Wordpress DoS Attack Script Solution

20th October 2009 - 5 minutes read time

There is a script knocking about on the internet at the moment that allows an attacker to run some code that will bring your Wordpress blog to its knees. This will more than likely cause your host to get annoyed as well.

What it does it performs a trackback request to the file wp-trackback.php, but it sends a massive (over 200,000 characters) string that Wordpress will take at face value and accept as a legitimate trackback. The first time this is run Wordpress will write it to the database, but the every time after that it will run a select query to see if the trackback exists. Even though this isn't a legitimate trackback Wordpress will still process it on every request, causing a massive overhead as each large string is processed.

One solution is to simply stop access to the offending file by using an Apache rule in your .htaccess file to prevent all access to this file.

<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>

This might be a good solution if you don't care about trackbacks, but if you want them then there exists another fix that involves changing the wp-trackback.php file to exit if the charset if quite long. Open the file and look for line 47.

$charset = $_POST['charset'];
 
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()

Add the following lines:

$charset = $_POST['charset'];
 
// DoS attack fix.
if ( strlen($charset) > 50 ) {
 die;
}
 
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()

This will stop any script kiddie from running the exploit script and killing your blog, but you might also want to add a check to make sure that the title variable isn't a stupid size as well. On line 56 (assuming you implemented the previous fix) add the following lines.

if ( strlen($title) > 200 ) {
 die;
}

This assumes that the trackback's post won't be longer than characters. There might be some legitimate posts that do have titles this long, but it is my opinion that these are probably poor quality posts and so okay to ignore.

Many thanks to Steve Fortuna's post New 0-Day Wordpress Exploit for pointing out and providing a fix to this issue.

UPDATE

Wordpress released an update this morning (V2.8.5) to fix this and other exploits. As usual Wordpress are quick in releasing patches for fixing exploits and vulnerabilities.

Comments

Permalink
Hey, I just wanted to point out that that Jarreltech copied my post word for word from stevefortuna.com. I am quite surprised to see someone steal my post word for word, as my blog is very small and new. If you're not sure if I was the one copying or not, check out the time on my post, along with this http://digg.com/users/tcpjack. -Steve

Steve Fortuna (Tue, 10/20/2009 - 13:46)

Permalink
Thanks for the update Steve, I have updated the post to give credit where credit is due. :)
Permalink
Thanks. I appreciate it.

Steve Fortuna (Tue, 10/20/2009 - 14:00)

Permalink
Уязвимость Wordpress: изменение wp-trackback.php может вызвать DoS-атаку...Обнаружена свежая уязвимость Wordpress! Уязвимость позволяет провести DOS атаку на блог используя файл wp-trackback.php. Используя эксплоит, злоумышленник может заставить нарушить работоспособность блога – он перестанет отвечать на запросы польз...

Wordpress - ру… (Tue, 10/20/2009 - 20:00)

Permalink
can we use this for a normal website? NOT WP

Tom (Tue, 11/10/2009 - 02:37)

Permalink
@Tom This code is for a Wordpress site, but the same principle can be applied to any script of this type really. What sort of thing did you have in mind?
Permalink
I am sorry, but wordpress 2.8.5 not fix the problem. our site in v2.8.5 was the victim this past weekend. see log excerpt below: 91.121.120.153 www.xxxxx.com - [10/Nov/2009:11:48:30 +0100] "POST /wp-trackback.php HTTP/1.1" 200 699 "-" "-" 360.000 lines in the log !!!! result: server down by host for 2 days.

Alain (Thu, 11/12/2009 - 03:59)

Permalink
Great post , You definately hit the nail on the head, I just don't understand why people quite get what you're saying. I'm not for sure how many people I've talked to concerning this very thing in the past week, and they just can't get it. , Excellent post!

Brandon (Mon, 12/14/2009 - 21:27)

Permalink

heloo

this is a very good information for us thanx for this usfull information

Muhammad Yaseen (Sun, 10/23/2011 - 19:41)

Add new comment

The content of this field is kept private and will not be shown publicly.