Misiek

Well-Known Member
Dear all,
Most cPanel boxes with WordPress are now under attack via the pingback function, which allows DDoSing any host. Could someone please give the rule to add to mod_security to disable this kind of attack? Is there any other possibility to close the server against this hole?
 

quizknows

Well-Known Member

cPanelMichael

Administrator
Staff member
Hello :)

Yes, the links referenced in the previous post should be helpful. Feel free to let us know the outcome after implementing any of those solutions.

Thank you.
 

WhiteDog

Well-Known Member
I am facing a similar issue and spent some time writing a better mod_security rule. I can't get it to work as I would like. I would like to add an extra filter for the word "pingback" but can't seem to filter against the REQUEST_BODY part, most likely because the parameter is not filled due to the data being XML. Any help would be appreciated :)

Code:
<LocationMatch "/xmlrpc\.php">
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,id:1010102,ctl:requestBodyProcessor=URLENCODED"
# not working
SecRule REQUEST_BODY "@contains pingback" "id:1010103,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
# working
SecRule REQUEST_METHOD "@streq POST" "id:1010105,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
</LocationMatch>
Also tried with:
Code:
SecRule REQUEST_HEADERS:Content-Type "@contains xml" "id:1010102,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=On"

And a sample:
Code:
String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
[31/Dec/2014:10:41:37 +0100] VKPE0F-T6gMAAJFzNDEAAAAW 23.94.21.26 54110 95.211.234.3 80
--91681c7b-B--
POST /xmlrpc.php HTTP/1.0
Host: www.xxxxxxxxxxxxxxxxxx.nl
Content-type: text/xml
Content-length: 263
User-agent: Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)

--91681c7b-C--
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://www.hmw-innovations.ag/</string></value></param><param><value><string>http://www.xxxxxxxxxxxxxx.nl/?page_id=100</string></value></param></params></methodCall>
--91681c7b-F--
HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.3.29
X-Pingback: http://xxxxxxxxxxxxxxxxx.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://xxxxxxxxxxxxxxx.nl/xmlrpc.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--91681c7b-H--
Message: XML parser error: XML: Failed parsing document.
Message: Access denied with connection close (phase 2). String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1420018896758086 295819 (- - -)
Stopwatch2: 1420018896758086 295819; combined=1534, p1=265, p2=1078, p3=0, p4=0, p5=112, sr=54, sw=79, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"
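Added example, answering both the original question (a mod_security rule against the WordPress pingback DDoS) and the rule WhiteDog could not get working. This is not code from any post in this thread, nor from cPanel or the COMODO rule set; rule ids 1010200-1010202 are placeholders to be replaced with unused ids from your own range, and the syntax is ModSecurity 2.x as in the audit log above. Two points from the thread drive the design. First, the ModSecurity 2.x reference manual notes that phase 1 rules cannot use Apache scope containers such as LocationMatch, because they run in the post-read-request hook before per-location configuration is merged; a `ctl:requestBodyProcessor` rule placed inside `<LocationMatch>` therefore never fires, which matches the "XML parser error" in the audit log (the default XML processor ran and REQUEST_BODY stayed empty). Gating on REQUEST_FILENAME instead avoids that. Second, the logged body starts with `<?xmlversion="1.0"?>`, which is not well-formed XML and failed parsing; the example rejects unparseable bodies outright, since a genuine XML-RPC client sends well-formed XML, and uses XPath on the parsed document to deny only the `pingback.ping` method so that other XML-RPC methods keep working.

```apache
# Added example (not from this thread): block WordPress XML-RPC pingback.ping
# calls with ModSecurity 2.x. Rule ids 1010200-1010202 are placeholders;
# use free ids from your own range. Put this in a global (server/vhost) context,
# e.g. modsec2.user.conf, not inside <LocationMatch>.

# Phase 1 (request headers only): for requests to xmlrpc.php with an XML
# content type, switch the body processor to XML. Matching REQUEST_FILENAME
# here replaces <LocationMatch>, which phase 1 rules cannot use.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1010200,phase:1,t:none,t:lowercase,pass,nolog,chain"
    SecRule REQUEST_HEADERS:Content-Type "xml" \
        "t:none,t:lowercase,ctl:requestBodyProcessor=XML"

# Phase 2 (body read and parsed): reject a body the XML processor could not
# parse. A real XML-RPC client sends well-formed XML; the malformed
# "<?xmlversion=" declaration in the audit log above fails this check.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1010201,phase:2,t:none,t:lowercase,deny,status:403,log,auditlog,severity:2,msg:'CUSTOM: malformed XML-RPC body',chain"
    SecRule REQBODY_ERROR "!@eq 0"

# Phase 2: read the method name from the parsed document via XPath and deny
# pingback.ping only. Other XML-RPC methods (used by WordPress clients and
# Jetpack) are left alone.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1010202,phase:2,t:none,t:lowercase,deny,status:403,log,auditlog,severity:2,msg:'CUSTOM: WordPress XML-RPC pingback.ping blocked',chain"
    SecRule XML:/methodCall/methodName/text() "@streq pingback.ping" "t:none,t:trim"
```

After reloading Apache, a POST to xmlrpc.php with a `pingback.ping` method call should show up in the audit log with id 1010202 and a 403 instead of the 301 seen above. Because the ids are assumptions, check `modsec_audit.log` for "duplicate rule id" errors on restart if the COMODO or another vendor rule set already uses that range. Denying with 403 rather than `drop` keeps a clean entry in the access log for later correlation; `drop` works equally well if closing the connection is preferred for high request volumes.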