Hackers Point Large Botnet at WordPress sites to Steal Admin Passwords and Gain Server Access


WORDPRESS – If you’re running a WordPress site, now would be a good time to make sure you are using a very strong password and that your username is not “admin.” According to reports from HostGator and CloudFlare, a significant attack is currently being launched at WordPress blogs across the Internet. For the most part it is a dictionary-based brute-force attack that aims to find the password for the ‘admin’ account, which WordPress installs have historically created by default.

HostGator’s analysis found that this is a well-organized and very distributed attack; the company believes that about 90,000 IP addresses are currently involved. CloudFlare founder and CEO Matthew Prince told me earlier today that his company puts the figure at about 100,000 bots. As for the scope of the attack, Prince says that CloudFlare saw attempts against virtually every WordPress site on its network.

If somebody guesses your WordPress password, that is obviously a big problem in itself, but a compromised WordPress account is also a stepping stone to taking over the server, and that is clearly what whoever is behind this attack is after. The CloudFlare team believes that the attacker is currently using a network of relatively low-powered home PCs, but that the aim is “to build a much larger botnet of beefy servers in preparation for a future attack.” Home PCs can be the staging ground for a large denial-of-service attack, but servers have access to far more bandwidth and can hence push out far larger amounts of traffic.

This current attack is similar to one in 2012 that was also aimed at WordPress sites. That attack, however, was looking for outdated versions of TimThumb, a popular PHP-based image resizer that many WordPress themes bundle by default.

Both CloudFlare and HostGator, as well as a number of other hosting providers, have taken measures to protect their customers. Besides choosing a very strong password, which is always a good idea, you can install one of several WordPress plug-ins that limit the number of login attempts from the same IP address or network. Note, though, that with 90,000 IPs at the attackers’ disposal a per-IP limit only goes so far; as WordPress founder Matt Mullenweg notes in a blog post this afternoon, changing your ‘admin’ username to something a bit more obscure may be your best defence. If your site is hosted on WordPress.com, you can also turn on two-factor authentication to add an extra layer of security.
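The trade-off in the previous paragraph, shown as an added example (this is illustrative code, not from the TechCrunch article, CloudFlare, HostGator or any WordPress plug-in): a sliding-window lockout keyed on the client IP, the way a “limit login attempts” plug-in works, against the same lockout keyed on the account name. The attack traffic is constructed, with 300 bots each trying three passwords for ‘admin’ from its own address (reserved private/documentation IPs), followed by the real site owner logging in with the correct password.

```python
"""Per-IP vs. per-account login throttling against a distributed brute force."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: float          # seconds, monotonic within the simulation
    src_ip: str
    username: str
    password_ok: bool  # True only for the genuine owner's attempt


class LoginLimiter:
    """Sliding-window lockout: once a key has `max_failures` failed logins inside
    `window` seconds, every further attempt for that key is refused (and not
    counted, since it never reaches the password check)."""

    def __init__(self, key_fn, max_failures=5, window=300.0):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def check(self, attempt):
        """Return True if the attempt may proceed, False if it is locked out."""
        key = self.key_fn(attempt)
        q = self._failures[key]
        while q and attempt.ts - q[0] > self.window:
            q.popleft()                         # expire failures outside the window
        if len(q) >= self.max_failures:
            return False
        if not attempt.password_ok:
            q.append(attempt.ts)
        return True


def build_attack(n_bots=300, tries_per_bot=3, target="admin"):
    """Constructed botnet traffic: each bot has its own IP and makes only a few tries."""
    attempts, t = [], 0.0
    for bot in range(n_bots):
        ip = f"10.0.{bot // 250}.{bot % 250 + 1}"
        for _ in range(tries_per_bot):
            attempts.append(LoginAttempt(t, ip, target, False))
            t += 0.2
    return attempts


def run(limiter, events):
    """Feed events through a limiter and summarise what it let through."""
    out = {"attack_allowed": 0, "attack_blocked": 0, "owner_allowed": None}
    for ev in events:
        ok = limiter.check(ev)
        if ev.password_ok:
            out["owner_allowed"] = ok
        elif ok:
            out["attack_allowed"] += 1
        else:
            out["attack_blocked"] += 1
    return out


def scenario(owner_username):
    """Run the attack on 'admin' through a per-IP and a per-account limiter, then
    let the real owner (whose account is named `owner_username`) log in."""
    attack = build_attack()
    owner = LoginAttempt(attack[-1].ts + 1.0, "192.0.2.10", owner_username, True)
    events = attack + [owner]
    per_ip = run(LoginLimiter(lambda a: a.src_ip), events)
    per_account = run(LoginLimiter(lambda a: a.username), events)
    return per_ip, per_account


if __name__ == "__main__":
    for name in ("admin", "site_owner_7k2"):
        per_ip, per_account = scenario(name)
        print(name, "per-IP:", per_ip, "per-account:", per_account)
```

With the owner still called ‘admin’, the per-IP limiter lets all 900 guesses through (no single bot ever reaches five failures) while the per-account limiter stops the guessing after five attempts but also locks the owner out for as long as the attack keeps the window full. Renaming the account resolves the conflict: the bots keep hammering a locked ‘admin’ key while the owner’s real account is untouched, which is exactly the point Mullenweg makes.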

SOURCE: TechCrunch

NOTE: WordPress is the most popular Content Management System.


RELATED REPORTS

Hackers hijack over 162,000 WordPress websites

By Lee Bell – Tue Mar 11 2014, 15:42

More than 162,000 legitimate WordPress websites have been hijacked by hackers, security firm Sucuri has claimed, in a scheme that connected them to a criminal botnet and forced them to inadvertently launch distributed denial of service (DDoS) attacks.

Sucuri said it uncovered the botnet while examining an attack targeting one of its customers. Sucuri CTO Daniel Cid wrote in a blog post that the firm traced the sources of the attack to more than 162,000 legitimate WordPress websites.

“The most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending random requests at a very large scale and bringing the site down,” he said.

“Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack [the] site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.”

The hackers mounted the attack using a well-known issue in WordPress that lets a single attacker turn thousands of popular, clean WordPress websites into sources of DDoS traffic.

“And that all happens with a simple ping-back request to the XML-RPC file,” Sucuri’s CTO added. “This is a well-known issue within WordPress and [while] the core team is aware of it, it’s not something that will be patched, though. In many cases this same issue is categorised as a feature, one that many plug-ins use, so in there lies the dilemma.”

Cid said WordPress users concerned that they might be affected should disable the dodgy XML-RPC functionality of their website or download an automated scanner tool from a legitimate security service provider to protect themselves from such attacks.

This is not the first time that WordPress has come under fire from hackers. In January 2012, hundreds of WordPress websites and blogs were compromised.

That attack affected websites running an old version of WordPress (3.2.1), according to M86 Security Labs, which found sites that had been injected with code redirecting visitors to an exploit site.

SOURCE: The Inquirer


RELATED REPORTS

More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack

By Daniel Cid on March 10, 2014

Distributed denial of service (DDoS) attacks have become a recurring topic on our blog lately, and that is fine, because they are a very serious issue for every website owner. Today I want to talk about a large DDoS attack that leveraged thousands of unsuspecting WordPress websites as indirect amplification vectors.

Any WordPress site with pingbacks enabled (which is the default) can be used in DDoS attacks against other sites. Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you are likely very fond of. But it can also be heavily misused, which is what we are seeing here.
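The pingback exchange described in this post and in the Inquirer piece above, modelled as an added example (toy code written for this page, not WordPress’s own xmlrpc.php): `build_pingback_request` produces the single small POST the attacker sends to a reflector, `dispatch` shows why the reflector then contacts the victim and how refusing only `pingback.ping` (rather than switching off all of XML-RPC, which the post notes would break mobile apps and plug-ins) stops it, and `triage_victim_log` pulls the reflecting sites and the attacker’s origin address out of the victim’s access log, using the user-agent format WordPress core sends when it verifies a pingback. The hostnames, IPs and log lines are constructed; the random query strings on the victim URLs are assumed here to be cache-busting.

```python
"""XML-RPC pingback reflection: request, reflector-side refusal, victim-side triage."""
import re
import xmlrpc.client as xc
from collections import Counter


def build_pingback_request(victim_url, reflector_post_url):
    """The one small XML-RPC POST an attacker sends to a reflector's /xmlrpc.php.
    sourceURI is the *victim*: the reflector will fetch it to check that the page
    really links to targetURI (a post on the reflector's own site)."""
    return xc.dumps((victim_url, reflector_post_url), methodname="pingback.ping")


def dispatch(body, pingback_enabled=True):
    """Toy stand-in for xmlrpc.php. Returns (response_xml, urls_reflector_would_fetch).
    Other methods keep working when only pingback.ping is refused."""
    params, method = xc.loads(body)
    if method == "pingback.ping":
        if not pingback_enabled:
            fault = xc.Fault(-32601, "pingback.ping is disabled on this site")
            return xc.dumps(fault, methodresponse=True), []
        source_uri, _target_uri = params
        # A real handler now issues an HTTP GET to source_uri. One tiny POST from
        # the attacker thus becomes a full page fetch by the reflector, and
        # thousands of reflectors aimed at the same source_uri are the DDoS.
        return xc.dumps(("Pingback registered",), methodresponse=True), [source_uri]
    if method == "system.listMethods":
        return xc.dumps((["system.listMethods", "pingback.ping"],), methodresponse=True), []
    return xc.dumps(xc.Fault(-32601, "unknown method"), methodresponse=True), []


def is_fault(response_xml):
    """xmlrpc.client.loads raises Fault for a <fault> response."""
    try:
        xc.loads(response_xml)
    except xc.Fault:
        return True
    return False


# User agent WordPress core sends while verifying a pingback; the trailing IP is
# the client that submitted the pingback.ping call, i.e. the attacker's origin.
UA_RE = re.compile(r'"WordPress/[\d.]+; (https?://[^;"]+); verifying pingback from ([\d.]+)"')


def triage_victim_log(lines):
    """Count reflecting WordPress sites and the origin IPs their user agents reveal."""
    reflectors, origins = Counter(), Counter()
    for line in lines:
        m = UA_RE.search(line)
        if m:
            reflectors[m.group(1)] += 1
            origins[m.group(2)] += 1
    return reflectors, origins


# Constructed victim-side access-log lines (combined format). The random query
# strings are assumed to be cache-busting so that every hit reaches the origin.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2014:14:02:11 +0000] "GET /?4137049=643182 HTTP/1.1" 200 51200 "-" '
    '"WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.9 - - [10/Mar/2014:14:02:11 +0000] "GET /?8893021=117650 HTTP/1.1" 200 51200 "-" '
    '"WordPress/3.7.1; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.5 - - [10/Mar/2014:14:02:12 +0000] "GET /?2205416=909314 HTTP/1.1" 200 51200 "-" '
    '"WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '192.0.2.44 - - [10/Mar/2014:14:02:12 +0000] "GET /about/ HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    body = build_pingback_request("http://victim.example/?4137049=643182",
                                  "http://blog-a.example/2014/03/some-post/")
    print(dispatch(body))
    print(dispatch(body, pingback_enabled=False)[0])
    print(triage_victim_log(SAMPLE_LOG))
```

Two things the output makes concrete: the reflector never has to be compromised, it is simply doing what a pingback handler does, so the fix lives on the reflector side (refuse the method or drop the verification fetch); and on the victim side the “verifying pingback from” address in every reflected request identifies the host that originally sent the pingback.ping calls, which is the address worth blocking or reporting, not the 162,000 innocent sites.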

SOURCE: Sucuri