Wordpress pingback
Dear all,
Most cPanel boxes with WordPress are now under attack via the pingback function, which allows DDoSing any host. Could someone please give the rule to add to mod_security to disable this kind of attack? Is there any other possibility to close the server against this hole?
-
Easiest to just disable xmlrpc.php for the sites being hit (chmod 000 the file or something to disable access). A couple of links with more info that may help you:

WordPress XML-RPC PingBack Vulnerability Analysis - SpiderLabs Anterior: http://blog.spiderlabs.com/2014/03/wordpress-xml-rpc-pingback-vulnerability-analysis.html

Blocking wordpress pingback with mod_security and fail2ban | Marcus Povey: http://www.marcus-povey.co.uk/2013/11/28/blocking-wordpress-pingback-with-mod_security-and-fail2ban/

I might be able to write you a modsecurity rule if you can post some of the access logs from the sites being abused.
-
Hello :) Yes, the links referenced in the previous post should be helpful. Feel free to let us know the outcome after implementing any of those solutions. Thank you.
-
I am facing a similar issue and spent some time writing a better mod_security rule. I can't get it to work as I would like. I would like to add an extra filter for the word "pingback" but can't seem to filter against the REQUEST_BODY part, most likely because the parameter is not filled due to the data being XML. Any help would be appreciated :)

SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,id:1010102,ctl:requestBodyProcessor=URLENCODED"

# not working
SecRule REQUEST_BODY "@contains pingback" "id:1010103,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"

# working
SecRule REQUEST_METHOD "@streq POST" "id:1010105,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
Also tried with:

SecRule REQUEST_HEADERS:Content-Type "@contains xml" "id:1010102,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=On"
And a sample:

String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]

[31/Dec/2014:10:41:37 +0100] VKPE0F-T6gMAAJFzNDEAAAAW 23.94.21.26 54110 95.211.234.3 80
--91681c7b-B--
POST /xmlrpc.php HTTP/1.0
Host: www.xxxxxxxxxxxxxxxxxx.nl
Content-type: text/xml
Content-length: 263
User-agent: Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)

--91681c7b-C--
pingback.pinghttp://www.hmw-innovations.ag/http://www.xxxxxxxxxxxxxx.nl/?page_id=100
--91681c7b-F--
HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.3.29
X-Pingback: http://xxxxxxxxxxxxxxxxx.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://xxxxxxxxxxxxxxx.nl/xmlrpc.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--91681c7b-H--
Message: XML parser error: XML: Failed parsing document.
Message: Access denied with connection close (phase 2). String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1420018896758086 295819 (- - -)
Stopwatch2: 1420018896758086 295819; combined=1534, p1=265, p2=1078, p3=0, p4=0, p5=112, sr=54, sw=79, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"
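As an added example (not code from the thread, and not part of the Comodo rule set named in the log above), a rule set that matches on the parsed XML body instead of REQUEST_BODY: it switches the body processor to XML for requests to xmlrpc.php, rejects bodies that fail to parse (the parser error shown in the audit log above), and then matches the XML-RPC method name by XPath. The rule ids 1010200 to 1010202, the status codes and the id placement in modsec2.user.conf are assumptions; pick ids that are free in your own range.

```apacheconf
# Added example: block XML-RPC pingback.ping calls by inspecting the parsed XML body.
# Request body inspection must be enabled, otherwise phase 2 never sees the body.
SecRequestBodyAccess On

# Phase 1: for XML posted to xmlrpc.php, select the XML body processor so that the
# XML:/xpath variable is populated (REQUEST_BODY stays empty for XML bodies).
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1010200,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:text|application)/xml" \
        "t:none,t:lowercase,ctl:requestBodyProcessor=XML"

# Phase 2: a body the XML processor could not parse leaves XML:/ empty, so reject it
# instead of letting it through unexamined (this is the error in the audit log above).
SecRule REQBODY_ERROR "!@eq 0" \
    "id:1010201,phase:2,t:none,log,deny,status:400,msg:'XML-RPC body failed to parse',logdata:'%{REQBODY_ERROR_MSG}'"

# Phase 2: match the XML-RPC method name; pingback.ping is the method being abused.
SecRule XML:/methodCall/methodName/text() "@rx ^\s*pingback\.ping\s*$" \
    "id:1010202,phase:2,t:none,log,auditlog,deny,status:403,severity:2,msg:'CUSTOM: XML-RPC pingback.ping blocked'"
```

Replace deny,status:403 with drop if you prefer the connection-close behaviour of the rules in the post above; legitimate XML-RPC clients (mobile apps, Jetpack) keep working because only the pingback.ping method is matched.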