| 1. |
Solve : 160,000 WordPress DDoS zombies? |
|
Answer» Full story: PCWorld

Including two on my sites!

Also, wp-cron.php had a vulnerability a while ago (last July or thereabouts) that allowed attackers to save and edit files on your server. I had to deal with an attack around that time. First I noticed a strange folder, "Dimethyline", in the FTP. Looking inside, it clearly contained the PHP code for some sort of hack bouncer, almost precisely the sort of thing that would be used to DDoS. (You passed in a URL and it would retrieve the contents of that URL on the webhost and then serve it from the host itself, so it was basically working as a proxy.) I was able to delete it, but it reappeared a few days later. That got my interest rather fast. Then I looked at the FTP logs and saw that there was a login from an IP in Argentina to my FTP account. Naturally, I instantly changed my password. A login failed, then there was a web access to wp-cron and the FTP accesses worked again. wp-cron.php was vulnerable in some way, so what I did was lock it down with a plugin that required a secret key in order for the script to continue. Then I changed all passwords and deleted the hack code and haven't had a problem since. It could have been much worse, as according to the FTP logs, this other user had made changes to index.php. However, 40 seconds later, I also uploaded a changed version, so in a case of rather good luck I managed to basically overwrite the changes entirely.

Thanks for sharing that. I don't have the skill set to do that kind of probing. Instead, I have taken down both Gekk9pm.com and DSLGeek.com for now. Maybe I will have to change the IP also. Not sure. Hard to believe so many legitimate sites were used for evil ends. Unfortunately, our talking about this might encourage more hackers to try it. But we cannot just pretend it never happens. Now that I know, I will take measures to prevent this.

Thanks Geek for the info, I have three WordPress sites and as far as I remember I have pingbacks turned off, I must check, but I'm 99% sure you can turn them off. |
|
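The log sequence described in the thread above (a failed FTP login, a request to wp-cron.php, then FTP logins working again, followed by file changes) can be searched for once FTP and web logs are merged. This is an added example, not part of the original posts; the one-line event format, the function names, the sample addresses and the assumption that all steps come from one IP are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread), already normalised
# from FTP and web server logs into: timestamp source client_ip detail
SAMPLE_LOG = """\
2000-01-01T10:00:00 ftp 203.0.113.7 LOGIN_FAIL
2000-01-01T10:00:20 web 203.0.113.7 POST /wp-cron.php
2000-01-01T10:00:45 ftp 203.0.113.7 LOGIN_OK
2000-01-01T10:01:10 ftp 203.0.113.7 STOR index.php
2000-01-01T11:00:00 ftp 198.51.100.4 LOGIN_FAIL
2000-01-01T11:00:30 ftp 198.51.100.4 LOGIN_OK
2000-01-01T12:00:00 web 192.0.2.9 GET /wp-cron.php
"""

def parse(text):
    """Yield (time, source, ip, detail) tuples from the normalised lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, ip, detail = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), source, ip, detail

def find_suspicious(text, window=timedelta(minutes=10)):
    """Return {ip: [files written]} for IPs showing the sequence
    FTP login failure -> wp-cron.php request -> FTP login success
    within `window`, plus any files uploaded afterwards."""
    stage = {}    # ip -> (stage number, time of the first failure)
    flagged = {}  # ip -> list of uploaded file names
    for ts, source, ip, detail in sorted(parse(text)):
        step, start = stage.get(ip, (0, ts))
        if step and ts - start > window:
            step, start = 0, ts             # sequence went stale, start over
        if source == "ftp" and detail == "LOGIN_FAIL" and step == 0:
            step, start = 1, ts
        elif source == "web" and "/wp-cron.php" in detail and step == 1:
            step = 2
        elif source == "ftp" and detail == "LOGIN_OK":
            if step == 2:
                flagged.setdefault(ip, [])  # full sequence seen for this IP
            step = 0
        elif source == "ftp" and detail.startswith("STOR ") and ip in flagged:
            flagged[ip].append(detail[5:])  # file written after the sequence
        stage[ip] = (step, start)
    return flagged
```

An ordinary mistyped password followed by a good login (the second address) and a lone wp-cron.php request (the third) are not flagged; only the full three-step sequence is.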