Misiek

Well-Known Member
Feb 23, 2004
cPanel Access Level
Root Administrator
Dear all,
Most cPanel boxes with WordPress are now under attack via the pingback function, which allows DDoSing any host. Could someone please give the rule to add to mod_security to disable this kind of attack? Is there any other possibility to close the server against this hole?
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello :)

Yes, the links referenced in the previous post should be helpful. Feel free to let us know the outcome after implementing any of those solutions.

Thank you.
 

WhiteDog

Well-Known Member
Feb 19, 2008
I am facing a similar issue and spent some time writing a better mod_security rule. I can't get it to work as I would like. I would like to add an extra filter for the word "pingback" but can't seem to filter against the REQUEST_BODY part, most likely because the parameter is not filled due to the data being XML. Any help would be appreciated :)

Code:
<LocationMatch "/xmlrpc\.php">
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,id:1010102,ctl:requestBodyProcessor=URLENCODED"
# not working
SecRule REQUEST_BODY "@contains pingback" "id:1010103,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
# working
SecRule REQUEST_METHOD "@streq POST" "id:1010105,msg:'CUSTOM: XML Pingback',phase:2,drop,log,auditlog,severity:2"
</LocationMatch>
Also tried with:
Code:
SecRule REQUEST_HEADERS:Content-Type "@contains xml" "id:1010102,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=On"

And a sample:
Code:
String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
[31/Dec/2014:10:41:37 +0100] VKPE0F-T6gMAAJFzNDEAAAAW 23.94.21.26 54110 95.211.234.3 80
--91681c7b-B--
POST /xmlrpc.php HTTP/1.0
Host: www.xxxxxxxxxxxxxxxxxx.nl
Content-type: text/xml
Content-length: 263
User-agent: Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)

--91681c7b-C--
<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://www.hmw-innovations.ag/</string></value></param><param><value><string>http://www.xxxxxxxxxxxxxx.nl/?page_id=100</string></value></param></params></methodCall>
--91681c7b-F--
HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.3.29
X-Pingback: http://xxxxxxxxxxxxxxxxx.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://xxxxxxxxxxxxxxx.nl/xmlrpc.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--91681c7b-H--
Message: XML parser error: XML: Failed parsing document.
Message: Access denied with connection close (phase 2). String match "POST" at REQUEST_METHOD. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "10"] [id "1010105"] [msg "CUSTOM: XML Pingback"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1420018896758086 295819 (- - -)
Stopwatch2: 1420018896758086 295819; combined=1534, p1=265, p2=1078, p3=0, p4=0, p5=112, sr=54, sw=79, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); COMODO WAF: rules for Apache 2.4.
Server: Apache
Engine-Mode: "ENABLED"
 
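A rule set that does what the post above is trying to do, added here as an example; it is not taken from any post in this thread or from the COMODO rule set. It assumes ModSecurity 2.x built with libxml2 (the XML body processor) and SecRequestBodyAccess On; the rule IDs 1010110 to 1010112 are placeholders chosen to sit next to the IDs used above, so use whatever IDs are free on your server.

```apache
# Added example for ModSecurity 2.x (not from this thread or the COMODO rule set).
# Rule IDs 1010110-1010112 are placeholders; use IDs that are free on your server.
# Requires SecRequestBodyAccess On (already set by any rule set that inspects bodies).

# Phase 1: parse XML-RPC request bodies with the XML body processor so that the
# XML: collection is available in phase 2. If the active rule set already does
# this (the "XML parser error" line in the audit log above shows one did), this
# rule is redundant but harmless.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:text|application)/xml" \
    "id:1010110,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Phase 2: deny requests to xmlrpc.php whose methodName is pingback.ping.
# The XML: collection takes an XPath expression, so the method name can be
# matched directly. REQUEST_BODY is only populated by the URLENCODED processor
# (or by forceRequestBodyVariable when no processor is set), which is why a
# "@contains pingback" test on it never fires once the XML processor is active.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1010111,phase:2,t:none,deny,status:403,log,auditlog,severity:2,\
    msg:'CUSTOM: XML-RPC pingback.ping to xmlrpc.php blocked',chain"
    SecRule XML:/methodCall/methodName/text() "@streq pingback.ping" "t:none,t:trim"

# Phase 2: a body the XML processor could not parse (the captured payload above
# starts with '<?xmlversion' and failed parsing) leaves XML: empty, so the rule
# above cannot see its methodName. Deny unparsable XML sent to xmlrpc.php rather
# than letting it through to WordPress.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1010112,phase:2,t:none,deny,status:403,log,auditlog,severity:2,\
    msg:'CUSTOM: malformed XML body posted to xmlrpc.php',chain"
    SecRule REQBODY_ERROR "@eq 1" "t:none"
```

Two points worth checking before relying on this. First, phase 1 rules that set ctl:requestBodyProcessor are last-writer-wins, so if a vendor rule set also picks a processor for text/xml, whichever file Apache loads later decides what phase 2 sees; with the COMODO rules active the audit log shows the XML processor ran. Second, matching on pingback.ping is deliberately narrower than the working 1010105 rule above, which denies every POST to xmlrpc.php: that also cuts off Jetpack, the WordPress mobile apps and any other legitimate XML-RPC client on the server. To confirm the rule fires, post the captured methodCall from the audit log with curl and a text/xml Content-Type and expect a 403 plus a matching entry in the audit log; a call with a different methodName should still reach WordPress. Per site, WordPress's own xmlrpc_methods filter can remove pingback.ping without touching the WAF at all.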