One of the most common & dangerous attacks against WordPress

Information Security Research Area

Postby BlueStar » Fri Dec 23, 2016 7:06 pm

Recently, our global honeypots have collected thousands of attacks that scanned for and sent requests to WordPress XML-RPC. XML-RPC is a simple, portable way to make remote procedure calls over HTTP. WordPress, Drupal and many other content management systems (CMS) support XML-RPC. However, XML-RPC may lead to serious security issues.

To use a brute-force attack (https://en.wikipedia.org/wiki/Brute-force_attack) to obtain the admin password, instead of going against wp-login.php or making a single attempt against xmlrpc.php, attackers can leverage the system.multicall method to guess hundreds of passwords within just one HTTP request.

The two main ways to identify XML-RPC attacks are as follows:
1) Seeing the "Error connecting to database" message when WordPress sites are down
2) Finding many entries similar to "POST /xmlrpc.php HTTP/1.0" in the logs of web servers

As you see, this issue may lead to backend compromise or Denial of Service. To mitigate the issue, you could block XML-RPC. If you can't for compatibility reasons, you could mitigate the issue by blocking system.multicall requests.

CMS like WordPress are widely deployed, and that's why many cyber attackers are targeting these kinds of systems.

Also, it's worth mentioning that a group of security experts from CloudCoffer (http://www.cloudcoffer.com/), which is our global research partner, has offered the right solution to help users prevent all kinds of known and unknown attacks, including brute force and the OWASP Top 10.

Please feel free to leave a message to us at support@rayaegis.com.
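The two detection signals and the system.multicall mitigation described in the post, worked through as an added example (this is editor-supplied code, not from the original post, RayAegis or CloudCoffer). It counts "POST /xmlrpc.php" entries per client in combined-format access log lines and inspects an XML-RPC request body to see whether it is a system.multicall wrapping many nested calls. The log lines, IP addresses and XML bodies are constructed samples; the thresholds are assumptions you would tune for your own traffic.

```python
"""Defender-side checks for WordPress XML-RPC brute-force activity.

Added example, not code from the original post. Two checks:
  1. Burst counting of POST /xmlrpc.php per client IP in web server logs.
  2. Inspection of an XML-RPC body for system.multicall and its nested calls,
     which is what a WAF rule blocking system.multicall would key on.
All sample data below is constructed (documentation-range IPs, fake dates).
"""
import re
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed access log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Dec/2016:18:55:01 +0800] "POST /xmlrpc.php HTTP/1.0" 200 421 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2016:18:55:02 +0800] "POST /xmlrpc.php HTTP/1.0" 200 421 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2016:18:55:02 +0800] "POST /xmlrpc.php HTTP/1.0" 200 421 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Dec/2016:18:55:03 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Dec/2016:18:55:04 +0800] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Jetpack"
"""

# Constructed request body: one system.multicall wrapping two wp.getUsersBlogs
# calls (an authenticated method). Credentials are placeholders.
SAMPLE_MULTICALL = """<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess-1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess-2</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

# Constructed benign body: a single, unauthenticated call.
SAMPLE_SINGLE = "<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def xmlrpc_posts_per_ip(log_text):
    """Count POST requests to /xmlrpc.php per client IP (query string ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/xmlrpc.php":
            counts[m.group("ip")] += 1
    return counts


def noisy_xmlrpc_clients(log_text, threshold=3):
    """IPs at or above the POST /xmlrpc.php threshold (threshold is an assumed value)."""
    return sorted(ip for ip, n in xmlrpc_posts_per_ip(log_text).items() if n >= threshold)


def _value_text(value_el):
    """Text of an XML-RPC <value>, whether or not it is wrapped in <string>."""
    s = value_el.find("string")
    return ((s.text if s is not None else value_el.text) or "").strip()


def inspect_xmlrpc_body(body):
    """Return (outer method name, list of nested method names for system.multicall)."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = (root.findtext("methodName") or "").strip()
    inner = []
    if name == "system.multicall":
        # Each nested call is a <struct> with a member named "methodName".
        for member in root.iter("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                value = member.find("value")
                if value is not None:
                    inner.append(_value_text(value))
    return name, inner


def multicall_verdict(body):
    """The post's fallback mitigation: block any system.multicall request.
    Returns (block, outer method, nested call count) for logging."""
    name, inner = inspect_xmlrpc_body(body)
    return name == "system.multicall", name, len(inner)


if __name__ == "__main__":
    print("noisy clients:", noisy_xmlrpc_clients(SAMPLE_LOG))
    for body in (SAMPLE_MULTICALL, SAMPLE_SINGLE):
        print(multicall_verdict(body))
```

The log check is the cheap, always-available signal: a handful of POSTs to xmlrpc.php from one address is normal for Jetpack or mobile apps, but hundreds in a minute, each carrying a large body, is the pattern the post describes. The body check is what you would enforce at a reverse proxy or WAF if you cannot disable XML-RPC outright; note that a single system.multicall carrying many nested authenticated calls is exactly why per-request rate limits on xmlrpc.php alone do not stop this.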
