O hai let me wanna-be!

Wednesday, 24 September, Year 6 d.Tr. | Author: Mircea Popescu

~ * ~ NOTICE ~ * ~

You are seeing this because your blog was recently used as part of a DDOS attack against Trilema.

The way this works is that the attacker sends pingbacks to a long list of blogs. The blogs in question then load the indicated URL to try and verify whether the pingback is legitimate (i.e., whether the URL of the pinged blog actually appears on the page), resulting in massive traffic spikes for the victim.

This works because WordPress pingbacks are poorly implemented. A more solid implementation would verify that the pingback originates from the same IP as the site that supposedly sent it, and discard the request if there's a mismatch. The current implementation allows pingbacks to be sent from any arbitrary IP, and so hands a malicious user yet another DDOS vector.

Please do your part by fixing your pingback implementation. The easiest way would be to open the file xmlrpc.php found in the root directory of your blog installation, and modify the part that says

    // Let's check the remote site

    $linea = wp_remote_fopen( $pagelinkedfrom );

To instead say

    // Let's check the remote site

    // First, make sure we're not being used for DDoS!
    // Resolve the host named in the claimed source URL and compare it
    // with the address of the client that actually sent this request.
    if (gethostbyname(parse_url($pagelinkedfrom, PHP_URL_HOST))
        <> $_SERVER['REMOTE_ADDR'])
        die("Sorry, you will have to send this from your blog's IP.");

    $linea = wp_remote_fopen( $pagelinkedfrom );

This checks that the IP of the domain you think you've been pinged by and the IP of the client informing you that you were pinged match, and dies if they don't - rendering this particular DDoS avenue inoperable while maintaining all the pingback functionality you could possibly want.
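The same rule as the patch above, modelled in Python as an added example (it is not the notice's PHP and not a WordPress drop-in): a pingback is accepted only if the requesting client's address is one the claimed source URL's host resolves to. It goes slightly beyond the PHP check in three ways a defender cares about: it compares against all of the host's addresses rather than the single one gethostbyname returns, it unwraps IPv4-mapped IPv6 addresses of the ::ffff: form that appear in the footnote lists, and it rejects outright when the host does not resolve instead of falling through. The resolver is injectable; fake_resolver, FAKE_DNS and the .example hostnames are constructed so the block runs offline.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# A resolver maps a hostname to its addresses, or raises OSError on failure.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record for host through the OS resolver (live DNS)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def normalize(addr: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def pingback_source_ok(pagelinkedfrom: str, remote_addr: str,
                       resolver: Resolver = system_resolver) -> bool:
    """True only if remote_addr is among the addresses the claimed source host resolves to.

    pagelinkedfrom is the URL the pingback claims to come from (the $pagelinkedfrom
    of xmlrpc.php); remote_addr is the address of the client that sent the XML-RPC
    request ($_SERVER['REMOTE_ADDR']). Any failure to parse or resolve rejects.
    """
    host = urlparse(pagelinkedfrom).hostname
    if not host:
        return False
    try:
        client = normalize(remote_addr)
    except ValueError:
        return False
    try:
        resolved = {normalize(a) for a in resolver(host)}
    except (OSError, ValueError):
        return False  # unresolvable or garbage host: reject, never fall through
    return client in resolved


# Constructed DNS data for offline demonstration (RFC 5737 documentation ranges).
FAKE_DNS = {
    "blog.example": ["203.0.113.10", "203.0.113.11"],  # host with two A records
    "other.example": ["198.51.100.7"],
}


def fake_resolver(host: str) -> list[str]:
    """Stand-in resolver: answers from FAKE_DNS, raises like a failed lookup otherwise."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url, addr in [("http://blog.example/post/1", "203.0.113.11"),
                      ("http://blog.example/post/1", "::ffff:203.0.113.10"),
                      ("http://blog.example/post/1", "192.0.2.99"),
                      ("http://gone.example/", "203.0.113.10")]:
        print(url, addr, "->", pingback_source_ok(url, addr, fake_resolver))
```

Two caveats apply to this check exactly as they apply to the PHP patch. First, it compares against REMOTE_ADDR, which behind a reverse proxy or CDN is the proxy's own address; that is consistent with the private 10.x and 172.x entries in the footnote lists, where abused blogs reported the proxy in front of them as the pingback source. On such a setup the comparison has to be made against the client address the proxy forwards, or every pingback is rejected. Second, a blog whose outbound requests leave from an address that is not among its DNS records will fail the check; that is a legitimate pingback lost, not a security failure, but it is the trade-off the notice accepts.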

Thanks for being part of the solution!


~ * ~ Notice over, back to the actual article ~ * ~

Being as I am the realisation of their idealized image of the self as well as the icon of the father they always wanted but never had plus that beloved older brother they had a nonsexual crush on, of course I’d hear from each and every wanna-be kid on the Internet. The self-avowed hacker, the grandiose expert, the pro-professional, the many plurious things a recent birth with no power, no knowledge and no importance tends to vacuously ascribe himself.

Without even going into the piles and layers accumulated back while I was writing in Romanian, and without bothering to notice that Jeff Berwick is still working on something better than “I just read the story I made up on your blog and it doesn’t sound as convincing as I thought it did”, let’s have some quick examples : O hai let me verify your identity! ; O hai. I was justing doing a penetration test of your site. ; MIRCEA POPESCU IS AN ASSHOLE! etc etc etc.

So then it comes as no surprise that :

kakobrekla: Pasted per request; http://dpaste.com/0DQZB8W.txt[i]
mircea_popescu: So was BitBet actually down ?

kakobrekla: Well BitBet was sort of down and assbot suffered the most.
Apocalyptic: Hard to tell if guy was serious or trolling.
kakobrekla: I dont know, I saw ‘low orbit ion cannons cannons’ and got scared.
mircea_popescu: Apocalyptic that’s the new generation. Sorta half-ass doing things and being “ironic” about them at the same time as a sort of multi-hedged insurance against the scary world. Can’t say he’s not tried. Can’t say he’s really tried, either. Can’t say he’s a faggot, not really, can’t say anything. Aderpynymous!

kakobrekla: Imagine cannons shooting out whole cannons
* kakobrekla runs in the basement to hide.

[after a break]

mircea_popescu: You know your secret agent reddit/4chan guy tried to “ddos” Trilema earlier too. He… failed. “Number of simultaneously running php and cgi scripts, as well as cron jobs and shell sessions: 65724(max).” That’s not SO BAD is it ?

Turns out the logs on Trilema actually had a story to tell. It goes like this :

    54.215.115.74 - - [24/Sep/2014:02:34:37 -0400] "GET / HTTP/1.0" 200 26649 "-" "WordPress/3.9; http://ec2-54-215-115-74.us-west-1.compute.amazonaws.com; verifying pingback from 43.254.40.25"

The complete file weighs in at 25 Mb. That’s 183`902 lines worth of (served!) requests for Trilema pages, sent by various WordPress blog installations. 95`651 of them include the "verifying pingback from 43.254.40.25" string, 3`731 show a different IP[ii], the rest omit the source.[iii] All this happened from 02:34:37 -0400 to 2:55-ish, with a few stragglers all the way to 3:00.

Obviously this is not what “LOIC” means. Nevertheless, it’s perhaps a usable reflected DDOS attack. All you need is a host that’ll let you do it, WordPress is dumb enough to go for it, and now that you have the list…

Enjoy. Or fix it, whatever, I don’t care.

UPDATE, September 28th : Failure breeds insistence in the narcissistically wounded, so here we are again, doing the same thing only bigger this time. <sarcasm>Because that totally works, if you fail it’s not time to try a new tack, it’s time to try harder. The time to try a new tack is when you succeed. </sarcasm>

The splendiferous haxxor at that difficult age doesn’t think the foregoing should apply to him, of course, because he thinks he should get a say in what applies to him and what doesn’t, because that’s democraticfairnormalrapetriggersomgbbq or whatever[iv], and so here we are.

This time there’s a grand total of 2`211`833 lines, more than ten times the size of the previous attempt. The complete list is here. Of some interest are the first five lines,

    50.62.208.39 - - [28/Sep/2014:02:35:39 -0400] "HEAD /2014/today-is-the-international-day-of-remembering-how-mirce$
    50.62.208.39 - - [28/Sep/2014:02:35:40 -0400] "HEAD /2013/the-greatest-smartphone-app/#comment-91767 HTTP/1.0" 40$
    50.62.208.39 - - [28/Sep/2014:02:50:36 -0400] "HEAD /2014/today-is-the-international-day-of-remembering-how-mirce$
    50.62.208.39 - - [28/Sep/2014:02:50:37 -0400] "HEAD /2013/the-greatest-smartphone-app/#comment-91767 HTTP/1.0" 40$
    97.88.208.209 - - [28/Sep/2014:02:51:37 -0400] "GET / HTTP/1.0" 500 - "-" "WordPress/3.0.4; http://diehoch.net"
    54.201.25.164 - - [28/Sep/2014:02:51:37 -0400] "GET / HTTP/1.0" 500 - "-" "WordPress/3.9.2; http://54.201.25.164;$
    107.170.18.6 - - [28/Sep/2014:02:51:37 -0400] "GET / HTTP/1.0" 500 - "-" "WordPress/4.0; http://authenticorepilat$

Obviously 50.62.208.39 knew what was about to happen seconds before it actually did. It’s an abused GoDaddy IP (which have, of course, been notified, and which, of course, still suck). The list of originating IPs (appearing after the "verifying pingback from" built-in header) is significantly shorter than last time.[v] This, coupled with the pathetic appeals to mercy proffered by the “hacker”, with the significant increase in the list of abused blogs and with the frequent repeats, suggests perhaps that she’s running out of resources. Which is fine, and the first step towards embracing the slavery that’ll perhaps spit her out on the other side a complete being.

Good luck, Britni!

PS. If you don’t understand why this article figures in your pingback list, while your link isn’t in here : it’s because your blog has been abused to try and DDOS this blog, as you can verify by searching for your name in the attached gzips. Please consider hardening your WordPress installation so that this can’t be repeated in the future - as it currently stands I am immune to this because I am rich and powerful, but most bloggers out there are neither rich nor powerful and who knows how many you’ve squished so far, unknowingly ?

———
  1. ~fccccck@184.75.212.202

    **** BEGIN LOGGING AT Wed Sep 24 13:54:47 2014

    [13:54:47] fccccck hellllllllllo
    [13:55:19] kakobrekla hi?
    [13:55:29] fccccck we are reddit police
    [13:55:44] kakobrekla who is we
    [13:56:05] fccccck subreddit you dont know because admins keep shadowbanning us
    [13:56:13] fccccck you spam reddit, this is your punishment! muahuahua
    [13:56:30] kakobrekla i spam?
    [13:56:45] * kakobrekla does not have a reddit handle.
    [13:56:59] fccccck yes you spam
    [13:56:59] fccccck http://trilema.com/2014/spamming-reddit-an-experiment/
    [13:57:10] kakobrekla i am not mircea btw.
    [13:57:27] fccccck oh
    [13:57:33] fccccck you are Anon?
    [13:57:50] kakobrekla i am http://bitcoin-otc.com/viewratingdetail.php?nick=kakobrekla
    [13:58:25] fccccck our expert secret agents well versed in /b/tarding have pointed LOIC cannons filled with cumboxes and declare WAR!
    [13:58:38] kakobrekla ok
    [13:58:47] fccccck you are impostor and scammer, website says
    [13:59:04] kakobrekla and you are doing the world a favour.
    [13:59:46] fccccck yes. anyway i am watching you mitigate if you want to try
    [14:00:06] kakobrekla k

    **** BEGIN LOGGING AT Wed Sep 24 14:08:32 2014
    [14:08:32] fccccck your nginx is still down?
    [14:08:47] fccccck wai

    **** BEGIN LOGGING AT Wed Sep 24 14:27:34 2014
    [14:27:34] fccccck Hetzner has good DDoS protection, but we have well lubricated cumboxes that will pierce the firewall
    [14:30:25] fccccck I mean, layer 4.


  2. Specifically :

    12,”10.0.0.1″; 8,”10.0.11.193″; 11,”10.0.113.35″; 3,”10.0.1.4″; 4,”10.0.3.1″; 9,”10.10.0.113″; 2,”10.100.1.3″; 12,”10.1.0.1″; 3,”10.101.101.245″; 10,”10.105.101.162″; 12,”10.105.102.41″; 14,”10.111.204.2″; 15,”10.1.1.61″; 19,”10.142.191.108″; 11,”10.143.0.53″; 16,”10.147.146.230″; 11,”10.15.128.202″; 12,”10.156.250.9″; 14,”10.158.4.2″; 8,”10.160.234.201″; 9,”10.160.234.253″; 28,”10.16.56.199″; 10,”10.167.12.44″; 6,”10.172.74.53″; 10,”10.179.226.90″; 18,”10.183.186.158″; 19,”10.183.248.250″; 4,”10.183.248.252″; 1,”10.183.250.134″; 3,”10.183.251.1″; 11,”10.189.245.5″; 3,”10.189.246.4″; 5,”10.189.254.10″; 6,”10.189.254.5″; 16,”10.189.254.6″; 3,”10.190.254.11″; 4,”10.190.254.5″; 7,”10.190.254.7″; 10,”10.192.16.32″; 15,”10.196.113.4″; 13,”10.206.27.57″; 10,”10.21.10.9″; 5,”10.2.130.253″; 12,”10.217.161.3″; 19,”10.225.175.112″; 4,”10.2.2.6″; 10,”10.227.1.193″; 6,”10.229.75.99″; 12,”10.2.3.1″; 8,”10.231.20.96″; 22,”10.234.6.182″; 13,”10.236.168.50″; 24,”10.240.107.42″; 19,”10.245.0.1″; 18,”10.245.0.155″; 15,”10.247.6.76″; 17,”10.248.36.182″; 9,”10.250.250.1″; 7,”10.252.35.3″; 19,”10.252.67.67″; 11,”10.27.0.6″; 8,”10.28.41.106″; 17,”10.29.42.15″; 23,”10.3.1.1″; 12,”10.43.101.70″; 11,”10.43.148.58″; 15,”10.4.56.19″; 16,”10.50.101.190″; 21,”10.52.1.254″; 10,”10.70.11.13″; 8,”10.70.11.3″; 9,”10.73.131.91″; 5,”10.75.1.13″; 1,”108.162.218.89″; 1,”108.162.219.245″; 1,”108.162.237.79″; 1,”108.162.245.154″; 1,”108.162.249.215″; 9,”108.61.47.194″; 10,”10.86.7.254″; 37,”10.89.140.154″; 4,”10.9.160.24″; 2,”10.9.160.25″; 2,”10.9.160.26″; 2,”10.9.160.27″; 1,”10.9.160.29″; 1,”10.9.160.30″; 1,”10.9.160.31″; 5,”10.9.160.32″; 2,”10.9.160.33″; 15,”10.97.50.153″; 10,”12.133.118.20″; 1486,”127.0.0.1″; 6,”127.0.0.3″; 4,”140.112.202.148″; 1,”141.101.98.99″; 6,”144.76.98.212″; 18,”154.35.133.34″; 1,”162.220.112.18″; 14,”163.245.1.248″; 5,”165.137.226.135″; 10,”169.254.11.253″; 1,”172.16.0.2″; 9,”172.16.15.1″; 11,”172.16.1.80″; 42,”172.16.24.1″; 17,”172.17.0.2″; 9,”172.17.0.5″; 
12,”172.17.42.1″; 5,”172.20.1.10″; 15,”172.23.4.254″; 11,”172.24.0.4″; 4,”172.31.0.170″; 3,”172.31.10.72″; 10,”172.31.13.59″; 11,”172.31.14.52″; 11,”172.31.14.75″; 13,”172.31.19.65″; 14,”172.31.20.19″; 8,”172.31.22.250″; 13,”172.31.23.169″; 11,”172.31.23.20″; 15,”172.31.25.67″; 11,”172.31.26.199″; 10,”172.31.28.196″; 15,”172.31.30.125″; 13,”172.31.37.98″; 15,”172.31.41.85″; 13,”172.31.43.254″; 16,”172.31.46.209″; 8,”172.31.47.203″; 8,”172.31.7.127″; 9,”173.208.201.141″; 10,”173.214.170.179″; 1,”173.245.48.120″; 1,”173.245.55.64″; 9,”176.9.120.132″; 40,”178.63.135.0″; 12,”181.224.154.199″; 9,”187.33.232.18″; 11,”188.132.158.129″; 16,”188.225.33.130″; 29,”192.163.204.49″; 10,”192.163.246.206″; 10,”192.168.0.1″; 8,”192.168.0.4″; 13,”192.168.0.96″; 10,”192.168.1.1″; 11,”192.168.1.100″; 5,”192.168.1.2″; 9,”192.168.1.31″; 5,”192.168.160.41″; 20,”192.168.2.102″; 7,”192.168.213.3″; 8,”192.168.4.66″; 10,”192.168.49.200″; 9,”192.168.50.254″; 6,”192.168.5.240″; 28,”192.168.57.1″; 21,”192.168.7.8″; 14,”192.168.9.4″; 17,”192.169.20.1″; 11,”192.241.202.92″; 20,”192.76.138.201″; 7,”194.5.108.254″; 6,”194.58.40.120″; 15,”194.58.61.100″; 17,”194.58.93.43″; 30,”198.1.124.229″; 15,”198.57.176.232″; 3,”199.184.149.2″; 4,”199.184.149.3″; 3,”199.184.149.4″; 5,”199.184.149.5″; 1,”199.27.133.67″; 1,”199.27.133.71″; 14,”199.59.160.140″; 15,”205.147.111.7″; 20,”207.210.203.66″; 13,”207.67.4.254″; 13,”212.25.8.164″; 8,”212.68.57.222″; 8,”216.121.53.151″; 2,”30.0.0.97″; 9,”30.176.171.13″; 4,”31.20.2.238″; 3,”46.38.178.10″; 7,”50.7.64.146″; 11,”5.172.196.65″; 11,”5.45.111.30″; 12,”5.9.211.108″; 12,”62.75.232.242″; 1,”64.22.103.188″; 13,”66.11.132.73″; 8,”69.10.51.45″; 9,”69.59.187.219″; 71,”77.232.66.255″; 18,”77.92.141.208″; 12,”81.38.109.100″; 12,”82.221.39.11″; 13,”82.94.169.36″; 11,”85.235.174.162″; 15,”91.208.40.20″; 5,”91.228.152.9″; 20,”"::ffff:43.254.40.25″


  3. APNIC reports 43.254.40.* owned by PEL-IN, who supposedly is “uniquely positioned to provide Spamfree”. I’ve notified them; it seems that somehow, magically, 100k+ fake pingback notifications managed to flow out of their network at the rate of >100 a second. Nothing suspicious there at all whatsoever, amirite.
  4. And then, in a stroke reminiscent of matters discussed over at Cel mai adevarat in gangsta rap, ends up being the one in need of favours. Ain’t it funny how the world teenagers dream of actually works ?
  5. Specifically,

    1 from ::ffff:142.0.44.50 ; 2 from 188.226.244.159 ; 3 from 64.79.64.162 ; 22 from 10.183.250.134 ; 32 from 192.168.160.41 ; 33 from 10.190.254.11 ; 65 from 10.231.20.96 ; 80 from 82.94.169.36 ; 108 from 10.245.0.1 ; 120 from 10.189.254.5 ; 125 from 172.17.42.1 ; 127 from 194.58.61.100 ; 132 from 10.10.0.113 ; 134 from 10.247.6.76 ; 135 from 176.9.120.132 ; 135 from 212.25.8.164 ; 137 from 172.31.14.75 ; 146 from 10.189.246.5 ; 146 from 5.172.196.65 ; 166 from 10.183.251.1 ; 227 from 10.1.1.60 ; 237 from 172.16.1.80 ; 240 from 62.75.232.242 ; 244 from 172.31.20.19 ; 245 from 207.67.4.254 ; 248 from 10.158.4.2 ; 252 from 10.111.204.2 ; 253 from 10.214.31.8 ; 261 from 10.2.3.1 ; 264 from 10.28.41.106 ; 316 from 181.224.154.199 ; 370 from 10.0.11.193 ; 509 from 10.1.0.1 ; 621 from 172.16.24.1 ; 621 from 192.168.49.200 ; 643 from 10.167.12.44 ; 980 from 10.0.3.1 ; 1454 from 192.168.4.66 ; 1498 from 82.221.39.11 ; 1743 from 207.210.203.66 ; 2125 from : ; 2207 from 10.240.107.42 ; 2897 from 205.147.111.7 ; 4158 from 194.58.93.43 ; 4397 from 10.29.42.15 ; 5080 from 77.232.66.255 ; 5892 from ::ffff:192.187.118.162 ; 24925 from 127.0.0.1 ; 397748 from 142.0.44.50 ; 706747 from 192.187.118.162.


Category: Meta psychosis
You can follow the responses through the RSS 2.0 feed. You can leave a comment or send a trackback from your own blog.

3 Responses

  1. Most of them look like private IP addresses from AWS. Just forward whole mess to their abuse dept, other ISPs too if you can identify.

    I got some annoying “fix it or we’ll shut it down” requests from AWS just because I ran a shell service on it and some derp allegedly used it to probe some tight-assed ssh server. AWS even relayed how intense the flood was, like, 5 login attempts in 20 minutes.

  2. Mircea Popescu
    Thursday, 25 September 2014

    Yeah, which is why I’ve not written to Amazon. What are the people in question to do, comment out the pingback code ? Not desirable.

  3. And updated.
