the victim, blocking the DDoS. There's a short ramp-up time while it detects that a DDoS has started, but once that kicks in it blocks 100% of HTTP requests at the blog, before they're sent to the victim.

    I don't have anything else to add to this discussion, it seems to have descended into conspiracy theories about Automattic. I'm a big fan of Automattic conspiracy theories (I'm often the source of them), but sadly, there's no conspiracy here.

    --

    Another game of wait and see. As we've learned, you tend to call the shots! :)

    All the best,
    Mitchell

  56. Mircea Popescu (Monday, 23 March 2015)

    Yeah. They will wait and see until the system that spawned them collapses.

    Which, really, is fine by me. The guy is exactly correct on one point : he really doesn't have anything to add to this discussion. Or to any other. His "friends" and "coworkers" aren't in much better a position.

  57. Hi :-) I like how you're abusing random websites

  58. Mircea Popescu (Wednesday, 6 May 2015)

    A good beating delivered to obnoxious, over-vocal, self-centered solipsistic children is not abuse. It's education, and the best kind of.

  59. Hey asshole do you love your family? I know a couple broke violent dudes

  60. Mircea Popescu (Wednesday, 6 May 2015)

    I don't enjoy getting blowjobs from broke dudes, but thanks.

  61. Hey 40z, you wouldn't be this kiddo would you.

  62. thanks for the information of great value!

  63. Great article! Never Knew about pingback vulnerabilities. Big Thanks for the heads up! This really helped me!

  64. Mircea Popescu (Monday, 8 February 2016)

    You're also welcome.

  65. thanks for this post, fixed here!

  1. [...] you’re curious about the details, there’s an amply documented, very detailed field report available. [↩]DDoS nullroutes work kinda like shadowbanning : the attacker figures he’s [...]

  2. [...] keeps otherwise brilliant and hardworking people from being useful at large. mircea_popescu Exactly the Wordpress problem, repeated.ii Because a bunch of asswipes are pushing out insecure code, and because a bunch of [...]

  3. [...] Mircea Popescu Since you are on the newly reshuffled codebase, you're missing the stuff... [...]

  4. [...] Mircea Popescu That's a bunch of idiotic/interested lies. As far as the idiotic lies... [...]

  5. [...] out of 11 hits are attempts to POST on xmlrpc.php, which, if you've been following the story of Automattic deliberately poisoning the Internet will readily recognise as the entry point for blog spam, as well as Automattic-enabled DDoS [...]

  6. [...] you see your Gravatar image there it means I have your email now. Because Gravatar sucks, just like Automattic sucks, just like Disqus sucks, just like the entire bezzle-powered world [...]

  7. [...] to fix back in 2014 ? Friday, 13 October, Year 9 d.Tr. | Author: Mircea Popescu Yeah, that. Well.. guess what ? It's still there! And Mika Epstein Ipistenu is still a despicable [...]
