Ticket #894 (new maintenance)

Opened 11 months ago

Last modified 11 months ago

Brute Force Attacks Against WordPress XMLRPC

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: ade, laura., sam Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 1.05

Description (last modified by chris) (diff)

For a few months I have seen a lot of requests going to WordPress /xmlrpc.php and wasn't sure why; now it is clear:

Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

I'd like to install Stop XML-RPC Attack on all the WordPress sites we host, unless anyone has a good reason not to. This plugin simply whitelists JetPack/Automattic's subnets and blocks all other access to /xmlrpc.php.

I started tracking the abuse a while ago and you can see it and manually address it on ParrotServer like this:

sudo -i
wp-xmlrpc-abuse 
IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log:
      2 46.148.XX.XX
    733 195.62.53.243
    177 195.62.53.243
      2 66.76.XX.XX
dig -x 195.62.53.243 +short
  53-243.static.spheral.ru.
ipdrop 195.62.53.243

But we need to be more pro-active in blocking access or we are going to probably see some compromised sites.
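The counting step the ticket runs by hand is shown below as an added example; it is a reconstruction of the idea behind the wp-xmlrpc-abuse helper, not the script installed on ParrotServer, and the combined-format log lines it reads are constructed samples.

```shell
#!/bin/sh
# Added example (not the ticket's wp-xmlrpc-abuse script): report clients that
# hit xmlrpc.php more than a threshold number of times in the tail of a log.

# Usage: xmlrpc_abusers LOGFILE [LINES] [THRESHOLD]
# Prints "<count> <ip>" for IPs with more than THRESHOLD requests to
# xmlrpc.php within the last LINES lines of LOGFILE (defaults: 1000, 2).
xmlrpc_abusers() {
    log="$1"; lines="${2:-1000}"; threshold="${3:-2}"
    tail -n "$lines" "$log" |
        awk -v thr="$threshold" '
            # in the Apache combined format field 7 is the request path
            $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
            END { for (ip in hits) if (hits[ip] > thr) print hits[ip], ip }
        ' | sort -rn
}

# Constructed sample log: one client repeatedly POSTs to xmlrpc.php (the
# multicall brute-force pattern), one looks like a legitimate Jetpack client
# staying under the threshold, one is ordinary page traffic.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [24/Oct/2015:13:01:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 651 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Oct/2015:13:01:03 +0100] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2015:13:01:04 +0100] "POST /xmlrpc.php HTTP/1.1" 200 651 "-" "Mozilla/5.0"
192.0.2.33 - - [24/Oct/2015:13:01:05 +0100] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Jetpack"
198.51.100.7 - - [24/Oct/2015:13:01:06 +0100] "POST /xmlrpc.php HTTP/1.1" 200 651 "-" "Mozilla/5.0"
192.0.2.33 - - [24/Oct/2015:13:01:07 +0100] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Jetpack"
198.51.100.7 - - [24/Oct/2015:13:01:08 +0100] "POST /xmlrpc.php HTTP/1.1" 200 651 "-" "Mozilla/5.0"
EOF

echo "IP addresses accessing xmlrpc.php more than twice in the last 1000 lines:"
xmlrpc_abusers "$SAMPLE_LOG" 1000 2
```

On a real server the function would be run once per vhost log (for example in a loop over the access.log files), which is why the ticket's output lists the same IP twice with different counts.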

Change History

comment:1 Changed 11 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

comment:2 Changed 11 months ago by chris

  • Description modified (diff)

comment:3 Changed 11 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.8
  • Total Hours changed from 0.25 to 1.05

Installing Stop XML-RPC Attack on all WordPress sites on ParrotServer:

sudo -i
su - conference15 -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
  Installing Stop XML-RPC Attack (1.0.3)
  Downloading install package from https://downloads.wordpress.org/plugin/stop-xmlrpc-attack.1.0.3.zip...
  Unpacking the package...
  Installing the plugin...
  Plugin installed successfully.
wp plugin activate stop-xmlrpc-attack
  Success: Plugin 'stop-xmlrpc-attack' activated.

Then a page needs to be requested on the site, https://conference15.transitionnetwork.org/, to trigger the update of the .htaccess file; after that has been done, this has been appended to it:

# BEGIN WORDPRESS PLUGIN stop_xmlrpc_attack
<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 10.0.0.0/8
allow from 64.34.206.0/24
allow from 66.135.48.128/25
allow from 66.155.38.0/24
allow from 69.174.248.128/25
allow from 76.74.248.128/25
allow from 76.74.254.0/25
allow from 76.74.255.0/25
allow from 127.0.0.0/8
allow from 172.16.0.0/12
allow from 192.0.64.0/18
allow from 192.168.0.0/16
allow from 198.181.116.0/22
allow from 207.198.101.0/25
allow from 207.198.112.0/23
allow from 209.15.21.0/24
allow from 216.151.209.64/26
allow from 216.151.210.0/25
</Files>
# END WORDPRESS PLUGIN stop_xmlrpc_attack

Adding the plugin to the other sites:

su - cop21 -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
  Installing Stop XML-RPC Attack (1.0.3)
  Downloading install package from https://downloads.wordpress.org/plugin/stop-xmlrpc-attack.1.0.3.zip...
  Unpacking the package...
  Installing the plugin...
  Plugin installed successfully.
wp plugin activate stop-xmlrpc-attack
  Success: Plugin 'stop-xmlrpc-attack' activated.
exit
su - reconomy -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
  PHP Fatal error:  Class 'WP_Widget' not found in /home/reconomy/sites/default/wp-content/plugins/akismet/class.akismet-widget.php on line 5
  Fatal error: Class 'WP_Widget' not found in /home/reconomy/sites/default/wp-content/plugins/akismet/class.akismet-widget.php on line 5

This is an error that lots of people have:

And the fix:

WP CLI - Needs to be upgraded to the latest release, otherwise it won’t work.

https://wordpress.org/support/topic/read-this-first-wordpress-44-master-list?replies=5#post-7753846

So:

which wp
/usr/local/bin/wp
ls -lah /usr/local/bin/ | grep wp
lrwxrwxrwx  1 root staff    20 Nov 20  2014 wp -> ../src/wp-cli/bin/wp
-rwxr-xr-x  1 root staff   286 Oct 24 13:03 wp-brute-force
-rwxr-xr-x  1 root staff   269 Oct 24 13:17 wp-xmlrpc-abuse
cd /usr/local/src/
wget https://raw.github.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod 755 wp-cli.phar
php wp-cli.phar --info --allow-root
  PHP binary:     /usr/bin/php5
  PHP version:    5.4.45-0+deb7u2
  php.ini used:   /etc/php5/cli/php.ini
  WP-CLI root dir:        phar://wp-cli.phar
  WP-CLI global config:
  WP-CLI project config:
  WP-CLI version: 0.22.0
rm -rf wp-cli
cd ../bin/
rm wp
ln -s ../src/wp-cli.phar wp

Try again:

su - reconomy -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
  Installing Stop XML-RPC Attack (1.0.3)
  Downloading install package from https://downloads.wordpress.org/plugin/stop-xmlrpc-attack.1.0.3.zip...
  Unpacking the package...
  Installing the plugin...
  Plugin installed successfully.
  Success: Translations updates are not needed for the 'English (US)' locale.
wp plugin activate stop-xmlrpc-attack
  Success: Plugin 'stop-xmlrpc-attack' activated.
exit
su - tc -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
  PHP Fatal error:  Call to a member function separator() on a non-object in /home/tc/sites/default/wp-content/plugins/contactforms/buttonsnap.php on line 433
  Fatal error: Call to a member function separator() on a non-object in /home/tc/sites/default/wp-content/plugins/contactforms/buttonsnap.php on line 433

The wp-content/plugins/contactforms directory appears to have a variety of code in it. Stop XML-RPC Attack was installed using the web interface; these plugins have updates available:

  • Akismet
  • BackWPup
  • Bad Behavior
  • jQuery Colorbox
  • Optimize Database after Deleting Revisions
  • Query Monitor
  • Simple Recent Comments
  • Spam Destroyer
  • Subscribe2
  • Subscribe To Comments
  • User Switching

I haven't updated these or updated WordPress itself for fear of breaking things -- Sam perhaps you might want to look at this, I think you did the last updates on the site?

su - ts -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
wp plugin activate stop-xmlrpc-attack
exit
su - ttt -s /bin/bash
source /etc/bash_completion.d/wp 
cd sites/default/
wp plugin install stop-xmlrpc-attack
wp plugin activate stop-xmlrpc-attack
exit

The http://www.transitiontowntotnes.org/ and http://www.transitionstreets.org.uk/ sites were accessed and the .htaccess files were checked.

comment:4 Changed 11 months ago by chris

  • Description modified (diff)