HTTP-Reflection and Amplification via a 100k-Wordpress-Botnet

  • Step 1: goto shodan and search for Pingback; for thos who need context: read this

  • Step 2: extract the DATA from shodan-export.json.gz:
    with some older files i had just over 150k wordpress-installations

[ trigger@happy ~ ] zless shodan-export.json.gz | jq .data |  grep "X-Pingback" | awk -F "Pingback:" '{print $2}' | awk -F "/xmlrpc" '{print $1}' | sort -u  > wc-pongback.list

[ trigger@happy ~ ] > wc -l wc-pongback.list 
151531 wc-pongback.list
  • Step 3: run the whole list through a parser that does the following:
    • check if the website is online
    • check if /xmlrpc.php exists, if not, continue
    • check if /feed exists, is loadable with feedparser
    • select a random wp-post-url from feeds, neede dlater for callback
    • write res to a file




Fragen? Kontakt: info@zero.bs

taggy