<del>Word</del><ins>Botnet</ins>Press identified.


  • Trolleybus Mechanic

    Oh the deep layers of buttery-flakey WTF in this one just, mmm, melts in your mouth.

    Okay, so at the top there's a WordPress botnet that's currently active. Nothing unusual about that. The main target of the botnet is other WordPress sites, presumably attempting to grow the botnet in size. Cool.

    But how are those attacks being performed? The infected sites run a script that tries to brute-force credentials on target sites through xmlrpc.php. What is xmlrpc.php, and why does thinking about "xml", "rpc" and "WordPress" in the same thought make the skin of your brain crawl? xmlrpc is exactly what it sounds like. It's a php script that takes a chunk of XML and tries to interpret it as a procedure call, done remotely. One of the things you can do is try to login. Is that a butt-stupid idea? Yes, it is. I'd be wary of even the best system taking in arbitrary requests and attempting to do system-critical things with that data. So you can imagine how much I trust WordPress to do that correctly. (Hint: my trust level is, as soon as I install WordPress, I nuke that file, and then put in as many .htaccess and firewall rules as possible to block xmlrpc.php).

    But wait, says anyone with a passing knowledge of WordPress security history, isn't xmlrpc.php already responsible for security vulnerabilities in the past? Why yes, person, it has been. Most notably one that this botnet is trying to take advantage of in unpatched sites (or any WordPress older than 4.4, since WordPress never back-ported the fix). You see, xmlrpc.php allows you to do batch processing. I suppose that's if you want to-- syndicate multiple posts? I dunno, I've never heard of a use case for xmlrpc that justifies its existence. Anyways, if you haven't put 1 + 1 = WTF together, that means xmlrpc allows you to attempt to authenticate credentials AND allows you to do batch operations.

    Yup. Hackers quickly realized they could send an XMLRPC request with TENS OF THOUSANDS of login requests, and not only would WordPress process each one-- it wouldn't trip off any brute force alarms that rely on number-of-page-requests, and it also wouldn't trip alarms for number of login-attempts. And even better, after it processed every request, it would then return which of them succeeded and which failed. !!!

    The "fix" was to say that if a single login attempt failed in the batch, then stop processing and return a general error. That way the attackers wouldn't know which login failed. Though I'm sure that since xmlrpc processes logins until it encounters an error, then someone can fairly easily do some sort of "which half is it in" analysis based on the amount of time the response takes, and try again. Brillant information leakage!

    So there's a botnet taking advantage of a piece of wordpress that was dumbly designed, serves no purpose and should never be there in the first place (:hanzo: just like the entire wordpress itself har har har). WordPress is dumb. But I promised more as you dug deeper.

    The botnet itself consists of a whole bunch of wordpress sites, and about 4 command and control servers behind nearly 20k proxy servers in Russia. Obviously those servers are in Russia, and belong to a company who gives zero fucks-with-a-backwards-R about who uses the proxy or how, as long as they pay.

    How do we know those numbers? Well, Wordpress isn't the only dumbs here.

    Imagine you have a botnet. You want to use the bots to attack other sites. But those bots need to know who the targets are. They need a list of targets, distributed by the C&C servers. Seems easy enough. The C&C sites can contact the bots, going through the proxy servers so as not to reveal the C&C's actual IP address.

    OR you can do what this botnet does, which is the C&C server contacts the bot to give a command, and at the same time has the bot run a function. That function takes in $path as input. The function then checks the local filesystem for the .txt file of targets. If it's missing or out of date, the bot does a server-side call back to the C&C server with $path being the C&C server's IP address.

    The actual IP address.

    If the bot had just returned a message like "I am out of date", and the server made a second request with just the new file, that would have been smart. Instead the hackers were smrt, and security researchers now know the IPs of the main C&C servers.

    But how do the security researchers know how many proxy servers there are? Well......

    You go to the IP address of the C&C server, and you get a login screen. No way you're going to guess the hacker's passwords, right? But maybe you can go right to /index.php or something. No good, the server just responds with a 302 back to index.php. But the C&C software doesn't flush the response stream first. So it returns a 302 AND the html of the page you requested. Same thing happens if you POST. Security researchers were able to effectively browse the entire C&C server, unauthenticated, and get a list of all the proxy servers.

    And now for that last bit of delicious flaky yummy wtf-ness. A growing number of those proxy servers, if accessed, instead of returning whatever a proxy server should return-- they instead return a 500 error, along with an error page with Russian text that when translated means "this key is no longer valid as it hasn't been paid for". ie: fuck you, comrade, give me money.

    So the hackers, even though they are on a proxy network run by people who only care about one thing-- getting paid-- they, uh, have been forgetting to pay their bills. And their proxy network is slowly rotting away.

    WordPress, everyone!
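    The multicall amplification the post above describes, as an added example (not code from the post, from WordPress, or from the botnet). The attacker packs many `wp.getUsersBlogs` calls, each of which authenticates, into one `system.multicall` POST body; the "server" below is a stand-in that only simulates the two behaviours the thread talks about (pre-4.4: every call checked and answered individually; hardened: once one login in a request fails, the rest are refused without checking, which is how WordPress 4.4 addressed it as far as I know). The account, password list and method names are constructed for the demo; the detector at the bottom is the check a WAF or log rule actually needs, since per-request counters see only one request:

```python
"""Simulating the xmlrpc.php system.multicall brute-force amplification.

Added example with constructed data; nothing here contacts a real site.
"""
import xmlrpc.client

# Constructed target account (assumption for the demo).
ACCOUNTS = {"admin": "Tr0ub4dor&3"}

# XML-RPC methods that take (username, password) and authenticate on every call.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getUsers", "wp.getPosts", "wp.newPost",
                "metaWeblog.getRecentPosts"}


def build_multicall(username, guesses):
    """Attacker side: one HTTP request carrying one login attempt per guess."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in guesses]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_login_attempts(body):
    """Defender side: how many credential checks does THIS request body contain?

    A rule that counts POSTs to xmlrpc.php sees 1; this sees the real number.
    """
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return 1 if method in AUTH_METHODS else 0
    return sum(1 for call in params[0] if call.get("methodName") in AUTH_METHODS)


def serve_multicall(body, hardened):
    """Stand-in server.  hardened=False answers every call on its own merits
    (pre-4.4).  hardened=True remembers the first failed login in the request
    and rejects all later logins in it without looking at the password."""
    params, method = xmlrpc.client.loads(body)
    assert method == "system.multicall"
    results = []
    auth_failed = False
    for call in params[0]:
        user, password = call["params"][:2]
        allowed = not (hardened and auth_failed)
        if allowed and ACCOUNTS.get(user) == password:
            # Success: multicall wraps each good result in a one-element array.
            results.append([[{"blogid": "1", "blogName": "demo"}]])
        else:
            auth_failed = True
            results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True)


def extract_successes(response_body, guesses):
    """Attacker side: the per-call results tell it exactly which guess worked."""
    (results,), _ = xmlrpc.client.loads(response_body)
    return [guesses[i] for i, r in enumerate(results) if isinstance(r, list)]
```

Run `count_login_attempts` over the raw request body before the application sees it; a body with more than one entry in `AUTH_METHODS` is a brute-force attempt regardless of how many HTTP requests the source IP has made. With the hardened behaviour the attacker only learns anything if the correct password happens to be the first guess, so the batch gives no more than one check per request.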

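    The ".htaccess and firewall rules" the post mentions, written out as an added example (my rule, not the poster's configuration). On Apache 2.4 this refuses every request for the file; it assumes the site's `AllowOverride` permits `AuthConfig` directives in `.htaccess`, otherwise put the same block in the vhost:

```apache
# Apache 2.4: deny xmlrpc.php entirely (.htaccess or vhost config).
# On Apache 2.2 use "Order deny,allow" / "Deny from all" inside the block instead.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Caveat before deploying: anything that talks to the site over XML-RPC stops working, which includes Jetpack, the official WordPress mobile apps and pingbacks. Check with `curl -i https://example.invalid/xmlrpc.php` (hostname is a placeholder) that you now get a 403 rather than the "XML-RPC server accepts POST requests only." text.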

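    The "302 plus the whole page" leak from the C&C panel, reproduced as an added example (a constructed stand-in, not the botnet's code). The usual cause in PHP is emitting the `Location` header and then carrying on rendering instead of exiting; the vulnerable handler below does exactly that, the fixed one returns immediately. `probe` reads the response the way `curl -i` without `-L` does, i.e. it reports the status and keeps the body instead of following the redirect, and `harvest` is the researcher's loop over known paths. The page contents and proxy addresses are made up:

```python
"""Redirect-without-exit: a 302 that still carries the protected page body.

Added example with a constructed admin panel; it is not the C&C's software.
"""
import io
from http.client import HTTPResponse

# Constructed panel: what an authenticated operator would see at each path.
PAGES = {
    "/index.php": "<form>login</form>",
    "/proxies.php": "<ul><li>10.0.0.5:8080</li><li>10.0.0.6:8080</li></ul>",
}


def render(path):
    return PAGES.get(path, "<h1>404</h1>")


def vulnerable_handler(path, authed):
    """Sets the redirect for anonymous users, then renders the page anyway
    (the header('Location: ...') with no exit; pattern)."""
    status, headers = "200 OK", []
    if not authed:
        status, headers = "302 Found", [("Location", "/index.php")]
        # BUG: no early return here, so the protected body is still emitted.
    return status, headers, render(path)


def fixed_handler(path, authed):
    """Stops as soon as the redirect has been decided."""
    if not authed:
        return "302 Found", [("Location", "/index.php")], ""
    return "200 OK", [], render(path)


def to_http(status, headers, body):
    """Serialise (status, headers, body) as the bytes a server would send."""
    body_b = body.encode()
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    lines += [f"Content-Length: {len(body_b)}", "Content-Type: text/html", "", ""]
    return "\r\n".join(lines).encode() + body_b


class _BytesSock:
    """Minimal socket stand-in so http.client can parse an in-memory response."""
    def __init__(self, raw):
        self._raw = raw

    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._raw)


def probe(handler, path):
    """Client that does NOT follow redirects: returns (status, Location, body)."""
    raw = to_http(*handler(path, authed=False))
    resp = HTTPResponse(_BytesSock(raw))
    resp.begin()
    return resp.status, resp.getheader("Location"), resp.read().decode()


def harvest(handler, paths):
    """Researcher loop: every path that redirects but still ships a body."""
    found = []
    for p in paths:
        status, _, body = probe(handler, p)
        if status == 302 and body.strip():
            found.append((p, body))
    return found
```

The check to run against any login-walled admin panel, your own included: request a protected path with redirects disabled and look at `Content-Length` and the body of the 30x. Anything beyond a few bytes of "Redirecting..." text means the access control is decorative.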
  • BINNED

    Another reason to be ashamed I have a WordPress site. (I'm moving to a different platform "soon", okay?)

    But if I understand correctly, having a properly secure password means it most likely hasn't been attacked, right?


  • Trolleybus Mechanic

    @kazitor said in <del>Word</del><ins>Botnet</ins>Press identified.:

    But if I understand correctly, having a properly secure password means it most likely hasn't been attacked, right?

    If there aren't any weirdly named files on your server and you aren't pumping out gigabytes of outbound requests, then you haven't been attacked yet. :/

    (Seriously, though, highly recommend WordFence as a firewall / IDS / threat removal tool / brute force protection. They're the ones who blogged about the attack in the OP).


  • Discourse touched me in a no-no place

    @Lorne-Kates said in <del>Word</del><ins>Botnet</ins>Press identified.:

    The "fix" was to say that if a single login attempt failed in the batch, then stop processing and return a general error. That way the attackers wouldn't know which login failed. Though I'm sure that since xmlrpc processes logins until it encounters an error, then someone can fairly easily do some sort of "which half is it in" analysis based on the amount of time the response takes, and try again. Brillant information leakage!

    Not convinced about that, since you expect most logins to fail until one gets a success and moves onto the next stage of the attack. It's still very stupid, but it isn't quite as bad as you make out. Searching for the one failure to log in is supposed to be like looking for a needle in a haystack made out of needles.

    TRWTF is WordPress. It's like PHP!PHP! in terms of :wtf:



  • @Lorne-Kates said in <del>Word</del><ins>Botnet</ins>Press identified.:

    xmlrpc is exactly what it sounds like. It's a php script that takes a chunk of XML and tries to interpret it as a procedure call, done remotely. One of the things you can do is try to login. Is that butt-stupid idea? Yes, it is.

    But, but, what if someone wanted to write a client application to interface with WordPress XML RPC API? It's like REST, but from early 2000s.

    On second thought, no, that's still a bad idea because it involves WordPress.


  • BINNED

    @aitap I think MS Word does. 🤷♂


  • BINNED

    @dkf said in <del>Word</del><ins>Botnet</ins>Press identified.:

    TRWTF is WordPress. It's like PHP!PHP! in terms of :wtf:

    More like NPHP!NPHP!, right? 😝


  • Discourse touched me in a no-no place

    @kazitor said in <del>Word</del><ins>Botnet</ins>Press identified.:

    Another reason to be ashamed I have a WordPress site. (I'm moving to a different platform "soon", okay?)

    :disco: 🐴 ?


  • Trolleybus Mechanic

    @aitap said in <del>Word</del><ins>Botnet</ins>Press identified.:

    But, but, what if someone wanted to write a client application to interface with WordPress XML RPC API?

    Then they'd be a botnet owner, because those are the only people who use it.



  • @Lorne-Kates But what about Windows Live Writer? Or the Blog Post magic template in Word? Or LiveJournal's cross-post feature? Maybe someday an actual human being will be so demented that they'll actually want to use those!


  • sekret PM club

    @TwelveBaud said in <del>Word</del><ins>Botnet</ins>Press identified.:

    Windows Live Writer

    Oh man, I remember using this back when I actually had a Wordpress site. It was ass, but sadly not as ass as the actual Wordpress app was.


  • Trolleybus Mechanic

    @TwelveBaud said in <del>Word</del><ins>Botnet</ins>Press identified.:

    @Lorne-Kates But what about Windows Live Writer? Or the Blog Post magic template in Word? Or LiveJournal's cross-post feature? Maybe someday an actual human being will be so demented that they'll actually want to use those!

    Support "FrontPage" and "that HTML composer built into SeaMonkey" or GTFO.


  • I survived the hour long Uno hand

    @TwelveBaud
    That degree of demented is so far beyond murdering trans hookers that no one will ever stay functional and out of jail long enough to reach it. 🍹


  • BINNED

    @CHUDbert Ha ha, thankfully not. I wonder how excellently it would be suited to a blog...



  • @Lorne-Kates said in <del>Word</del><ins>Botnet</ins>Press identified.:

    And even better, after it processed every request, it would then return which of them succeeded and which failed.

    Yay for built-in brute force support!



  • @Lorne-Kates said in <del>Word</del><ins>Botnet</ins>Press identified.:

    If there aren't any weirdly named files on your server and you aren't pumping out gigabytes of outbound requests, then you haven't been attacked yet. :/

    ...or the attackers haven't successfully brute-forced his password yet, anyway.


  • Notification Spam Recipient

    @anotherusername said in <del>Word</del><ins>Botnet</ins>Press identified.:

    @Lorne-Kates said in <del>Word</del><ins>Botnet</ins>Press identified.:

    If there aren't any weirdly named files on your server and you aren't pumping out gigabytes of outbound requests, then you haven't been attacked yet. :/

    ...or the attackers haven't successfully brute-forced his password yet, anyway.

    Here's a legit hint: One of my administrator passwords is google.


  • Trolleybus Mechanic

    @Tsaukpaetra said in <del>Word</del><ins>Botnet</ins>Press identified.:

    Here's a legit hint: One of my administrator passwords is google.

    I just used google to find his password, but I couldn't find his password. Must be a very secure one.

