Wordpress DoS Attack Script Solution

20th October 2009 - 5 minutes read time

There is a script knocking about on the internet at the moment that allows an attacker to run some code that will bring your Wordpress blog to its knees. This will more than likely cause your host to get annoyed as well.

What it does it performs a trackback request to the file wp-trackback.php, but it sends a massive (over 200,000 characters) string that Wordpress will take at face value and accept as a legitimate trackback. The first time this is run Wordpress will write it to the database, but the every time after that it will run a select query to see if the trackback exists. Even though this isn't a legitimate trackback Wordpress will still process it on every request, causing a massive overhead as each large string is processed.

One solution is to simply stop access to the offending file by using an Apache rule in your .htaccess file to prevent all access to this file.

<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>

This might be a good solution if you don't care about trackbacks, but if you want them then there exists another fix that involves changing the wp-trackback.php file to exit if the charset if quite long. Open the file and look for line 47.

$charset = $_POST['charset'];
 
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()

Add the following lines:

$charset = $_POST['charset'];
 
// DoS attack fix.
if ( strlen($charset) > 50 ) {
 die;
}
 
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()

This will stop any script kiddie from running the exploit script and killing your blog, but you might also want to add a check to make sure that the title variable isn't a stupid size as well. On line 56 (assuming you implemented the previous fix) add the following lines.

if ( strlen($title) > 200 ) {
 die;
}

This assumes that the trackback's post won't be longer than characters. There might be some legitimate posts that do have titles this long, but it is my opinion that these are probably poor quality posts and so okay to ignore.

Many thanks to Steve Fortuna's post New 0-Day Wordpress Exploit for pointing out and providing a fix to this issue.

UPDATE

Wordpress released an update this morning (V2.8.5) to fix this and other exploits. As usual Wordpress are quick in releasing patches for fixing exploits and vulnerabilities.

script

Comments

Hey, I just wanted to point out that that Jarreltech copied my post word for word from stevefortuna.com. I am quite surprised to see someone steal my post word for word, as my blog is very small and new. If you're not sure if I was the one copying or not, check out the time on my post, along with this http://digg.com/users/tcpjack. -Steve

Submitted by Steve Fortuna on Tue, 10/20/2009 - 13:46

Permalink
Thanks for the update Steve, I have updated the post to give credit where credit is due. :)
Philip Norton

Submitted by giHlZp8M8D on Tue, 10/20/2009 - 13:59

Permalink
Thanks. I appreciate it.

Submitted by Steve Fortuna on Tue, 10/20/2009 - 14:00

Permalink
Уязвимость Wordpress: изменение wp-trackback.php может вызвать DoS-атаку...Обнаружена свежая уязвимость Wordpress! Уязвимость позволяет провести DOS атаку на блог используя файл wp-trackback.php. Используя эксплоит, злоумышленник может заставить нарушить работоспособность блога – он перестанет отвечать на запросы польз...

Submitted by Wordpress - ру… on Tue, 10/20/2009 - 20:00

Permalink
can we use this for a normal website? NOT WP

Submitted by Tom on Tue, 11/10/2009 - 02:37

Permalink
@Tom This code is for a Wordpress site, but the same principle can be applied to any script of this type really. What sort of thing did you have in mind?
Philip Norton

Submitted by giHlZp8M8D on Tue, 11/10/2009 - 22:29

Permalink
I am sorry, but wordpress 2.8.5 not fix the problem. our site in v2.8.5 was the victim this past weekend. see log excerpt below: 91.121.120.153 www.xxxxx.com - [10/Nov/2009:11:48:30 +0100] "POST /wp-trackback.php HTTP/1.1" 200 699 "-" "-" 360.000 lines in the log !!!! result: server down by host for 2 days.

Submitted by Alain on Thu, 11/12/2009 - 03:59

Permalink
Great post , You definately hit the nail on the head, I just don't understand why people quite get what you're saying. I'm not for sure how many people I've talked to concerning this very thing in the past week, and they just can't get it. , Excellent post!

Submitted by Brandon on Mon, 12/14/2009 - 21:27

Permalink

heloo

this is a very good information for us thanx for this usfull information

Submitted by Muhammad Yaseen on Sun, 10/23/2011 - 19:41

Permalink

Add new comment

The content of this field is kept private and will not be shown publicly.
CAPTCHA
3 + 3 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Related Content

Logging Errors In WordPress

21st June 2011

To debug WordPress many sites will tell you to add the WP_DEBUG setting on its own to your wp-config.php file, but this can be quite harmful as many server configurations will start showing PHP errors and warning messages on your site pages.

Read more

The Correct Way To Load A Template File In WordPress

18th December 2010

Since WordPress 3.0 there has been a funcion called get_template_part(), which has been used quite a bit in the new Twenty Ten default WordPress theme. This is an evolution of the usual way to include parts of themes by using functions like get_header() to include the header.php file.

Read more

Some Essential WordPress Plugins

28th October 2010

I know what you are thinking, but this isn't just another WordPress plugin blog post. I am asked every few weeks what WordPress plugins I would recommend, and I always end up giving a disjointed list of some from the top of my head.

Read more

WordCampUK 2010: A Review

21st July 2010

WordCampUK is an informal 2 day conference and barcamp that centers around using, working with and developing in WordPress. This year's WordCampUK was held in Manchester and so being local I could hardly miss the opportunity to attend. It was a great event, with great talks and lots of friendly people who were really enthusiastic about WordPress.

Read more

Custom Post Types In WordPress 3.0

12th July 2010

This article relates to WordPress 3.0. Much of the code posted here won't work on previous versions and some of the information may change in newer versions.

WordPress already comes with five different content types built into the system.

Posts

Read more