WordPress 4.4 XML-RPC Exploits Still NOT Fixed

I’m sorry, but that’s not correct. I’m already rate limiting at 10 requests per second with a burst of 5 using nginx for all php files. My server is extremely powerful, but this attack is ridiculous. The IPs “hammering” my servers are sending less than 4 requests per second, which is nothing for nginx. However, their payload is making php5-fpm work like crazy. There is certainly something wrong here with WordPress. My server is about as tightly locked down as you can get. Nothing else is able to flood my server except for the xmlrpc.php exploit. They are sending multiple commands to execute in multiple methods in one request that the server is having to process.

Surely there is a better way to lock this down? It’s only a few IPs from Ecatel LTD that seem to be exploiting this to the point that php5-fpm spawns several processes that use over 10% of the CPU. I wish I could specifically tell you what they are doing, but I’m not sure yet. I just know that this is not typical and something is being exploited regarding xmlrpc.

The attacks come from a single IP address. I can ban these IP addresses which fixes the problem, but they are somehow exploiting WordPress code to DDOS the server in a non-DDOS fashion. They are not sending that many requests per second. It’s hard to stop these attacks.

I already am using Fail2ban, but I fail to see why I need to use a third party utility to fix code that can be exploited in WordPress.

nginx is capable of handling thousands of requests. There’s something about these POST xmlrpc.php attacks that is causing the server to execute a ton of code and work hard. That’s where the problem lies. It shouldn’t allow a huge payload or process a request that will trigger a bunch of actions.

Many others have reported this problem, yet no action has been taken by WordPress developers. You cannot blame “too many requests” as the problem when that is not the case (not for me anyways, I can tell you that much for sure). There are plugins that disable access to the xmlrpc.php file. Clearly, something is exploiting this functionality, and people are fixing it by disabling access. I will do that globally too on my server if I have to, but I really find that quite sad that apps using this functionality won’t be able to work.

When xmlrpc.php isn’t being exploited on my server, my average system load is 0.01, 0.10, 0.09. When it’s being exploited, it goes over 5 and sometimes 10. And I’m hosting over 100 websites on this server… that says a lot.

I will try to capture packets the next time this happens. This needs to be stopped. I’m assuming this command should give me what I need:

tcpdump -i eth0 src "EXPLOITING_IP_ADDR" -A -s 0 -w exploit.cap

In my case:

tcpdump -i eth0 src 93.174.93.61 -A -s 0 -w exploit.cap

Then maybe we could find out what they’re doing?

I’m not sure how that isn’t a DDOS. It makes my php5-fpm spawn a bunch of processes that use too much of my CPU.

The server ends up working too hard on pingbacks (for reasons I simply cannot understand), which is a DOS for sure.

The posts they’re trying to pingback to don’t even exist. So, what’s making php5-fpm work so hard? Are the database queries simply that inefficient? They’re not even attacking posts that contain pingback support. In fact, the URL for the pingback doesn’t even work!!!!

Example: http://blog.eamster.tk/ubuntu-grub-fails-to-install-on-raid-array/ is what one of the strings is set to in the packet capture. Yet, this page does not exist. The post is now: http://blog.eamster.tk/?p=372

I had to disable permalinks on nginx, so all of my posts updated to new links since nginx doesn’t support .htaccess files like Apache2 does. Plus, after researching permalinks, I don’t think they’re a good idea… but that’s another story.

Yeah, I think I will install that plugin that disables pingbacks, but still, I think something is wrong here.

The posts referenced by the attacker no longer load, the posts don’t support pingbacks already, and pingbacks in general is a feature that is easily abused which doesn’t serve much purpose other than causing DOS problems it would seem.

nginx runs all of my other websites just fine. Like I said, the load is usually always under 0.30 unless someone is spamming or DDOSing my WordPress.

I wonder if the web server change from apache2 to nginx and then updating the permalinking settings caused some sort of bug that is making pingback requests slow my server to a crawl for some reason.

I would assume its safe to say that this is a WordPress problem considering the high traffic on my other websites which do not run WordPress.

Thanks, I installed the disable-xml-rpc-pingback mod and hope that will solve the problem. I will update this thread if it doesn’t.

https://wordpress.org/plugins/disable-xml-rpc-pingback/

WordPress should disable pingback functionality by default. It’s too easily abused and is evidently not very efficient. You shouldn’t blame sever operators for this issue. WordPress provides the functionality, WordPress should fix and secure it. As it stands right now, pingbacks introduced another way to DOS the internet. It affected me when my server was running Apache2 and nginx. Every webserver running WordPress is essentially open to this issue.