Your blog has been hacked. Actually, maybe not. The Pingback Exploit.

This morning I got an email from a person named Sam Browne with the ominous subject line “Your blog has been hacked“. The email read as follows:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco. Your blog has been hacked, and is being used to attack other sites. The specific URL and IP address involved in attacks is in the list below.

Please scan your blog and clean it.

Complete information about this is at:

http://samsclass.info/125/proj11/wpbots120613.htm

Now I get a lot of crazy emails from a lot of crazy people so my initial reaction was that this is another one destined for the spam pile. But at the bottom of the email was a list of about 50 sites that were supposedly hacked and looking through it I got curious. On the list, which included a site I managed years ago, I found URLs like wordpress.org, viper007bond.com, and woothemes.com. The chance of any of these sites being hacked and used to spam Mr. Browne is pretty close to zero so clearly there was something else going on here.

Browsing the responses to Sam’s Twitter stream it became clear that many of the people who had received the same email (apparently it was sent to thousands of email addresses) had done their due diligence by checking their sites for exploits only to find they were in fact not hacked. My guess is that if we were to check all the sites on the list we’d find very few sites with hacks on them. But the claim that the sites were attacking Mr. Browne’s site are still true!

Your WordPress site can be tricked

It is a poorly kept secret that with some simple code you can turn a WordPress site into a tool of evil. Hidden in WordPress core is a function called XML-RPC that allows users to send emails to WordPress and then get WordPress to do things like publish posts. The feature also powers pingbacks – essentially messages sent to other sites when they are being linked to –  and it is very useful if you want to use a 3rd party application to write posts or you want to email posts to your site. This function can unfortunately be exploited to make your site send requests to target sites, thus becoming an accomplice in a DDoS attack.

It is disturbingly simple: A few lines of code will trigger a cascade of requests to your WordPress site that then in turn send pingback requests to a specified site. Multiply that by a hundred or a thousand or a million sites like yours and you have a perfectly orchestrated DDoS attack executed by proxy through your and other sites. Which seems to be what happened to Mr. Browne. Again, not an attack but an exploit.

Based on the list of sites provided by Sam and my own observations of spam comments it seems clear that a large portion of the sites that are taking down Sam’s site are in fact not infected but instead vulnerable to the pingback exploit. In fact it appears any standard install WordPress site without Akismet activated is vulnerable to this exploit. Which is a serious problem.

Solutions, current and future

This exploit is well known by the developers that build WordPress and it is being worked on. However as of right now your WordPress site may become part of the problem unless you take a simple step to prevent it: Go to Settings -> Discussion and turn   off. Some are suggesting removing the XML-RPC feature all together by deleting it from the WordPress install. This is a terrible idea and should not be done. WordPress core is not something you should mess with and the XMLRPC function is used for more than just sending out pingbacks, most notably to allow a user to post to the site using email or 3rd party apps.

Moving forward it’s clear this needs to be addressed in WordPress core so new users do not inadvertently become bots. What exactly that something is is up for debate. Simply disabling XML-RPC is not a solution yet leaving it completely open is an equal non-starter. Bottom line is a push needs to be made to get core updated in some way to curb this problem going forward. WordPress powers 20% of the web and will continue to take over more of the space so these exploits will be exploited more and more if nothing is done.


About Morten Rand-Hendriksen

Morten Rand-Hendriksen is a staff author at lynda.com specializing in WordPress and web design and development and an instructor at Emily Carr University of Art and Design. He is a popular speaker and educator on all things design, web standards and open source. As the owner and Web Head at Pink & Yellow Media, a boutique style digital media company in Burnaby, BC, Canada, he has created WordPress-based web solutions for multi-national companies, political parties, banks, and small businesses and bloggers alike. He also contributes to the local WordPress community by organizing Meetups and WordCamps.

4 comments:

  1. I got Mr. Bowne’s misleading and uninformative e-mail. “Please scan your blog and clean it”, well, according to other sources there’s nothing to clean, only configuration to adjust.

    I found your much better explanation, thanks.

    But… you say “In fact it appears any standard install WordPress site without Akismet activated is vulnerable to this exploit.”
    I have a stock WordPress with Akismet activated. It was blocking around 1,500 messages a month, but since September it’s down to 40 a month, I guess spammers have moved on.

    Also, you say disable “Allow link notifications from other blogs (pingbacks and trackbacks)” but the samsclass blog post instead recommends http://wordpress.org/plugins/prevent-xmlrpc/ (even though it only supports WP up to version 3.5.2) which says “There’s a vulnerability in WordPress’s XMLRPC implementation, that permits trackback spam – even when you disable trackbacks.” So who’s right?

    Again, thanks for your lucid explanation, though it’s still confusing.

  2. Good post.

    Additionally, if you do want to disable pingbacks you’d want to disable pingbacks on individual posts too, because the solution you provided (although correct) will only be applied to future posts.

    This could be done with bulk editing or directly via wp_posts – setting ping_status to ‘closed’.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>