Dealing with XMLRPC Attack of Wordress Bots

Chronicles of DDOS: Dealing with XMLRPC Attack of WordPress Bots

Two days ago we have faced with diffuculties with one of our clients website as Nettsted Limited. We don’t normally provide technical support to our clients but unfortunately our client’s hosting service doesn’t provide any support her. Since we felt responsibility to help her, we decided to take action against Botnet attacks. We faced with strange behaviours of bots during the attack. I am going to mention about what happened hour by hour on this page and what actions we have done for protecting our client’s website.

The Beginning of the DDOS Attack: The Attacker Identifies Himself

As I am owner of Nettsted Limited, I am working 16-18 hours in a day to provide support to our clients. We have different clients from whole around the world, so I need to be awake different time zones. For months later, firstly I wanted to watch a movie and had fun with my family. Unfortunately this was one of the worst days of my career. After movie, we decided to take rest. However just an unseen thingie poked me and told me “hey! you have to take a look at your works and then sleep”. And yes… These were what happened in my 5 hours absence in the work:

  1. One of my clients has removed the SEO plugin, deleted all descriptions and titles of the website. He also broke the link structure of the website.
  2. The other client has removed some plugins we installed which are related with SEO. Changed the settings of caches and somehow all .js and .css files broken.
  3. One of my client was getting DDOS attack and she was just watching how her website crumble.

When I joined WhatsApp and Skype, I have seen lots of complaints for that 5 hours. 30% of sentences were just “Where are you?!”.

My client has told me that he got a message through WhatsApp. The attacker identified himself with the phone number and told my client that he is going to attack her. This really sounds stupid but he really did… When I came back to work, the attack was already began.

Get 20% off on the Best WordPress Themes & Plugins

Get 20% off on the Best WordPress Themes & Plugins

Day 1-) Taking First Action Against Attacks

These are some logs from the attack we got:

103.9.156.249 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1.1; http://thuecanhodep.com; verifying pingback from 93.174.93.163"
199.223.214.148 - - [07/Apr/2019:01:19:03 +0100] "GET / HTTP/1.0" 200 13194 "-" "WordPress/3.3.1; http://www.mentalic.gr"
216.240.176.141 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.0; http://graduscapital.com; verifying pingback from 93.174.93.163"
104.236.33.158 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1.1; http://pmsearchpartners.com; verifying pingback from 93.174.93.163"
149.210.236.96 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/3.9.27; http://imageconsultant.mu; verifying pingback from 149.210.236.96"
185.87.249.33 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1; http://compleetontbijten.nl; verifying pingback from 93.174.93.163"
158.69.26.84 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/3.9.2; http://teensystudios.com; verifying pingback from 93.174.93.163"
103.233.76.243 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1.26; http://help.worldmart.in; verifying pingback from 93.174.93.163"
203.175.180.254 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1.1; http://www.cybertechriskcenter.com; verifying pingback from 93.174.93.163"
199.223.214.148 - - [07/Apr/2019:01:19:03 +0100] "GET / HTTP/1.0" 200 13194 "-" "WordPress/3.3.1; http://www.mentalic.gr"
68.71.60.249 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1.26; http://www.itunesalternative.org; verifying pingback from 93.174.93.163"
66.55.132.6 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/3.8.16; http://ntrz.clanservers.com; verifying pingback from 93.174.93.163"
163.172.103.45 - - [07/Apr/2019:01:19:02 +0100] "GET / HTTP/1.0" 200 73651 "-" "WordPress/4.1.26; http://funzed.com; verifying pingback from 93.174.93.163"

In the logs you can see that that the attack was coming from WordPress user agents. However some of those attacks were also coming without agents too. I checked all those referred websites and they were all outdated and abandoned websites. There is one IP which was almost same at all of logs and there were 2 other. 93.174.93.163 was a Netherlands IP but I believe that it was the server/hosting which was preparing botnet attack to us. Others 2 IPs were also Netherlands IP.

Since there were too much “verifying pingback from” notifications on attacks I thought he is using pingbacks and xmlrpc.php for attacking.

My first reaction to attacks was changing the name of xmlrpc.php, then removing it at all and removing pingbacks from WordPress settings.

Result: It didn’t even slow down attacks.

Since I didn’t get any good results from first movements, I decided to remove xmlrpc.php file of WordPress from the files. However it still didn’t help.

However it has proven that it is helping for some kind of DDOS attacks. If you are also facing with that, you can also try it.

Day 1-) First Response: Take Advantage of Being Local

Now you are going to tell me why didn’t I use cloudflare. CF was taking time to setup and name server changes can be really pain at times. So I wanted to slow down the attacks but I also setup cloudflare for the website. Changed the nameservers. The attack was serious and it was seriously damage to usage of I/O, bandwith and so on. I believe they were 2-3 people who were attacking from different servers. My client’s website was gaining 1000$ daily and it was a serious problem for him. Site was down about 6 hours.

Since the site was local, I decided to setup an htaccess. I was needing all ip addresses of Denmark. with the help of a website I manage to find all Denmark IPs. I would close the website to all foreign traffic temporarily. I created a htaccess file and blocked all foreign traffic to the website.

Result: This is a good temporarily result. All malicious bots were hitting to 403 pages now. However bad news. Google bots were hitting 403 too. Since the bot traffic was coming from USA mainly, I didn’t make any setup for USA or Google bot IPs. Since this was temporary until nameserver changes take place, it wasn’t a problem.

During whole process I was talking with my client on the phone and calming her down. She was quite angry and upset because of the situation. She told me she got messages from attacker. She had his phone number!

Day 1-) Nameservers Changed and Problems with Cloudflare Settings

About 2 hours later that I setup the htaccess, nameservers changed and I activated cloudflare. Removed deny/allow rules from .htaccess file. However there was a problem with Cloudflare’s WAF settings. I asked my client to change the server IP and she has done that. Sometime later I would change the DNS records of cloudflare since old IP information was still there. However if I would do it soon after purchase the IP, site would be down again. The “Under Attack Mode” was already active on the website.

Result: After we activated the Cloudflare all attacks were stopped.

After the 6-7 hours excitement I stood up from my chair and went to sleep. We thought we have won but it hasn’t finished yet.

Day 2-) He came Back! Bypassed to Cloudflare with Botnet!

We have changed the IP in the morning and since I thought the website is secure, I changed under attack mode to medium. I made some other changes on .htaccess. I have bought PRO cloudflare for my customer. I setup some WAF settings to make website more secure. However some time later he managed to come back with more serious attacks and serious amount of attacks were hitting to origin. He was bypassing Cloudflare.

Some WAF settings of Cloudflare was promising stop of WordPress bot attacks, XMLRPC Attack  but they weren’t. I decided to setup all WAF settings as default on the Cloudflare.

Result: All bot attacks which has no user-agent start to hit to 403.

The result gave a relief to the website for sometime and server was up once more. However we were getting too much attacks and it was close for it.

Day 2-) Country Blocking on Cloudflare

Finally I thought that we should do more investment on cloudflare to get rid of those attacks. We have almost removed 50% of the threat with my last changes. However there were still other 50%. For a local website country blocking wouldn’t be a problem. Also since we have fixed the 50% of bot traffic, attacks from US wouldn’t be a serious problem for us. We purchased Cloudflare enterprise and blocked all foreign traffic except from USA and Denmark.

Result: This fixed the 90% of botnet traffic.

Day 3-) Revenge is a Dish Best Served Cold

Our server could manage to deal with 90% percent of botnet traffic. They haven’t stopped their attacks though. Then I found an interesting plugin on WordPress. However I had to test it first. Otherwise the website could go down and that will ruin things. I asked a programmer friend to attack one of my websites. It was working perfectly. Then I investigate about the attacker. I understand who is he and why he is attacking us.

I contacted to attacker first. I asked him to stop his attacks. However he answered me with lots of insults and swears. I just blocked him from WhatsApp and didn’t even respond him. My client asked me to pay more for this service but I denied. I was taking it as a matter of pride. I asked my client permission and removed the under attack mode. I setup the plugin.

I started to send his nasty, bloody, vile bots back to his website. His website crumbled in front of my eyes. What I felt was same with Cersei who was watching the destruction of Baelor’s Sept. Then I sent them his other website and then other and then other… When they stopped the attack, the system was stopping. However when they start to hit with bots, it was redirecting them to all their websites.

Nettsted Limited
gwenterprise11@gmail.com

Nettsted Limited is an agency which is providing services for WordPress. WhatsApp contact number: +905050199074

No Comments

Post A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.