Home | Blogs | Wordpress DoS Attack Script Solution

Wordpress DoS Attack Script Solution

Tue, 10/20/2009 - 10:38 | by philipnorton42

There is a script knocking about on the internet at the moment that allows an attacker to run some code that will bring your Wordpress blog to it's knees. This will more than likely cause your host to get annoyed as well.

What it does it performs a trackback request to the file wp-trackback.php, but it sends a massive (over 200,000 characters) string that Wordpress will take at face value and accept as a legitimate trackback. The first time this is run Wordpress will write it to the database, but the every time after that it will run a select query to see if the trackback exists. Even though this isn't a legitimate trackback Wordpress will still process it on every request, causing a massive overhead as each large string is processed.

One solution is to simply stop access to the offending file by using an Apache rule in your .htaccess file to prevent all access to this file.

<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>

This might be a good solution if you don't care about trackbacks, but if you want them then there exists another fix that involves changing the wp-trackback.php file to exit if the charset if quite long. Open the file and look for line 47.

$charset = $_POST['charset'];
 
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()

Add the following lines:

$charset = $_POST['charset'];
 
// DoS attack fix.
if ( strlen($charset) > 50 ) {
 die;
}
 
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()

This will stop any script kiddie from running the exploit script and killing your blog, but you might also want to add a check to make sure that the title variable isn't a stupid size as well. On line 56 (assuming you implemented the previous fix) add the following lines.

if ( strlen($title) > 200 ) {
 die;
}

This assumes that the trackback's post won't be longer than characters. There might be some legitimate posts that do have titles this long, but it is my opinion that these are probably poor quality posts and so okay to ignore.

Many thanks to Steve Fortuna's post New 0-Day Wordpress Exploit for pointing out and providing a fix to this issue.

UPDATE

Wordpress released an update this morning (V2.8.5) to fix this and other exploits. As usual Wordpress are quick in releasing patches for fixing exploits and vulnerabilities.

Tags:

Share:

  • Add news feed
  • Bookmark this on Delicious

Comments

by Steve Fortuna (not verified) | Tue, 10/20/2009 - 14:00

Thanks. I appreciate it.

Thanks. I appreciate it.
by philipnorton42 | Tue, 10/20/2009 - 13:59
philipnorton42's picture

Thanks for the update Steve,

Thanks for the update Steve, I have updated the post to give credit where credit is due. :)
by Steve Fortuna (not verified) | Tue, 10/20/2009 - 13:46

Hey, I just wanted to point

Hey, I just wanted to point out that that Jarreltech copied my post word for word from stevefortuna.com. I am quite surprised to see someone steal my post word for word, as my blog is very small and new. If you're not sure if I was the one copying or not, check out the time on my post, along with this http://digg.com/users/tcpjack. -Steve
by Glenn Ansley (not verified) | Tue, 10/20/2009 - 14:07

We just created a quick

We just created a quick plugin that accomplishes the same thing as your code in the event that some people may be uncomfortable editing PHP or core WordPress files. You can find it here: http://fullthrottledevelopment.com/wordpress-plugin-to-stop-trackback-dos-attacks
by Wordpress - русские шаблоны и плагины (not verified) | Tue, 10/20/2009 - 20:00

Уязвимость Wordpress:

Уязвимость Wordpress: изменение wp-trackback.php может вызвать DoS-атаку... Обнаружена свежая уязвимость Wordpress! Уязвимость позволяет провести DOS атаку на блог используя файл wp-trackback.php. Используя эксплоит, злоумышленник может заставить нарушить работоспособность блога – он перестанет отвечать на запросы польз...
by Tom (not verified) | Tue, 11/10/2009 - 03:37

can we use this for a normal

can we use this for a normal website? NOT WP
by Alain (not verified) | Thu, 11/12/2009 - 04:59

I am sorry, but wordpress

I am sorry, but wordpress 2.8.5 not fix the problem. our site in v2.8.5 was the victim this past weekend. see log excerpt below: 91.121.120.153 www.xxxxx.com - [10/Nov/2009:11:48:30 +0100] "POST /wp-trackback.php HTTP/1.1" 200 699 "-" "-" 360.000 lines in the log !!!! result: server down by host for 2 days.
by philipnorton42 | Tue, 11/10/2009 - 23:29
philipnorton42's picture

@Tom This code is for a

@Tom This code is for a Wordpress site, but the same principle can be applied to any script of this type really. What sort of thing did you have in mind?
by Brandon (not verified) | Mon, 12/14/2009 - 22:27

Great post , You definately

Great post , You definately hit the nail on the head, I just don't understand why people quite get what you're saying. I'm not for sure how many people I've talked to concerning this very thing in the past week, and they just can't get it. , Excellent post!
by Muhammad Yaseen (not verified) | Sun, 10/23/2011 - 19:41

This a good info

heloo

this is a very good information for us thanx for this usfull information

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <h2> <h3> <h4> <h5> <h6> <pre> <span> <p> <br />
  • Syntax highlight code surrounded by the {syntaxhighlighter SPEC}...{/syntaxhighlighter} tags, where SPEC is a Syntaxhighlighter options string or "class="OPTIONS" title="the title".

More information about formatting options

By submitting this form, you accept the Mollom privacy policy.