Compromised WordPress Bot Net Attacks, Now Help Kill it


100% Tier-1 Gogent
This morning some idiot thought his little compromised WordPress bot net would terrorize a provider. It worked for a few minutes, then humans sprung to.

Slews and slews of URL requests made at the same time through common WordPress exploitation.

This details the common exploit via the Pingback mechanism:

In a bit, when they tire out and/or run out of money, interest or compromised machines, I'll publish all the compromised IPs so others can take a proactive stance and get to snipping them too.

Open to recommendations on services and sites such compromised sites can be added to for sh!t listing.


Bad Goy
For convenient copy-paste:

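/* Author: Samuel Aguilera */
// Hook the list of XML-RPC methods WordPress exposes.
add_filter( 'xmlrpc_methods', 'Remove_Pingback_Method' );

// Drop the pingback handlers from the method table and return what is left.
function Remove_Pingback_Method( $methods ) {
   unset( $methods[''] );
   unset( $methods['pingback.extensions.getPingbacks'] );
   return $methods;
}
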
In the previous posts with the XML-filter unset, be sure to replace:




100% Tier-1 Gogent
Oh yeah, the company in this instance wasn't running WordPress, but rather someone using those exploited WordPress installs as a distributed DDoS cannon against them.


100% Tier-1 Gogent
Feel free to block this WordPress compromised botnet :)  Seems like they ran out of compromised machines... bahahaha
List here under.... in the spoiler...


Just a little bit crazy...
Verified Provider
Honestly, at least pingback attacks are easy to recognize & mitigate. WordPress uses a recognizable User Agent, so providing you have enough bandwidth you can just tank it.


100% Tier-1 Gogent
This attack @splitice was more sophisticated.

Unsure how they are doing it, but the user agent, when they started getting blocked, stopped having WordPress in it and went random mass browsers.  So the user agent block approach died quickly :(

They were also pounding random number values into the URL base request...
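
The two signals discussed in this thread (the WordPress user agent, and random numbers appended to the base URL once the user agent was randomized) can be checked together against an access log. This is an added example, not code from any poster in the thread; the combined log format, the digits-only query shape, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" access-log format (not data from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:09:00:01 +0000] "GET /?4815162 HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.9"
198.51.100.8 - - [10/Mar/2014:09:00:01 +0000] "GET /?9921743 HTTP/1.0" 200 512 "-" "WordPress/3.5; http://blog-b.example"
198.51.100.9 - - [10/Mar/2014:09:00:02 +0000] "GET /?3370155 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
198.51.100.10 - - [10/Mar/2014:09:00:02 +0000] "GET /?7712009 HTTP/1.1" 200 512 "-" "Opera/9.80 (X11; Linux x86_64)"
192.0.2.44 - - [10/Mar/2014:09:00:03 +0000] "GET /pricing?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
"""

# Captures: client IP, method, request target, user agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')
# Assumed shape of the random-number requests: a path plus a digits-only query.
NUMERIC_QUERY_RE = re.compile(r'^([^?]*)\?(\d{4,})$')

def classify_sources(log_text, min_sources=3):
    """Return (ua_hits, url_only_hits) as sets of client IPs."""
    ua_hits = set()
    by_path = defaultdict(set)  # base path -> {(ip, numeric value)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, agent = m.groups()
        # WordPress identifies itself as "WordPress/<version>; <site URL>".
        if agent.startswith("WordPress/"):
            ua_hits.add(ip)
        q = NUMERIC_QUERY_RE.match(target)
        if q:
            by_path[q.group(1)].add((ip, q.group(2)))
    url_hits = set()
    for pairs in by_path.values():
        ips = {ip for ip, _ in pairs}
        values = {v for _, v in pairs}
        # Many sources, each sending a different number to the same path.
        if len(ips) >= min_sources and len(values) >= min_sources:
            url_hits |= ips
    return ua_hits, url_hits - ua_hits

if __name__ == "__main__":
    ua, url_only = classify_sources(SAMPLE_LOG)
    print("WordPress user agent:", sorted(ua))
    print("numeric-URL pattern only:", sorted(url_only))
```

The second set is the one that matters after the user agent changes: those sources look like ordinary browsers but still share the numeric-query pattern on a single path.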