WordPress XMLRPC.php DDOS Attack

The Bigger They Come, The Harder They Fall

Earlier this year a vulnerability was exploited which used the Pingback feature in WordPress. I am going to show how to create a request to recreate the attack. The attack sent upwards of 400 Gbps through the internet. By comparison, your home network is, on a good day, theoretically 100 Mbps. This attack pumped 40x more traffic than your home network can ever do.


I created the request in BURP PROXY:


POST /xmlrpc.php HTTP/1.0
Host: https://prod.nestle-hcp.com.au/breastfeeding/
Content-Type: text/xml
<?xml version="1.0"?>
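From the defender's side, this attack shows up in the victim's web server log as a flood of pingback verification requests relayed by many unrelated WordPress sites. The Python script below is an added example, not code from the original post: it parses access-log lines in the common "combined" format and flags the reflection pattern. It relies on the fact that a WordPress site verifying a pingback fetches the claimed source URL with a User-Agent of the form `WordPress/<version>; <site URL>; verifying pingback from <IP>`, so both the reflector and the address that submitted the pingback appear in the log. The log lines, hostnames, addresses and thresholds are constructed.

```python
import re
from collections import Counter

# One access-log line in Apache/nginx "combined" format:
#   client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# A WordPress site verifying a pingback fetches the claimed source URL with a
# User-Agent "WordPress/<ver>; <site URL>; verifying pingback from <IP>", so the
# victim's log records both the reflector and the address that submitted the pingback.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<reflector>\S+); verifying pingback from (?P<origin>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_pingback_traffic(lines):
    """Count pingback-verification hits per reflector site and per submitting address.
    Returns (reflector_counts, origin_counts, parsed_lines, pingback_lines)."""
    reflectors, origins = Counter(), Counter()
    parsed = pingbacks = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        m = PINGBACK_UA_RE.match(rec["ua"])
        if m is None:
            continue
        pingbacks += 1
        reflectors[m.group("reflector")] += 1
        origins[m.group("origin")] += 1
    return reflectors, origins, parsed, pingbacks

def is_reflection_flood(lines, min_hits=3, min_reflectors=2):
    """Flag a batch of lines when pingback verifications reach min_hits and come from
    at least min_reflectors distinct WordPress sites. The thresholds are illustrative;
    set them from a quiet-period baseline of the site being monitored."""
    reflectors, _, _, pingbacks = summarize_pingback_traffic(lines)
    return pingbacks >= min_hits and len(reflectors) >= min_reflectors

# Constructed sample: four pingback verifications relayed by three WordPress sites,
# all submitted from one address, followed by two ordinary requests.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?4179 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.1; http://reflector-one.example; verifying pingback from 203.0.113.7"',
    '198.51.100.11 - - [10/Mar/2014:12:00:01 +0000] "GET /?8821 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.7.1; http://reflector-two.example; verifying pingback from 203.0.113.7"',
    '198.51.100.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?0034 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.1; http://reflector-one.example; verifying pingback from 203.0.113.7"',
    '198.51.100.12 - - [10/Mar/2014:12:00:02 +0000] "GET /?5510 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.9; http://reflector-three.example; verifying pingback from 203.0.113.7"',
    '192.0.2.44 - - [10/Mar/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/27.0"',
    '192.0.2.45 - - [10/Mar/2014:12:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (compatible; ExampleBot/1.0)"',
]

if __name__ == "__main__":
    reflectors, origins, parsed, pingbacks = summarize_pingback_traffic(SAMPLE_LOG)
    print(f"{pingbacks}/{parsed} parsed requests are pingback verifications")
    print("reflectors:", dict(reflectors))
    print("submitting addresses:", dict(origins))
    print("reflection flood:", is_reflection_flood(SAMPLE_LOG))
```

The per-origin counter is the useful part for response: the reflectors are other people's compromised or merely default-configured WordPress sites, while the submitting address is the party that actually sent the pingbacks. Owners of WordPress sites can stop their own install from being used as a reflector by removing the `pingback.ping` method through the `xmlrpc_methods` filter, or by blocking `xmlrpc.php` at the web server if XML-RPC is not needed.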

See a List of Users in Linux

cat /etc/passwd | cut -d":" -f1

Install Kali on USB using Macbook Air

So I’m trying to install Kali on a Kingston USB 8Gb stick

  1. Download Kali from here
  2. I then used Disk Utility on the Mac to create 2 partitions

Disk Utility


  1. Create Folder Structure on USB
    • EFI/BOOT
  2. Unmount the Kingston usb stick
    • "sudo diskutil unmount /dev/disk1"
    • or "sudo diskutil unmountDisk /dev/disk1"
  3. Copy these files to BOOT Folder
  4. Copy ISO to USB
    • sudo dd if=/path/to/ISO of=/dev/rdisk1 bs=1m
    • Ctrl+t shows the progress
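Before the dd step it is worth confirming that the downloaded ISO is the one the project published, since dd writes whatever it is given straight to the raw device. The following Python script is an added example, not part of the original post: it streams the file through SHA-256 and compares the digest against an entry in a SHA256SUMS-style file (the `<hex digest>  <filename>` format written by sha256sum). The ISO stand-in, its digest and the file name in the demo are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-format lines: '<64 hex chars>  <filename>' (or ' *<filename>' for binary mode)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums

def verify_iso(iso_path, sums_text):
    """True only if the ISO's SHA-256 matches the published entry for its file name."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return False  # no published digest for this file name: treat as unverified
    return hmac.compare_digest(sha256_of_file(iso_path), expected)

def demo():
    """Constructed stand-in for the ISO: a small random file plus a matching SHA256SUMS.
    Returns (verified_before_tampering, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "kali-linux-example.iso")
        with open(iso, "wb") as f:
            f.write(os.urandom(4096))
        sums = f"{sha256_of_file(iso)}  kali-linux-example.iso\n"
        good = verify_iso(iso, sums)
        # Flip one byte in the middle of the image and check again.
        with open(iso, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_iso(iso, sums)
        return good, tampered

if __name__ == "__main__":
    print("intact verifies: %s, tampered verifies: %s" % demo())
```

The checksum only proves the file matches the list; the list itself should come from the project over HTTPS, and Kali additionally publishes a detached signature (SHA256SUMS.gpg) that can be checked with gpg before trusting the digests. Also re-read the device name from `diskutil list` immediately before running dd; a wrong `of=` target overwrites the internal disk just as happily.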



socat -v TCP-LISTEN:8091,reuseaddr,fork TCP:

WebServer on Mac

in Terminal:

  1. Start: apachectl start
  2. Stop: apachectl stop
  3. Restart: apachectl restart

Default File Location:

  • /Library/WebServer/Documents/index.html.en

Opening a file from the Terminal in Mac

sudo open -a <app> <file>

Removing Bindings from IIS Sites

1.  Back up the config file C:\Windows\System32\Inetsrv\config\applicationHost.config and then open it in Notepad.

2.  Search for the web site you want to edit.

Modify the applicationHost.config file to remove the :443 setting

The <bindings> section is what you are looking for: remove the line <binding protocol="https" bindingInformation="*:443:" />

3.  Save the file, refresh IIS, and start or restart the web site; you will then see the changes you made.
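Hand-editing applicationHost.config works but is easy to get wrong on a server with many sites. The Python script below is an added example, not part of the original post: it applies the same change programmatically, backs the file up first, and removes only the bindings for the named site whose protocol and port match. The configuration snippet, site names and host header are constructed; the element and attribute names (`sites`, `site`, `bindings`, `binding`, `protocol`, `bindingInformation`) are the ones IIS uses in this file.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of an applicationHost.config <sites> section.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
      </site>
      <site name="Intranet" id="2">
        <bindings>
          <binding protocol="https" bindingInformation="*:443:intranet.example" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

def remove_bindings(config_xml, site_name, protocol="https", port="443"):
    """Drop every <binding> of the given protocol and port from the named site only.
    bindingInformation is "<ip>:<port>:<host header>", so the port is the middle field.
    Returns (new_xml, number_removed)."""
    root = ET.fromstring(config_xml)
    removed = 0
    for site in root.iter("site"):
        if site.get("name") != site_name:
            continue
        for bindings in site.findall("bindings"):
            for binding in list(bindings.findall("binding")):
                fields = binding.get("bindingInformation", "").split(":")
                if binding.get("protocol") == protocol and len(fields) >= 2 and fields[1] == port:
                    bindings.remove(binding)
                    removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def remove_bindings_in_file(path, site_name, protocol="https", port="443"):
    """Back the file up as <path>.bak, then rewrite it without the matching bindings."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as f:
        new_xml, removed = remove_bindings(f.read(), site_name, protocol, port)
    if removed:
        with open(path, "w", encoding="utf-8") as f:
            f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_xml + "\n")
    return removed

def demo_on_temp_file():
    """Write the constructed config to a temp file and edit it in place.
    Returns (number_removed, backup_exists, https_still_present)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "applicationHost.config")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONFIG)
        removed = remove_bindings_in_file(path, "Default Web Site")
        with open(path, encoding="utf-8") as f:
            after = f.read()
        return removed, os.path.exists(path + ".bak"), 'bindingInformation="*:443:"' in after

if __name__ == "__main__":
    print(demo_on_temp_file())
```

One caveat: ElementTree discards XML comments and normalizes whitespace when it rewrites the file, which is harmless to IIS but makes a diff against the backup noisier. On the server itself the supported route is PowerShell's `Remove-WebBinding` from the WebAdministration module, which edits the same file through the IIS configuration API.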



Searching GoDaddy Shared Linux Server for Malware

My websites were recently flagged by Google as containing Malware.

In the Webmaster Tools I found this link to explain what was found.

http://www.google.com/safebrowsing/diagnostic?site=www.example.com (replace www.example.com with the URL of your own site) to see specific information about what Google's automatic scanners have found.

Of the 21 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-01-01, and the last time suspicious content was found on this site was on 2013-01-01.

Malicious software is hosted on 1 domain(s), including donationwarecallers.info/.

This site was hosted on 1 network(s) including AS26496 (PAH)

I used WinSCP to find an infected file and found this. I’ve truncated the code:

<?php <?php eval(gzinflate(base64_decode('vVhtb9pIEP7
I used PuTTY to SSH into the server and ran the following command to find all the files containing 'vVhtb9pIEP7':

grep -rl "vVhtb9pIEP7" /home/content/s/a/v/savvy95/html

I ran the following command to remove the offending code in any PHP file:

grep -rl "vVhtb9pIEP7" /home/content/s/a/v/savvy95/html | xargs sed -i ".bak" '/vVhtb9pIEP7' > ./html/greplog2.log

But it didn't work. I think it timed out on GoDaddy's servers.

I created a log of files which contained the offending code using the following command:

grep -rl "vVhtb9pIEP7" /home/content/s/a/v/savvy95/html


That seemed to find everything and I manually removed the offending code.
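Manual removal is fine for a handful of files, but the same sweep can be scripted so that every hit is backed up before it is edited and the whole injected statement, not just the marker string, is removed. The Python script below is an added example, not part of the original post. It searches a directory tree for the base64 prefix quoted above, strips the `<?php eval(gzinflate(base64_decode('...'))); ?>` statement carrying that prefix (including the doubled `<?php <?php` opening seen in the infected file), and writes a `.bak` copy alongside each file it changes. The sample directory, its file contents and the base64 tail after the marker are constructed and decode to nothing meaningful.

```python
import os
import re
import shutil
import tempfile

# Base64 prefix of the injected payload quoted on the page, used as the search key.
MARKER = "vVhtb9pIEP7"

def injection_pattern(marker):
    """Match one whole injected statement: one or more '<?php' openers, then
    eval(gzinflate(base64_decode('<marker>...'))); and the closing '?>'."""
    return re.compile(
        r"(?:<\?php\s+)+eval\(gzinflate\(base64_decode\('"
        + re.escape(marker)
        + r"[^']*'\)\)\);\s*\?>\s*"
    )

def find_files_containing(root, marker):
    """Equivalent of grep -rl: every file under root whose text contains the marker."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".bak"):
                continue  # skip our own backups on a second pass
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    if marker in f.read():
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)

def strip_injected_code(text, marker):
    """Return (cleaned_text, number_of_statements_removed)."""
    return injection_pattern(marker).subn("", text)

def clean_tree(root, marker):
    """Back up and rewrite every infected file; returns {path: statements_removed}."""
    report = {}
    for path in find_files_containing(root, marker):
        with open(path, encoding="utf-8", errors="replace") as f:
            original = f.read()
        cleaned, count = strip_injected_code(original, marker)
        if count:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8") as f:
                f.write(cleaned)
        report[path] = count
    return report

def build_sample_tree():
    """Constructed web root: two infected PHP files, one clean PHP file, one stylesheet."""
    root = tempfile.mkdtemp(prefix="html-")
    os.makedirs(os.path.join(root, "inc"))
    files = {
        "index.php": "<?php eval(gzinflate(base64_decode('vVhtb9pIEP7QUJBUkVM'))); ?>\n"
                     "<?php echo \"hello\"; ?>\n",
        "inc/footer.php": "<?php <?php eval(gzinflate(base64_decode('vVhtb9pIEP7AAAAAAA'))); ?>"
                          "<?php\n// footer\n?>\n",
        "inc/header.php": "<?php\n// header\n?>\n",
        "style.css": "body { margin: 0; }\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    return root

def demo():
    """Run the sweep on the constructed tree and return plain values for inspection."""
    root = build_sample_tree()
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    before = [rel(p) for p in find_files_containing(root, MARKER)]
    report = clean_tree(root, MARKER)
    after = [rel(p) for p in find_files_containing(root, MARKER)]
    with open(os.path.join(root, "index.php"), encoding="utf-8") as f:
        index_after = f.read()
    backups = sorted(rel(p + ".bak") for p in report if os.path.exists(p + ".bak"))
    shutil.rmtree(root)
    return {"before": before, "removed": sum(report.values()), "after": after,
            "backups": backups, "index_after": index_after}

if __name__ == "__main__":
    print(demo())
```

Removing the marker string is only the cleanup step. The `eval(gzinflate(base64_decode(...)))` wrapper is a generic decoder for obfuscated payloads, so the same tree should also be searched for that wrapper with other base64 prefixes, and the original entry point (weak FTP credentials, an outdated plugin or theme, a writable upload directory) has to be found and closed or the files will be rewritten.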


Every year 20 Continuing Professional Education (CPE) credits are required to maintain your CISSP credential (along with upholding the (ISC)2 Code of Ethics and paying the Annual Maintenance Fees). At the end of the 3-year cycle, 80 CPEs are required to remain in good standing.

CPEs are broken into groups. Group A activities are direct information systems security activities and align with one of the 10 Body of Knowledge (BOK) domains. Group B activities are professional skills activities and cover areas a security professional would encounter.

But where can you get CPEs? According to their brochure you can get them by doing the following:

  • Attending educational courses or seminars
  • Attending security conferences
  • Being a member of an association chapter and attending meetings
  • Serving on the board for a professional security organization
  • Volunteering for a government, public sector and other charitable organizations, including (ISC)2 volunteer committees
  • Completing higher academic courses
  • Providing security training
  • Publishing security articles or books
  • Participating in self-study courses, computer-based training or Web casts
  • Reading an information security book or subscribing to an information security magazine

Here’s a good article which lists 10 Ways to Get Free CPEs for Your CISSP

The list includes:

  • Get a Degree
  • Watch Videos at The Academy Pro
  • Watch SANS Webcast
  • Listen to Webcasts and Podcasts. Keep a record of date of the podcast and the date you listened. Include the description as well.
  • If you Work for the Federal Government, learn from Virtual Training Environment
  • Department of Homeland Security (DHS) / Federal Emergency Management Agency (FEMA)

Here are some of my favorite reads and podcasts


You can check your CPE status on the (ISC)2 website: www.isc2.org/cpe

Amazon AWS S3 – Give User Access to Bucket

I was working on giving access to one of my Amazon S3 buckets to my cousin to share large files, but was having difficulty. I looked at using Dropbox to share files, but I didn't want him to have to register on the site; I only wanted to provide him a private URL, username and password. The material was confidential, so I didn't want to use Pastebin or some similar site.

So here’s what I did.

I created the S3 Bucket in the AWS Console.

I created a user for him in IAM and an auto-generated password; then put the user into a group.

I created an alias to my Amazon domain.

After several hours of Googling and setting user permissions, creating Bucket Policies and testing with the AWS Policy Generator, I found my answer here.

Can’t access bucket with user who has IAM policy applied



I set a Group Policy, first by going to the IAM console.

Clicked on Groups.

And added the following JSON statement:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket", "s3:GetBucket"],
      "NotResource": ["arn:aws:s3:::<BucketName allowed access>"]
    }
  ]
}



Now it works. Yay!
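The reason this policy works, and what else it permits, is easiest to see by evaluating it the way IAM does: an explicit Deny that applies to a request always wins, any applicable Allow grants, and everything else is denied by default. The Python evaluator below is an added example, not code from the original post or from AWS. Two things in the policy are filled in as labelled assumptions: the bucket name (the page shows a `<BucketName allowed access>` placeholder; `shared-with-cousin` is constructed) and the Allow action list, which the page cuts off after `"s3:Get*"` and which the example assumes also contained `"s3:List*"`, since denying listing of other buckets only has an effect if listing was granted somewhere. The matcher uses Python's `fnmatch` for the `*` and `?` wildcards.

```python
import fnmatch
import json

# The page's group policy with its two elisions filled in as labelled assumptions:
#   - bucket name: "shared-with-cousin" is constructed (page shows a placeholder)
#   - "s3:List*" in the Allow list is assumed; the page's list is cut off after "s3:Get*"
POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket", "s3:GetBucket"],
      "NotResource": ["arn:aws:s3:::shared-with-cousin"]
    }
  ]
}
""")

def _matches(patterns, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    fnmatchcase also treats [...] as a character class, which IAM does not;
    none of the patterns used here contain brackets."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair at all?"""
    if not _matches(stmt["Action"], action):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    if "NotResource" in stmt:
        return not _matches(stmt["NotResource"], resource)
    return False

def is_allowed(policy, action, resource):
    """Single identity-based policy, single request: explicit Deny wins,
    otherwise an applicable Allow grants, otherwise default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed

def explain(policy, requests):
    """Evaluate a list of (action, resource) pairs; returns {(action, resource): bool}."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::shared-with-cousin/big-file.zip"),
        ("s3:ListBucket", "arn:aws:s3:::shared-with-cousin"),
        ("s3:ListBucket", "arn:aws:s3:::some-other-bucket"),
        ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),
        ("s3:PutObject", "arn:aws:s3:::shared-with-cousin/upload.zip"),
    ]
    for (action, resource), ok in explain(POLICY, checks).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {action:14} {resource}")
```

The evaluation shows why the user can download from and list the shared bucket but cannot list any other bucket. It also shows the caveat: because the Allow is on `"Resource": "*"` and the Deny only names the two listing actions, `s3:GetObject` on an object in any other bucket in the account is still permitted if the key is known. A tighter version of the same idea scopes the Allow's `Resource` to `arn:aws:s3:::shared-with-cousin` and `arn:aws:s3:::shared-with-cousin/*` instead of relying on a Deny to carve exceptions out of a wildcard.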