Categories: Hacking

162,000 WordPress instances abused for DDoS attack

Sucuri firm detected a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors.

The security community is threatened by a new botnet composed at least 162,000 WordPress-powered websites abused to run DDoS attacks. The technique of attack allows to flood a target with requests sent by WordPress servers that received a specifically crafted spoofed Web request. The requests sent to the WordPress servers appear to come from the target site, so the attackers are able to amplify they fire capability.

The discovery was made by experts from security firm Sucuri that counted more than 162,000 legitimate WordPress sites targeting the web site of a company customer.

“Can you see how powerful it can be?” “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.” states the blog post published by the company. 

The attack targets the XML-RPC implemented by web sites running WordPress and many other Web applications that offer services such as pingbacks, trackbacks, and remote access to some users.

A similar attack is considerable as an “application DDoS” conducted with ISO/OSI application layer requests, exactly like HTTP DDoS attack, despite its magnitude is significantly lower respect a DNS amplification DDoS attack or an NTP based DDoS.

One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

To discover if your WordPress instance is abused to conduct DDoS attack it is possible to run an online scan with this tool proposed by Sucury firm, the post also provides instructions to improve security of the WordPress like adding the following code to a site theme:

add_filter‘xmlrpc_methods’, function$methods ) {
unset$methods[pingback.ping’] );
return $methods;
} );

Be aware, because filter could have an impact on your website because the numerous functionalities based on XML-RPC protocol. We can conclude that DDoS attacks are becoming even more popular and attackers are adopting new and original techniques.

Pierluigi Paganini

(Security Affairs – WordPress, DDoS)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware…

4 hours ago

Sophos fixed critical vulnerabilities in its Firewall product

Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access…

17 hours ago

U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote…

1 day ago

Raccoon Infostealer operator sentenced to 60 months in prison

Raccoon Infostealer operator Mark Sokolovsky was sentenced to 60 months in US prison and ordered…

1 day ago

Mirai botnet targets SSR devices, Juniper Networks warns<gwmw style="display:none;"></gwmw>

Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after…

2 days ago

Fortinet warns about Critical flaw in Wireless LAN Manager FortiWLM<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet warns of a patched FortiWLM vulnerability that could allow admin access and sensitive information…

2 days ago

This website uses cookies.