Friday, October 9, 2015

xmlrpc.php attack


REPORT


EXECUTIVE SUMMARY/KEY FINDINGS


We noticed performance issues on our website. After some investigation we found that our site was being used as part of a DDoS attack against www.venompen.com, through the XML-RPC pingback feature that WordPress enables by default. We blocked those requests and the issue was solved.
Our IPS did not detect this attack, mostly because pingback is a legitimate WordPress feature that was being abused rather than a bug being exploited; a manual signature has to be created to detect attacks like this in the future.
The victim's site is still down at the time of this writing.

TECHNICAL ANALYSIS

We noticed performance issues on our site running WordPress; the monitoring tools showed spikes in CPU and memory utilization:





Checking the connections to the server with “netstat -an | grep :80” we saw only a few valid “ESTABLISHED” connections at that time (the non-zero Recv-Q on each of them means request bytes were queued in the kernel and not yet read by Apache, consistent with the worker processes being busy):
tcp      167      0 172.XX.XX.XX:80              104.XX.XX.91:47950        ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              149.XX.XX.196:46616       ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              158.XX.XX.82:48896          ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              176.XX.XX.83:43845          ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              176.XX.XX.149:60507         ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              198.XX.XX.143:37282        ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              208.XX.XX.251:39214        ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              209.XX.XX.67:33619        ESTABLISHED
tcp      167      0 172.XX.XX.XX:80              212.XX.XX.XX:40084        ESTABLISHED

Around 260 lines of CLOSE_WAIT connections from the attacker's IPs (consistent with the attack tool closing its side right after sending the request, while our side stays in CLOSE_WAIT until PHP finishes processing the pingback, outbound fetch included):
tcp        0      0 172.XX.XX.XX:80              93.174.93.234:33124         CLOSE_WAIT
tcp        0      0 172.XX.XX.XX:80              94.102.49.2:33184           CLOSE_WAIT 

Looking deeper into the logs, we found thousands of entries for xmlrpc.php (two shown below). Note the User-Agent on every entry: it has a colon after “compatible” where a genuine Internet Explorer User-Agent has a semicolon, which makes it a cheap signature for the tool behind this flood:

Output from grep -r xmlrpc /usr/local/apache/domlogs/*

/usr/local/apache/domlogs/siteABC/ABC.com:94.102.49.2 - - [08/Oct/2015:12:12:02 -0600] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
/usr/local/apache/domlogs/siteABC/ABC.com:93.174.93.234 - - [08/Oct/2015:12:41:09 -0600] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

The same information, seen in Wireshark:


According to the site Sucuri.net:
“XML-RPC is used in WordPress as an API for third-party clients such as WordPress mobile apps, popular weblog clients like Windows Writer and popular plugins such as Jetpack. XML-RPC is used for pingbacks and trackbacks which are a good thing but can be heavily misused to start DDoS attacks.”
According to Google, a pingback is:
“An automatic notification sent when a link has been created to a person's blog post from an external website, allowing a reciprocal link to that website to be created.”
The pingback.ping method takes two parameters: the source URI (the page that links to us) and the target URI (the post on our site being linked to). When WordPress processes a pingback it resolves the target URI to one of its own posts, then makes an HTTP request to the source URI and checks the response for a link back to that post. If it finds one, it publishes a comment on the post noting that the post was mentioned on the source site.
The request to the source URI is the problem: an attacker puts the victim's URL in the source field, so every pingback makes our site fetch a page from the victim. That effectively turns any clean WordPress site into an open proxy for application-level attacks, and pingback is enabled by default.

Now, who were we “attacking”?

From Wireshark we extracted the following payload from one POST event, followed by the start of the server's response:

POST /xmlrpc.php HTTP/1.0
Host: XX.XX.X8.3
Content-type: text/xml
Content-length: 243
User-agent: Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)
Connection: close

<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://www.venompen.com</string></value></param><param><value><string>http://ourWordpressSite</string></value></param></params></methodCall>

HTTP/1.1 200 OK
Date: Thu, 08 Oct 2015 20:57:14 GMT
Server: Apache
X-Powered-By: PHP/5.4.34
Connection: close

The first parameter (the source URI) is http://www.venompen.com and the second (the target URI) is our own site, so every one of these requests made our server fetch a page from the victim: our site was participating in a Distributed Denial of Service (DDoS) attack against http://www.venompen.com. Note that the HTTP 200 on the response does not by itself prove a pingback was accepted, because XML-RPC reports faults in the response body with a 200 status; outbound connections from the web server to www.venompen.com are the direct evidence.
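To make the pingback mechanism and the captured payload concrete, here is an added example (not from the original report) that parses an XML-RPC methodCall, applies the kind of sanity checks a pingback must pass before WordPress fetches the source URI, and reports which host our server would be made to connect to. The checks are a simplified model of WordPress's own and are an assumption; the body is a constructed copy of the capture above with the XML declaration and the closing string tag restored, and the hosts blog.example.org and some-other-site.example are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Constructed copy of the captured body above, with the space in the XML
# declaration and the closing </string> that the capture lost put back.
CAPTURED_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
    '<params>'
    '<param><value><string>http://www.venompen.com</string></value></param>'
    '<param><value><string>http://ourWordpressSite</string></value></param>'
    '</params></methodCall>'
)


def parse_xmlrpc(body):
    """Return (methodName, [string params]) from an XML-RPC <methodCall>.
    Note: for untrusted input in production use defusedxml, not ElementTree."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    params = []
    for value in root.findall("./params/param/value"):
        node = value.find("string")
        # XML-RPC allows a bare <value>text</value> to mean a string.
        params.append(((node.text if node is not None else value.text) or "").strip())
    return method, params


def classify_pingback(body, our_host):
    """Apply the sanity checks a pingback must pass before WordPress fetches the
    source URI (assumption: a simplified version of WordPress's own checks)
    and report which host our server would be made to connect to."""
    method, params = parse_xmlrpc(body)
    if method != "pingback.ping":
        return {"pingback": False, "method": method}
    result = {"pingback": True, "accepted": False, "fetches": None}
    if len(params) != 2:
        result["reason"] = "expected two parameters"
        return result
    source, target = params
    src, tgt = urlsplit(source), urlsplit(target)
    if src.scheme not in ("http", "https") or not src.hostname:
        result["reason"] = "source is not an http(s) URL"
    elif tgt.hostname != our_host:
        result["reason"] = "target is not on this site"
    elif source == target:
        result["reason"] = "source and target are the same resource"
    else:
        # Everything checks out, so WordPress would now GET the source URI.
        # That request, repeated across thousands of pingbacks and many abused
        # blogs, is the traffic the victim receives.
        result.update(accepted=True, fetches=src.hostname, source=source, target=target)
    return result


def victims_in(bodies, our_host):
    """Count the hosts a batch of accepted pingbacks would make us fetch from.
    Legitimate pingbacks come from many different sources; a flood points at one."""
    return Counter(
        c["fetches"] for c in (classify_pingback(b, our_host) for b in bodies) if c.get("accepted")
    )


def pingback_body(source, target):
    """Build a pingback.ping call (used only to construct sample traffic)."""
    return (
        '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
        f'<params><param><value><string>{source}</string></value></param>'
        f'<param><value><string>{target}</string></value></param></params></methodCall>'
    )


# Constructed batch: three copies of the capture, one legitimate-looking pingback,
# one aimed at somebody else's site, and an unrelated XML-RPC call.
SAMPLE_BATCH = [CAPTURED_BODY] * 3 + [
    pingback_body("http://blog.example.org/2015/10/hello/", "http://ourWordpressSite/"),
    pingback_body("http://www.venompen.com/", "http://some-other-site.example/"),
    '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>',
]

if __name__ == "__main__":
    print(classify_pingback(CAPTURED_BODY, "ourwordpresssite"))
    print(victims_in(SAMPLE_BATCH, "ourwordpresssite"))
```

The point the output makes is that the captured request is a perfectly well-formed pingback: nothing in it is malformed, the checks pass, and the only thing that distinguishes it from a legitimate one is that many requests name the same source host, which is why a signature on the request alone is hard and rate and source-host counting matter.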


MITIGATION TECHNIQUES

There are multiple ways to fix this issue. One is to disable pingbacks globally in WordPress (by its description, the remove-xmlrpc-pingback-ping plugin listed in the references removes only the pingback.ping method from the XML-RPC interface and leaves the rest of XML-RPC working). The fix we applied was to block incoming requests for xmlrpc.php with iptables:

 iptables -I INPUT -p tcp --dport 80 -m string --string "POST /xmlrpc.php" --algo bm -j REJECT --reject-with tcp-reset

The rule above rejects the connection when a packet carries the string "POST /xmlrpc.php", answering with a TCP RST. A few caveats apply. The string match runs on each packet by itself and only on plain HTTP to port 80, so TLS traffic on 443 is invisible to it, and a request whose first line is split across segments or written with an equivalent path (a doubled slash, a dot segment or a percent-encoded character) still reaches xmlrpc.php. It also blocks the legitimate XML-RPC clients named above (the mobile apps, Jetpack and desktop blog editors), so the WordPress-level fix is the better long-term answer. Finally, like any iptables rule it does not survive a reboot unless the ruleset is saved.
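To show where a string-match rule like the one above falls short, here is an added example (not part of the original report) that models the iptables `-m string` test as a per-segment substring search and, next to it, approximates the path Apache maps a request line to after percent-decoding, slash merging and dot-segment removal. The Apache model is an assumption about httpd's default path handling, not a full implementation, and the request variants and the Host header example.invalid are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

RULE_NEEDLE = b"POST /xmlrpc.php"


def string_match_blocks(segments, needle=RULE_NEEDLE):
    """Model of the iptables `-m string` test: a plain substring search run on
    each TCP segment by itself. There is no stream reassembly, so a needle that
    straddles two segments is not seen."""
    return any(needle in seg for seg in segments)


def apache_target_path(segments):
    """Approximate the path httpd maps a request line to: the server reassembles
    the stream, percent-decodes the path, merges repeated slashes and removes
    dot segments. Assumption: this models httpd's default behaviour only."""
    request = b"".join(segments)
    request_line = request.split(b"\r\n", 1)[0]
    method, target, _version = request_line.split(b" ", 2)
    path = unquote(target.split(b"?", 1)[0].decode("latin-1"))
    path = re.sub(r"/{2,}", "/", path)
    return method.decode("ascii"), posixpath.normpath(path)


def evaluate(segments, needle=RULE_NEEDLE):
    """Return (blocked_by_rule, method, path_the_server_sees) for one request."""
    blocked = string_match_blocks(segments, needle)
    method, path = apache_target_path(segments)
    return blocked, method, path


def request(line):
    """One plain-HTTP request with headers like the capture above (constructed;
    the XML body is omitted because only the request line matters here)."""
    return line + b"\r\nHost: example.invalid\r\nContent-type: text/xml\r\nConnection: close\r\n\r\n"


# Constructed request variants. The first is the attack as captured; the others
# all resolve to xmlrpc.php but never contain the rule's literal string.
VARIANTS = {
    "as captured":           [request(b"POST /xmlrpc.php HTTP/1.0")],
    "double slash":          [request(b"POST //xmlrpc.php HTTP/1.0")],
    "dot segment":           [request(b"POST /./xmlrpc.php HTTP/1.0")],
    "percent-encoded dot":   [request(b"POST /xmlrpc%2Ephp HTTP/1.0")],
    "split across segments": [b"POST /xml", request(b"rpc.php HTTP/1.0")],
}


def audit(variants=VARIANTS):
    """Map each variant name to (blocked, method, path) so the gaps are visible."""
    return {name: evaluate(segs) for name, segs in variants.items()}


if __name__ == "__main__":
    for name, (blocked, method, path) in audit().items():
        print(f"{name:22s} blocked={blocked!s:5s} server sees {method} {path}")
```

Only the first variant is rejected; the rest reach xmlrpc.php untouched. A filter that sees the normalized path (a deny rule for the file in the web server configuration, or removing pingback.ping inside WordPress) does not have this problem.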

REFERENCES

 Technical Information:
https://wordpress.org/plugins/remove-xmlrpc-pingback-ping/
https://blogs.akamai.com/2014/03/anatomy-of-wordpress-xml-rpc-pingback-attacks.html