XML-RPC amplification attack: "Violent aesthetics" against WordPress

Source: Internet
Author: User


Brute force attacks are among the oldest and most common attacks seen on the Internet. Attackers can use protocols such as SSH and FTP to brute-force their way into your web server.

Traditional brute force cracking attacks

These attacks are generally not very complex and, in theory, easy to curb. They remain worthwhile for attackers, however, because people are not in the habit of using strong passwords and not everyone follows good login hygiene.

Fortunately for defenders, a brute force attack has a fatal weakness: if the attacker needs to try 500 different passwords, he normally has to send 500 separate requests to the server. Limiting the number of login attempts therefore curbs brute force attacks to a considerable degree.

Amplified brute force attack

Can the attacker reduce the number of requests? Can multiple login attempts be made with a single request? Imagine that 500 passwords can be tried in one request while the login limit allows no more than 5 attempts.

This is somewhat similar to the DDoS amplification attacks we have covered before: a command-and-control server uses the DNS or NTP protocol to reflect and amplify traffic, increasing the original attack intensity by 50 times. Any kind of amplification benefits the attacker.

Amplifying brute force guesses through the WordPress XML-RPC interface

One of the less-known features of XML-RPC is the system.multicall method, which lets an application execute multiple method calls in a single HTTP request. This is very convenient, and it also means that many login attempts can be packed into one request.

XML-RPC is a simple remote procedure call mechanism carried over HTTP. It has libraries for Perl, Java, Python, C, C++, PHP and many other programming languages, and WordPress, Drupal and many other content management systems support it.

Of course, any good technology is a double-edged sword. While XML-RPC is popular with developers, it has also become a weapon in the attacker's hands.

We have been tracking attacks on XML-RPC for weeks; the first one we saw on the Internet was on September 10, 2015, and similar attacks have been growing since. Earlier attackers focused on wp-login.php, but that file is easily protected with login limits or a deny rule in .htaccess. Here the attacker instead uses the system.multicall method to pack hundreds of attempts into a single request. When you look at the logs, one entry stands for all of those attempts:

194.150.168.95 - - [07/Oct/2015:23:54:12 -0400] "POST /xmlrpc.php HTTP/1.1" 200 14204 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1

Looking at this single line, can you tell that it is an attack carrying hundreds of password guesses? Attackers use this to slip past security checks that count requests and keep guessing.

wp.getCategories method attack

We also saw the wp.getCategories method being used on the network; it requires a user name and password. The request looks like this:

<methodCall><methodName>system.multicall</methodName>
  <member><name>methodName</name><value><string>wp.getCategories</string></value></member>
  <member><name>params</name><value><array><data>
    <value><string></string></value><value><string>admin</string></value><value><string>demo123</string></value>
  ..
  <member><name>methodName</name><value><string>wp.getCategories</string></value></member>
  <member><name>params</name><value><array><data>
    <value><string>admin</string></value> <value><string>site.com</string></value>
  …

WordPress (xmlrpc.php) answers each call in the batch, returning a fault for every wrong guess and a real result for the user name and password combination that succeeds.

In the example above, the attacker tried the combinations admin/demo123 and admin/site.com. The response looks like this:

[{'faultCode': 403, 'faultString': 'Incorrect username or password.'},
 {'faultCode': 403, 'faultString': 'Incorrect username or password.'},
 {'faultCode': 403, 'faultString': 'Incorrect username or password.'},
 {'faultCode': 403, 'faultString': 'Incorrect username or password.'},
 {'faultCode': 403, 'faultString': …
 [[{'url': 'http://site.com/wordpress/', 'isAdmin': True, 'blogid': '1', 'xmlrpc': 'http://site.com/wordpress/xmlrpc.php', 'blogName': 'wpxxx'}]]]

We used wp.getCategories for our attack experiments, but any other method that requires authentication can be used in the same way, so banning wp.getCategories alone does little to prevent attacks of this type. The authenticated methods are:

wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories
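An added defender-side check, written for this page rather than taken from the original article or from WordPress: it parses an xmlrpc.php POST body with Python's standard xmlrpc.client, counts how many authenticated calls are packed into one system.multicall, and flags the amplification pattern. The request bodies are constructed samples, the method subset is taken from the list above, and the threshold of 10 calls is an assumed tuning value.

```python
import xmlrpc.client
from xml.parsers import expat

# Subset of the authenticated methods listed above. For each of these the
# username is the second positional parameter (blog_id or appkey comes first),
# so the checker can extract it without knowing every signature.
AUTH_METHODS = {"wp.getCategories", "wp.getPosts", "wp.getUsers", "wp.getProfile",
                "mw.getCategories", "mt.getRecentPostTitles", "blogger.getUsersBlogs"}


def build_multicall(calls):
    """Serialise (method, params) pairs into a system.multicall request body.
    Used only to construct sample input; this is not a captured request."""
    structs = [{"methodName": m, "params": list(p)} for m, p in calls]
    return xmlrpc.client.dumps((structs,), methodname="system.multicall")


def analyse_request(body, threshold=10):
    """Inspect one xmlrpc.php POST body and summarise the calls it carries.

    'flagged' is True when at least `threshold` authenticated calls are packed
    into a single request, the amplification pattern described above.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except (expat.ExpatError, xmlrpc.client.Fault, xmlrpc.client.ResponseError):
        return {"method": None, "total": 0, "auth": 0, "users": set(),
                "flagged": False, "parse_error": True}
    if method == "system.multicall":
        # The single array parameter holds one struct {methodName, params} per call.
        inner = params[0] if params else []
        calls = [(c.get("methodName"), c.get("params", [])) for c in inner if isinstance(c, dict)]
    else:
        calls = [(method, list(params))]
    auth_calls = [(m, p) for m, p in calls if m in AUTH_METHODS]
    users = {p[1] for _, p in auth_calls if len(p) > 1 and isinstance(p[1], str)}
    return {"method": method, "total": len(calls), "auth": len(auth_calls),
            "users": users, "flagged": len(auth_calls) >= threshold, "parse_error": False}


# Constructed samples: 25 guesses against "admin" in one request, versus one ordinary call.
ATTACK_BODY = build_multicall(
    [("wp.getCategories", ["", "admin", "guess%02d" % i]) for i in range(25)])
BENIGN_BODY = xmlrpc.client.dumps(("1", "editor", "s3cret"), methodname="wp.getPosts")

if __name__ == "__main__":
    for name, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY)):
        r = analyse_request(body)
        print(name, r["total"], r["auth"], sorted(r["users"]), r["flagged"])
```

Wired into a WAF or log pipeline that retains request bodies, the same count also tells you how many guesses a single "POST /xmlrpc.php" log entry really stands for.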

The following figure (an image in the original article) shows an XML-RPC system.multicall request built specifically for brute force guessing; each such request can carry hundreds of guesses. The numbers in the figure let you appreciate the "brute force aesthetics" of the title:

If you are a WordPress webmaster and use no plug-in that relies on xmlrpc.php, you can rename or delete the file to block these attacks. If you do use a plug-in such as JetPack, however, removing the file will break parts of your site.
