WordPress Sites Targeted by Mass Brute-force Botnet Attack

IT Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.
Over the past two weeks, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly used username and password combinations.

Infected sites are seeded with a backdoor that lets the attackers control the site remotely (the backdoor persists regardless of whether the legitimate site owner subsequently changes his password). The infected sites are then conscripted into the attacking botnet and forced to launch password-guessing attacks against other sites running WordPress.
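The login-guessing pattern described above leaves a clear trace in the web server's access log. The following is an added detection example, not code from the original article or from any of the firms it quotes: it parses combined-format access-log lines, keeps failed POSTs to wp-login.php, and applies two rules. A per-IP rule catches a single loud source; a site-wide rule counts distinct IPs and total attempts inside a window, which is what catches the distributed case the article describes, where thousands of sources each make only a few guesses. The sample log lines, IP addresses and thresholds are constructed for the example; the one WordPress-specific fact it relies on is that a wrong password re-renders the login form with HTTP 200 while a successful login redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Return sorted (timestamp, ip) pairs for every failed POST to wp-login.php.
    WordPress answers a wrong password with the login form again (HTTP 200) and a
    correct one with a redirect (302), so a 200 on a POST is a failed guess."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            out.append((rec["ts"], rec["ip"]))
    return sorted(out)


def noisy_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Per-IP rule: sources with at least `threshold` failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_campaign(events, window=timedelta(minutes=5), min_ips=3, min_total=12):
    """Site-wide rule for the pattern the article describes: many distinct IPs, each
    making only a few guesses, so no single source trips the per-IP rule.
    Returns ((distinct_ips, total_failures) for the busiest window, crossed_thresholds)."""
    best = (0, 0)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        chunk = events[start:end + 1]
        ips = len({ip for _, ip in chunk})
        best = max(best, (ips, len(chunk)))
    return best, best[0] >= min_ips and best[1] >= min_total


def _line(ip, second, status, method="POST", path="/wp-login.php"):
    """Build one constructed combined-format log line at 10:00:SS on 12 Apr 2013."""
    return (f'{ip} - - [12/Apr/2013:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4012 "-" "Mozilla/5.0"')


# Constructed sample: four low-rate bot sources (3 guesses each, below the per-IP
# threshold), one loud source (12 guesses), one successful legitimate login (302),
# and one GET of the login page, which is not a guess.
SAMPLE_LOG = (
    [_line(f"203.0.113.{n}", 10 + 3 * n + k, 200) for n in range(1, 5) for k in range(3)]
    + [_line("198.51.100.7", 20 + k, 200) for k in range(12)]
    + [_line("192.0.2.50", 40, 302)]
    + [_line("192.0.2.50", 41, 200, method="GET")]
)

if __name__ == "__main__":
    events = failed_logins(SAMPLE_LOG)
    print("failed guesses:", len(events))
    print("loud sources:", noisy_sources(events))
    print("busiest window (ips, total), distributed:", distributed_campaign(events))
```

Run against the constructed sample, the per-IP rule flags only 198.51.100.7, while the four 203.0.113.x sources (12 guesses between them, three each) pass it unnoticed and are caught only by the site-wide rule. Against real logs, feed `failed_logins()` the lines of the access log for the host and tune the two window sizes to the site's normal login volume.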

The traffic generated by all this activity is wreaking havoc for some Web hosting firms. It hurts the service providers the most: not just with incoming traffic, but because as soon as their servers get hacked, those servers begin bombarding other servers with attack traffic. These are Web servers, not home PCs. A PC may be connected to the Internet with a 10 or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. The attackers are building an army of zombies, big servers to bombard other targets, perhaps for a bigger cause down the road.

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas-based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant. “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”

That assessment was echoed in a blog post Thursday by CloudFlare, a content delivery network based in San Francisco. CloudFlare CEO Matthew Prince said the tactics employed in this attack are similar to those used by criminals to build the so-called itsoknoproblembro/Brobot botnet which, in the fall of 2012, was responsible for a series of rather large cyber attacks against the largest US financial institutions.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince wrote. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper- and lowercase letters, at least eight characters in length, and at least one “special” character (^%$#&@*).

Matthew Mullenweg, the founding developer of WordPress, suggests site administrators choose a username other than the default “admin”. In addition, he urged owners of WordPress.com-hosted blogs to turn on two-factor authentication and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote.

WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections:

– Log in to the administrative panel and remove any unfamiliar admin users.

– Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time).

– Update the secret keys inside WordPress (otherwise any rogue admin user can remain logged in).

– Reinstall WordPress from scratch or revert to a known, safe backup.
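The third step, updating the secret keys, is the one most often skipped, and it is what actually evicts a rogue admin who is already logged in: WordPress derives its login cookies from the eight key and salt constants defined in wp-config.php, so replacing them invalidates every existing session at once. The script below is an added example, not the article's or WordPress's own code; it rewrites the eight `define()` lines with fresh random values and leaves the rest of the file untouched. The sample config text is constructed, and the file path on the command line is an assumption about where the install lives.

```python
import re
import secrets
import string

# The eight key/salt constants WordPress reads from wp-config.php.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Characters for the new values; quotes and backslash are left out so the value
# can sit inside PHP single quotes without any escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,./"

# Matches define('NAME', 'value'); with either quote style and optional spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\);"""
)


def new_key(length=64):
    """A fresh random key from the OS CSPRNG, 64 characters like WordPress's own generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, rotated_names). Every define() of one of the eight key
    constants receives a new random value; any other define() is left as it was."""
    rotated = []

    def repl(m):
        name = m.group("name")
        if name not in WP_KEYS:
            return m.group(0)
        rotated.append(name)
        return f"define('{name}', '{new_key()}');"

    return DEFINE_RE.sub(repl, config_text), rotated


def extract_keys(config_text):
    """Map each of the eight constants present in the file to its current value."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text) if m.group("name") in WP_KEYS}


# Constructed sample of the relevant part of a wp-config.php that still carries
# the stock placeholder values (the worst case: identical on every such install).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    import sys
    # Assumed location; pass the real path of the install's wp-config.php.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-config.php"
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, names = rotate_salts(original)
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)          # keep a copy of the old file beside it
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(f"rotated {len(names)} keys ({', '.join(names)}); backup at {path}.bak")
```

On a live install WP-CLI's `wp config shuffle-salts` performs the same rewrite; the script is handy when the site is being rebuilt offline from a backup, as in the fourth step, and the keys in the restored wp-config.php must not be the ones the intruder already saw. Rotating the keys does not remove a rogue admin user or a backdoor file, which is why it is only one of the four steps.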

About the author

Freelancer Information Technology.