wp-json exploited to send spam
Good Morning all,
I have been fighting spammers sending messages through the contact us pages on my various WordPress websites.
I’ve added a plugin to disable right click, etc., thinking that they were using the actual contact form, but this morning it irked me enough to go looking in my Apache logs to see if I could track down how the messages were coming in.
It looks like the REST API is being exploited:
21.226.3.7 - - [03/Feb/2021:10:25:08 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/174/feedback HTTP/1.0" 200 358 "https://mydomain.com/contact-us/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.24 Safari/537.36"
I’ve blocked this in my .htaccess and then validated that messages from the website form still come through OK. I just wanted to ask if this could have any other adverse effects …
# tail -1 .htaccess
RewriteRule ^wp-json(/.*|$) /404 [R=301,NC,L]

I’ve done a grep on my access logs and, tossing the contact-form-7 entries, I only have a couple of other hits that appear to be some kind of probe:
66.160.140.184 - - [01/Feb/2021:13:19:39 +0000] "GET /wp-json/ HTTP/1.1" 200 113325 "-" "The Knowledge AI"
66.160.140.184 - - [01/Feb/2021:13:19:39 +0000] "GET /wp-json/wp/v2/pages/6 HTTP/1.1" 401 212 "-" "The Knowledge AI"
66.160.140.184 - - [01/Feb/2021:13:19:50 +0000] "GET /wp-json/oembed/1.0/embed?url=http%3A%2F%mydomain.com%2F HTTP/1.1" 200 2163 "-" "The Knowledge AI"
66.160.140.184 - - [01/Feb/2021:13:19:50 +0000] "GET /wp-json/oembed/1.0/embed?url=http%3A%2F%mydomain.com%2F&format=xml HTTP/1.1" 200 2243 "-" "The Knowledge AI"
143.110.235.32 - - [02/Feb/2021:00:44:17 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 403 229 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
143.110.235.32 - - [02/Feb/2021:00:44:17 +0000] "GET /wp-json/oembed/1.0/embed?url=https://mydomain.com HTTP/1.1" 403 233 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
82.165.56.51 - - [02/Feb/2021:20:53:41 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 403 229 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
82.165.56.51 - - [02/Feb/2021:20:53:41 +0000] "GET /wp-json/oembed/1.0/embed?url=https://mydomain.com HTTP/1.1" 403 233 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
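
One way to tally the /wp-json requests in an access log like the one above, per client IP, route and status code, so that a form-endpoint POST still answered with 200 after a block rule stands out. This is an added example, not part of the original post; the category labels and the sample lines (documentation IPs, example.com) are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[A-Z]+ \S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

# Category labels are this example's own; the routes are the ones seen in the post.
ROUTES = [
    ("cf7-feedback", re.compile(r"^POST /wp-json/contact-form-7/v1/contact-forms/\d+/feedback", re.I)),
    ("user-listing", re.compile(r"^\S+ /wp-json/wp/v2/users(/|\?|$)", re.I)),
    ("oembed", re.compile(r"^\S+ /wp-json/oembed/", re.I)),
    ("api-index", re.compile(r"^\S+ /wp-json/?(\?|$)", re.I)),
    ("other-rest", re.compile(r"^\S+ /wp-json/", re.I)),
]

def classify(request):  # 'METHOD /path' -> category, or None if not a REST request
    return next((label for label, rx in ROUTES if rx.search(request)), None)

def summarize(lines):  # -> {ip: Counter({(category, status): hits})}
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        cat = classify(m["request"]) if m else None
        if cat:
            per_ip[m["ip"]][(cat, int(m["status"]))] += 1
    return dict(per_ip)

def accepted_form_posts(summary):
    """Count form-endpoint POSTs the server still answered with 200."""
    return sum(n for hits in summary.values() for (cat, status), n in hits.items()
               if cat == "cf7-feedback" and status == 200)

# Constructed sample lines (documentation IPs, example.com), shaped like the post's log.
SAMPLE = [
    '192.0.2.10 - - [03/Feb/2021:10:25:08 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/174/feedback HTTP/1.0" 200 358 "https://example.com/contact-us/" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2021:11:02:41 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/174/feedback HTTP/1.0" 301 239 "https://example.com/contact-us/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Feb/2021:00:44:17 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 403 229 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Feb/2021:00:44:17 +0000] "GET /wp-json/oembed/1.0/embed?url=https://example.com HTTP/1.1" 403 233 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2021:13:19:39 +0000] "GET /wp-json/ HTTP/1.1" 200 113325 "-" "ExampleBot"',
]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip, hits in summary.items():
        print(ip, dict(hits))
    print("form POSTs answered 200:", accepted_form_posts(summary))
```

To run it over a real log, pass the open file object to `summarize()` in place of `SAMPLE`.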