11 comments

[ 4.1 ms ] story [ 38.0 ms ] thread
This really doesn't surprise me in the slightest. I inherited a Wordpress site someone hacked up for a friend of mine a few months ago. Until then, I wasn't quite aware of the ability to slide malware into it (it was an oldish version of WP).

As it was a relatively static site, I extracted the templates, removed the malware (which had injected itself into the header) and fudged it all into Jekyll[1] and uploaded it again as a static site to webfaction and changed the DNS entries.

Problem solved. Permanently.

I really wish people would do this more rather than pile loads of poorly maintained crap onto shared hosting.

[1] http://jekyllrb.com/

I really like static sites too, and that's what I use on my personal blog... but the bar for administering a Jekyll site is much higher than a Wordpress one. Especially if you run Windows, or have multiple contributors, or need a contact form or some other server-side processing -- all pretty common things.
The functionality this is exploiting, pingbacks, is the kind of dynamic, API-driven feature you can't get on a static site. It's a trade-off you have to be comfortable making.
Why can't they develop an algorithm that distinguishes malicious pings from legitimate pings?
The mechanism this attack uses is interesting. So way back in the early "web 2.0" days, "trackbacks" were a big deal. You'd mention someone else's blog post on your blog, your blogging software did an XML-RPC call out to their blog, and a notification showed up in their comments that there was further discussion on your site. It was great, and contributed to the whole community feeling of "web 2.0". But it was easily exploited by spammers, who just sent out XML-RPC calls to build links.

"Pingbacks" are like trackbacks, except the referenced blog requests the URL that supposedly links back to it to verify there's actually a link there, and it appears that's what's being used to redirect the DDoS to the target server.

The obvious solution is to disable pingbacks. But they exist for a reason, and even if most people don't use them anymore there's going to be an uproar from the people who still do. Keep in mind there are still people pissed that blogrolls (links) were removed from WordPress core a couple versions ago. When was the last time you even heard the word "blogroll"?

I'd love to see data on current pingback usage and what percent of it is spam or malicious.
I don't have data, I have experience. Vast majority of pingbacks are spam. I disabled pingbacks and I think most wordpress site owners do the same.
I don't see where the amplification is. The size of the GET request reflected to the target appears smaller than the POST request sent to the Wordpress XMLRPC. So it's less effective than simply attacking the target directly.

Am I missing something?

[Edit: reworded for clarity]