Using xmlrpc.php for WordPress brute-force cracking and DDoS, and how to protect against it

Source: Internet
Author: User

Tools can exploit this WordPress weakness to scan hosts or launch DDoS attacks. The vulnerability affects all versions of the xmlrpc.php file.

Recently I also encountered large-scale cracking of the WordPress back end (wp-login.php); WordPress has almost become a zombie in the hands of hackers. There is, however, an alternative WordPress brute-force attack: hackers use the xmlrpc.php file to bypass the WordPress back-end login error limit and crack passwords.

Attack methods

wp.getUsersBlogs username password

Attacks using xmlrpc.php can bypass the login error limit, because the XML-RPC endpoint is not covered by it. Attackers can directly POST the following data to xmlrpc.php:

wp.getUsersBlogs username password

The username field is a pre-collected user name, and password is the password being tried. For more information about the getUsersBlogs interface, refer to the official guide. If the password is correct, it returns:

If the password is wrong, it returns a 403 fault:

Solution:

Install the Login Security Solution plug-in.

Or delete the xmlrpc.php file, or set its permissions so that it cannot be accessed.

Principles of DDoS vulnerability exploitation

Pingback is one of the three kinds of linkback. It is a way to notify an author when someone links to, or copies, the author's article, so the author can see and track links and reposts. Several of the world's most popular blog systems, including Movable Type, Serendipity, WordPress and Telligent Community, support pingback, so that you are notified when your article is republished.

In WordPress the XML-RPC API is exposed through the xmlrpc.php file, and its pingback.ping method is the one that can be exploited. Another blog site sends a pingback to the WordPress site. When WordPress processes the pingback it tries to resolve the source URL; if resolution succeeds it sends a request to the source URL and checks whether the response contains a link to the WordPress article. If such a link is found, a comment is posted on the article noting that it has been linked from the source blog.

A hacker sends a packet to a WordPress site with the target's URL as the source URL. On receiving the packet, the WordPress site calls the XML-RPC API through xmlrpc.php and issues a verification request to the attacked URL. If a large number of such requests are sent, they form an HTTP flood against the target URL. Of course, simply sending a large number of requests to the WordPress site may also bring down the WordPress site itself. Apart from DDoS, because different error messages are returned depending on whether the source URL host exists, an attacker can use the same method to scan hosts on the intranet where the WordPress site sits.
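As an added example (not code from the original article), the following Python script scans Apache/nginx combined-format access log lines for both patterns described above: a single host repeatedly POSTing to xmlrpc.php (the wp.getUsersBlogs brute force), and a pingback flood arriving at the target as GETs whose User-Agent starts with "WordPress/". The sample log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter

# Combined log format, e.g.
# 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_bruteforce_sources(lines, threshold=20):
    """Map IP -> count for hosts that POSTed to xmlrpc.php at least `threshold` times."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def pingback_flood_sources(lines):
    """Distinct hosts sending GETs with the User-Agent WordPress uses for pingback verification."""
    return {r["ip"] for r in map(parse_line, lines)
            if r and r["method"] == "GET" and r["ua"].startswith("WordPress/")}

def pingback_flood_detected(lines, min_sources=10):
    """True when verification requests arrive from many distinct WordPress sites at once."""
    return len(pingback_flood_sources(lines)) >= min_sources

# Constructed sample traffic (not real logs): one host hammering xmlrpc.php, one normal
# visitor, and GETs with the pingback User-Agent from twelve different WordPress sites.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"'
    for i in range(25)
] + [
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.{n} - - [10/Oct/2023:13:57:00 +0000] "GET /?p=12 HTTP/1.1" 200 9021 "-" "WordPress/6.4; https://blog{n}.example"'
    for n in range(1, 13)
]

if __name__ == "__main__":
    print("xmlrpc brute-force sources:", xmlrpc_bruteforce_sources(SAMPLE_LOG))
    print("pingback flood:", pingback_flood_detected(SAMPLE_LOG))
```

Feed real log lines in place of SAMPLE_LOG and tune the thresholds to the site's normal traffic; a legitimate pingback comes from one or two sites, not dozens in the same second.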

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
