
Need urgent help! SMF vulnerable to XML-RPC attack - must read!

Started by xJamie, June 02, 2014, 06:56:07 PM


xJamie

Hi,

Today someone DDoSed my forum and caused it to go down. Someone used XML-RPC to attack my forum. XML-RPC is a layer-7 pingback script which uses legitimate WordPress sites to attack your website. It goes like this: Attacker > VPS/DEDICATED SERVER > WORDPRESS SITES > VICTIM.

Before my forum got attacked, I took a backup of my database. So basically my database went from 350Kb to 2MB. Please help me remove all these logs and errors and help me prevent these attacks.

Please see attachments for the logs of the attacks on Windows Server 2012.
NOTE: The IP address of my forum is not displayed. I am using CloudFlare and still my site went down.

Please take a look at this issue and help me prevent this layer-7 attack.


The attacker who attacked my website is not only able to take my site offline, he is also able to take down this forum as well.

I appreciate all your help!



-edit-
Fixed caps...

Arantor

SMF is not vulnerable to any XMLRPC attacks seeing how there is no XMLRPC layer in SMF whatsoever. Tapatalk adds one, but SMF as it stands is not.

As for a DDOS, if you throw enough traffic at any server it's going to fall over, no matter how good it is.

xJamie

Quote from: Arantor on June 02, 2014, 06:59:07 PM
SMF is not vulnerable to any XMLRPC attacks seeing how there is no XMLRPC layer in SMF whatsoever. Tapatalk adds one, but SMF as it stands is not.

As for a DDOS, if you throw enough traffic at any server it's going to fall over, no matter how good it is.

Wanna bet?

SMF is vulnerable to XMLRPC.

margarett

I'm sorry but you're not making sense... You said:
Quote: Attacker > VPS/DEDICATED SERVER > WORDPRESS SITES > VICTIM
Where does SMF fit here? As the victim?

Every forum/software/etc. out there that runs in a web server is susceptible to a DDoS attack... The protection can only be made on the server/firewall level. Cloudflare should help in that.

Also: 2Mb is a tiny database, I don't really think you got *that* much to worry about...
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

xJamie

Quote from: margarett on June 02, 2014, 07:01:59 PM
I'm sorry but you're not making sense... You said:
Quote: Attacker > VPS/DEDICATED SERVER > WORDPRESS SITES > VICTIM
Where does SMF fit here? As the victim?

Every forum/software/etc. out there that runs in a web server is susceptible to a DDoS attack... The protection can only be made on the server/firewall level. Cloudflare should help in that.

Also: 2Mb is a tiny database, I don't really think you got *that* much to worry about...

Please take a look at this log.

I couldn't upload it in attachments because the file size was too big.

Here is the link: https://mega.co.nz/#!NpkmGLZb!0r0l-rmU0gq9unSwNK2uUsfaFqeTG2-ilZOOZ-tH8B8

Arantor

Right, so we just confirmed what I already guessed: that you have no understanding whatsoever about what XMLRPC is, or indeed what the actual vulnerability is here, not that it can be protected against anyway.

margarett

I did. There is *NOTHING* in that log that points to SMF. It's just a bunch of stuff thrown at your web server. It looks like a DDoS, yes, but I fail to understand how sure you are about SMF's vulnerability.
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

xJamie

Quote from: margarett on June 02, 2014, 07:09:10 PM
I did. There is *NOTHING* in that log that points to SMF. It's just a bunch of stuff thrown at your web server. It looks like a DDoS, yes, but I fail to understand how sure you are about SMF's vulnerability.

Well, the attacker told me so..

I'm not sure if it is true or not, but that's just what he told me.

Anyway, I'm sorry if I overreacted; it's just that I'm upset and nervous, mainly because of the attack.

Do you guys have any advice/solutions on how to prevent these attacks? Thanks

margarett

The attacker told you? Man, you have some serious connections :P :P :P

There is no known vulnerability in SMF, and the one that you point to surely isn't the first. WP may be vulnerable, OK, but I don't know.
But there is nothing SMF can do about a DDoS... All that happens is dozens/hundreds of requests arriving at your server in a second. Of course it can't deal with all of them, so it "collapses".

edit: http://blog.spiderlabs.com/2014/03/wordpress-xml-rpc-pingback-vulnerability-analysis.html (not sure if relevant here or not, but ok :P )
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair
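The attack chain described in the opening post (Attacker > VPS > WordPress sites > victim) and the Spiderlabs analysis linked above both boil down to the same observable on the victim side: a flood of GET requests whose User-Agent is the WordPress pingback verification string, arriving from many unrelated WordPress hosts. The following is an added example, not code from this thread or from SMF, that shows how a server admin can confirm that from an IIS log rather than guessing. It parses lines in the default IIS W3C extended field layout (IIS writes the spaces inside the User-Agent as `+`), recognises the `WordPress/x.y; http://site; verifying pingback from IP` agent string, counts how many distinct WordPress "reflector" hosts are involved, and extracts the IP the WordPress sites themselves saw the pingback request come from (the attacker's VPS in the chain above). All log lines, hostnames and addresses below are constructed documentation values; the threshold of 3 distinct reflectors is an assumption chosen to fit the tiny sample and would be far higher in practice.

```python
import re
from collections import Counter

# Constructed sample in the default IIS W3C extended layout (not a real log):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-06-02 18:40:01 10.0.0.5 GET /index.php - 80 - 203.0.113.10 WordPress/3.9;+http://blog-a.example;+verifying+pingback+from+198.51.100.7 200
2014-06-02 18:40:01 10.0.0.5 GET /index.php 4821 80 - 203.0.113.11 WordPress/3.8.3;+http://blog-b.example;+verifying+pingback+from+198.51.100.7 200
2014-06-02 18:40:02 10.0.0.5 GET /index.php - 80 - 203.0.113.12 WordPress/3.9;+http://blog-c.example;+verifying+pingback+from+198.51.100.7 503
2014-06-02 18:40:02 10.0.0.5 GET /index.php topic=12.0 80 - 192.0.2.44 Mozilla/5.0+(Windows+NT+6.1)+Firefox/29.0 200
2014-06-02 18:40:03 10.0.0.5 GET /index.php 9917 80 - 203.0.113.10 WordPress/3.9;+http://blog-a.example;+verifying+pingback+from+198.51.100.7 503
"""

IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "port", "username", "c_ip", "user_agent", "status"]

# User-Agent WordPress sends when it fetches the pingback's "source" URL to verify it.
# The trailing address is the client that submitted the pingback.ping call to that WordPress site.
PINGBACK_UA = re.compile(
    r"^WordPress/([\d.]+); (https?://[^;]+); verifying pingback from (\S+)$")


def parse_iis_line(line):
    """Parse one W3C log line into a dict; return None for directives, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    # IIS substitutes '+' for spaces inside the logged User-Agent; undo that for matching.
    rec["user_agent"] = rec["user_agent"].replace("+", " ")
    return rec


def classify_pingback(rec):
    """Return reflector details if the record is a WordPress pingback verification hit, else None."""
    m = PINGBACK_UA.match(rec["user_agent"])
    if not m:
        return None
    return {"wp_version": m.group(1), "reflector_site": m.group(2), "origin_ip": m.group(3)}


def analyze(log_text, reflector_threshold=3):
    """Summarise pingback-reflection traffic in an IIS log.

    Flags the log when the number of distinct WordPress hosts hitting us reaches
    reflector_threshold: one legitimate pingback comes from one site, a reflection
    flood comes from many sites all naming the same origin address.
    """
    reflectors = set()
    origins = Counter()
    total = pingbacks = pingback_5xx = 0
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        total += 1
        pb = classify_pingback(rec)
        if pb is None:
            continue
        pingbacks += 1
        reflectors.add(rec["c_ip"])           # the WordPress site doing the fetching
        origins[pb["origin_ip"]] += 1         # who asked that site to fetch us
        if rec["status"].startswith("5"):
            pingback_5xx += 1                 # our server already failing under the load
    return {
        "total_requests": total,
        "pingback_requests": pingbacks,
        "distinct_reflectors": len(reflectors),
        "reflector_ips": sorted(reflectors),
        "top_origin": origins.most_common(1)[0] if origins else None,
        "pingback_5xx": pingback_5xx,
        "flagged": len(reflectors) >= reflector_threshold,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG, reflector_threshold=3)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Two things the summary gives a defender that the raw log does not: the reflector list is what to rate-limit or block at the edge (CloudFlare firewall rules or IIS Request Filtering can match on the User-Agent prefix, which is cheaper than blocking individual WordPress hosts), and the `top_origin` address is the machine that drove the pingbacks, which is the address to put in an abuse report to that host's provider. Because XML-RPC pingbacks run over TCP, that address cannot be spoofed the way a UDP reflection source can.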

LiroyvH

To protect against DDoS attacks, you have to start looking at the server/network configurations; not at SMF.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Herman's Mixen

Yup! The only thing I see which is outdated is the theme /urban-rc5 from dzinerstudio, and maybe even SPortal, which is not really developed any more, can be the case....
It's not SMF itself...
Kind regards, The Burglar!

 House Mixes | Mixcloud | Any intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our Dutch community ;)

xJamie

Hmm, okay. Now I get an IIS error. Please, how do I fix this error? My website: http://pwnxile.cm

Herman's Mixen

IIS... o.0 That's a vulnerable point when it comes to configuration.... bet you will find it there!!
Kind regards, The Burglar!

 House Mixes | Mixcloud | Any intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our Dutch community ;)

Arantor

Without more details it's impossible to say. All that error tells us is that there's an error...

xJamie

Quote from: Arantor on June 02, 2014, 07:43:50 PM
Without more details it's impossible to say. All that error tells us is that there's an error...

What files and information do you need?

butchs

If you are worried, have your host disable "allow_url_fopen" as recommended in the OWASP PHP Configuration Cheat Sheet.

Further reading is PHP top 5.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

xJamie

Ok, everything is working nice now, thanks.

I have a question, should my forum be running on IIS, Xampp or Wamp?

Which alternative gives the best performance and stability?

Much appreciated, thanks.

Arantor

The fact you're asking means you didn't listen to what we told you last time.

xJamie

Quote from: Arantor on June 03, 2014, 10:58:15 AM
The fact you're asking means you didn't listen to what we told you last time.

Why do you have to make everything so complicated for me?

It's a simple question and answer.

My forum has 200+ people online and active every single day. I have a virtual private server which is running the operating system Windows Server 2008 R2 Datacenter. Now my question is as follows, should my forum be running on IIS, Xampp or Wamp?

I want a simple answer. I'm not going to scroll over the replies like last time.

If you can't provide a simple answer, this might be the wrong place for me to seek help.

Arantor

It's not a simple question and answer at all. Your lack of knowledge is frightening and likely to get you into trouble.

I will repeat myself then.

WampServer and Xampp are not, out of the box, set up to be secure on a public website. They're just not designed for public websites. They're designed for people to test websites on their local computer.

The fact you're asking means you don't understand the distinction which also means you're running the webserver yourself without the knowledge to secure it properly, which is a bad idea.

Find yourself a proper host.
