The Community Forums

Wordpress pingback

Discussion in 'Security' started by Misiek, Mar 27, 2014.

  1. Misiek

    Misiek Well-Known Member

    Joined:
    Feb 23, 2004
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Dear all,
    Most cPanel boxes with WordPress are now under attack via the pingback function, which allows DDoSing any host. Could someone please give the rule to add to mod_security to disable this kind of attack? Is there any other possibility to close the server against this hole?
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Yes, the links referenced in the previous post should be helpful. Feel free to let us know the outcome after implementing any of those solutions.

    Thank you.
     
  4. WhiteDog

    WhiteDog Well-Known Member

    Joined:
    Feb 19, 2008
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    I am facing a similar issue and spent some time writing a better mod_security rule. I can't get it to work as I would like. I would like to add an extra filter for the word "pingback" but can't seem to filter against the REQUEST_BODY part, most likely because the parameter is not filled due to the data being XML. Any help would be appreciated :)

    Code:
    <LocationMatch "/xmlrpc\.php">
    SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,id:1010102,ctl:requestBodyProcessor=URLENCODED"
    # not working
    SecRule REQUEST_BODY "@contains pingback" "id:1010103,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
    # working
    SecRule REQUEST_METHOD "@streq POST" "id:1010105,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
    </LocationMatch>
    
    Also tried with:
    Code:
    SecRule REQUEST_HEADERS:Content-Type "@contains xml" "id:1010102,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=On"
    

    And a sample:
    Code:
    String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
    [31/Dec/2014:10:41:37 +0100] VKPE0F-T6gMAAJFzNDEAAAAW 23.94.21.26 54110 95.211.234.3 80
    --91681c7b-B--
    POST /xmlrpc.php HTTP/1.0
    Host: www.xxxxxxxxxxxxxxxxxx.nl
    Content-type: text/xml
    Content-length: 263
    User-agent: Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)
    
    --91681c7b-C--
    <?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://www.hmw-innovations.ag/</string></value></param><param><value><string>http://www.xxxxxxxxxxxxxx.nl/?page_id=100</string></value></param></params></methodCall>
    --91681c7b-F--
    HTTP/1.1 301 Moved Permanently
    X-Powered-By: PHP/5.3.29
    X-Pingback: http://xxxxxxxxxxxxxxxxx.nl/xmlrpc.php
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Location: http://xxxxxxxxxxxxxxx.nl/xmlrpc.php
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    --91681c7b-H--
    Message: XML parser error: XML: Failed parsing document.
    Message: Access denied with connection close (phase 2). String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
    Action: Intercepted (phase 2)
    Stopwatch: 1420018896758086 295819 (- - -)
    Stopwatch2: 1420018896758086 295819; combined=1534, p1=265, p2=1078, p3=0, p4=0, p5=112, sr=54, sw=79, l=0, gc=0
    Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
    Server: Apache
    Engine-Mode: "ENABLED"
    
     
    #4 WhiteDog, Dec 31, 2014
    Last edited: Dec 31, 2014
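As an added example, not part of this thread and not code from cPanel, WordPress or ModSecurity: a Python script that scans a ModSecurity 2.x serial audit log (the format of the entry quoted above; the file is whatever SecAuditLog points at in your ModSecurity config) for POSTs to xmlrpc.php whose body calls pingback.ping, and reports which external hosts this server was being asked to flood. It matches on the raw body text instead of parsing the XML, because the request body in the entry above is exactly the kind that makes ModSecurity's XML processor give up ("XML parser error: XML: Failed parsing document"), so anything that depends on a successful XML parse never sees the method name. The log excerpt embedded in the script is constructed for the example; its hosts, unique IDs and addresses are made up.

```python
"""Scan a ModSecurity 2.x serial audit log for WordPress pingback.ping calls.

Added example for this thread, not code from the post, cPanel or ModSecurity.
SAMPLE_LOG is constructed to follow the layout of the entry quoted in the
thread (sections --<id>-A-- .. --<id>-Z--); hosts, IDs and addresses are made up.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# An entry runs from "--<id>-A--" to "--<id>-Z--"; each "--<id>-<letter>--"
# line opens a section (A: connection summary, B: request headers, C: body).
ENTRY_RE = re.compile(r"^--(?P<tok>\w+)-A--\n(?P<body>.*?)^--(?P=tok)-Z--", re.M | re.S)
SECTION_RE = re.compile(r"^--\w+-(?P<letter>[A-Z])--\n", re.M)
# Matched on the raw body, ignoring case and whitespace: the body quoted in the
# thread makes ModSecurity's XML processor fail ("Failed parsing document"),
# so a strict XML parse (or an XML:/* rule) would never see the method name.
PINGBACK_RE = re.compile(r"<methodName>\s*pingback\.ping\s*</methodName>", re.I)
STRING_RE = re.compile(r"<string>\s*(.*?)\s*</string>", re.I | re.S)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)

def parse_entries(log_text):
    """Yield (audit_id, {section_letter: text}) for every entry in the log."""
    for m in ENTRY_RE.finditer(log_text):
        parts = SECTION_RE.split(m.group("body"))
        sections = {"A": parts[0]}
        sections.update(zip(parts[1::2], parts[2::2]))
        yield m.group("tok"), sections

def is_xmlrpc_post(headers):
    """True when section B opens with a POST request line for .../xmlrpc.php."""
    line = headers.split("\n", 1)[0].split()
    return (len(line) >= 2 and line[0] == "POST"
            and line[1].split("?", 1)[0].endswith("/xmlrpc.php"))

def pingback_call(body):
    """Return (source_url, target_url) for a pingback.ping body, else None.
    'source' is the URL WordPress fetches to verify the link, i.e. the host
    being flooded in a reflection attack; 'target' is a page on this site."""
    if not PINGBACK_RE.search(body):
        return None
    strings = STRING_RE.findall(body)
    return (strings[0], strings[1]) if len(strings) >= 2 else None

def strict_xml_ok(body):
    """Whether the body survives a strict XML parse (what XML:/* would need)."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False

def scan(log_text):
    """Return (hits, targets): hits are (audit_id, client_ip, source, target);
    targets counts pingback sources per host, i.e. who this server was aimed at."""
    hits, targets = [], Counter()
    for audit_id, sec in parse_entries(log_text):
        call = pingback_call(sec.get("C", "")) if is_xmlrpc_post(sec.get("B", "")) else None
        if call is None:
            continue
        # Section A: "[timestamp] unique-id client-ip client-port server-ip server-port"
        fields = sec["A"].split()
        client_ip = fields[3] if len(fields) > 3 else "?"
        hits.append((audit_id, client_ip, call[0], call[1]))
        host = HOST_RE.match(call[0])
        targets[host.group(1).lower() if host else "?"] += 1
    return hits, targets

# Constructed sample: entry 1 mirrors the thread's request (mangled XML
# declaration and all), entry 2 is a harmless call, entry 3 is an obfuscated
# pingback on a blog installed in a subdirectory.
SAMPLE_LOG = """--aaaa0001-A--
[31/Dec/2014:10:41:37 +0100] ex0001-uniqueid 203.0.113.5 54110 198.51.100.3 80
--aaaa0001-B--
POST /xmlrpc.php HTTP/1.0
Content-type: text/xml

--aaaa0001-C--
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.example.org/</string></value></param><param><value><string>http://www.example.net/?page_id=100</string></value></param></params></methodCall>
--aaaa0001-Z--
--aaaa0002-A--
[31/Dec/2014:10:41:38 +0100] ex0002-uniqueid 203.0.113.9 40022 198.51.100.3 80
--aaaa0002-B--
POST /xmlrpc.php HTTP/1.0
Content-Type: text/xml

--aaaa0002-C--
<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName><params/></methodCall>
--aaaa0002-Z--
--aaaa0003-A--
[31/Dec/2014:10:41:39 +0100] ex0003-uniqueid 203.0.113.5 54111 198.51.100.3 80
--aaaa0003-B--
POST /blog/xmlrpc.php HTTP/1.1
Content-Type: text/xml

--aaaa0003-C--
<?xml version="1.0"?><methodCall><methodName> PINGBACK.PING </methodName><params><param><value><string>http://VICTIM.example.org/page</string></value></param><param><value><string>http://www.example.net/?p=7</string></value></param></params></methodCall>
--aaaa0003-Z--
"""

if __name__ == "__main__":
    hits, targets = scan(SAMPLE_LOG)
    for audit_id, ip, source, target in hits:
        print(f"{audit_id}: {ip} asked this site to fetch {source} (target {target})")
    for host, n in targets.most_common():
        print(f"{n:4d} pingback(s) aimed at {host}")
```

Run it against a real audit log by passing the file contents to scan(). The count per source host is the useful number: it tells you which outside site your box was being used to hit, which is what the abuse reports will ask about. The regex approach also explains the failure WhiteDog hit: the body from the thread is rejected by a strict parser (strict_xml_ok returns False for it), so any ModSecurity rule keyed on the parsed XML tree cannot match it, while a rule on the raw body text can.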