
Wordpress Sites Under Wide-Scale Brute Force Attack

Soulskill posted about a year and a half ago | from the pressing-all-the-words dept.

Security

New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.


110 comments


Seems like..... (3, Insightful)

n3tm0nk (2725243) | about a year and a half ago | (#43435545)

something they should have been prepared for in the first place......

Re:Seems like..... (5, Informative)

jakimfett (2629943) | about a year and a half ago | (#43435679)

Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.

Re:Seems like..... (2)

Doug Otto (2821601) | about a year and a half ago | (#43435803)

This.

Based on the dictionary they're using for this attack, all that's required to thwart it is a capital letter.

Re:Seems like..... (1)

pspahn (1175617) | about a year and a half ago | (#43435981)

Doesn't WP allow you to change the admin login URL as well?

Re:Seems like..... (2)

Doug Otto (2821601) | about a year and a half ago | (#43435995)

Unfortunately, no. It is, however, easy enough to protect with .htaccess

Re:Seems like..... (1)

smitty_one_each (243267) | about a year and a half ago | (#43437987)

Yes, you can specify a subdirectory at install-time.

Re:Seems like..... (4, Informative)

Electrawn (321224) | about a year and a half ago | (#43436003)

No, the wp-admin folder is rather hard coded.

Re:Seems like..... (1)

bananaquackmoo (1204116) | about a year and a half ago | (#43436795)

Don't listen to them. It is quite possible.

Re:Seems like..... (1)

Algae_94 (2017070) | about a year and a half ago | (#43437589)

It can be done, of course, but it's not an easily configurable option in the web interface.

Re:Seems like..... (0)

Anonymous Coward | about a year and a half ago | (#43435983)

Also don't use standard directory structure like /wordpress/ or /blog/

Re:Seems like..... (1)

schlick (73861) | about a year and a half ago | (#43436497)

And using the google authenticator plugin for 2 factor authentication.

Re:Seems like..... (0)

Anonymous Coward | about a year and a half ago | (#43436773)

> And using the google authenticator plugin for 2 factor authentication.

That would be idiotic.^W^W^W^WI have some magic beans for you! Simply send any message to this email address: ihavewaytoomuchmoney@wesolvethat.com

Re:Seems like..... (3, Informative)

Zamphatta (1760346) | about a year and a half ago | (#43437135)

And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

Re:Seems like..... (1)

x_t0ken_407 (2716535) | about a year and a half ago | (#43437523)

> And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

There are indeed plugins that do this. In fact, I was alerted to a few of my sites being bruteforced from a plugin that does just that. What really helps though, is having a .htpasswd enabled on the wp-admin directory -- I use a plugin for that as well ("AskApache Password Protect"), though admittedly it's not hard at all to implement without the plugin.

Re:Seems like..... (1)

thoughtlover (83833) | about a year and a half ago | (#43442089)

You should not use plugins to regulate login attempts, at this time. Check the post, below and link to his blog with the reasons why. http://it.slashdot.org/comments.pl?sid=3643255&cid=43436363 [slashdot.org]

I'd also recommend that people reset their Secret Keys to resalt users' cookies. https://codex.wordpress.org/Editing_wp-config.php#Security_Keys [wordpress.org]

Re:Seems like..... (1)

locater16 (2326718) | about a year and a half ago | (#43437849)

Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters, numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password than "Correct Horse Staple Battery", which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.

Re:Seems like..... (1)

rtb61 (674572) | about a year and a half ago | (#43438061)

Dictionary attack fails due to time constraints, as the complexity is just as great for completely mixed characters as for a pass phrase: you must guess all the words simultaneously rather than solve one word at a time. A pass phrase is quite simply the best realistic solution, as it provides plenty of characters while being easy to remember, and from the outside it is still unknown whether you are using any other characters in the password, hence they still must be checked. PS: spaces are never used in pass phrases, so why bother?

Re:Seems like..... (1)

Spiridios (2406474) | about a year and a half ago | (#43441391)

> Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters, numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password than "Correct Horse Staple Battery", which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.

I think you misunderstand. A brute-force attack on a password is "just" a dictionary attack using letters and symbols as your dictionary instead of English words. There's realistically 26 lower case letters, 26 upper case letters, 10 digits, around 32 symbols, and space (just looking at my keyboard), giving us a set of about 95 to compose our passwords from. According to Oxford Dictionaries [oxforddictionaries.com] there's around 171,476 words in current usage. Even if you constrain to what the average person knows, you've got anywhere from 12,000 to 60,000 words depending on who you trust for those kinds of statistics. Want to include your below average person? If XKCD [xkcd.com] is to be judged, you can still communicate somewhat by limiting yourself to the 1000 most used words. That ignores capitalization variations, so it assumes the attacker knows you only capitalize the first word of the sentence (or whatever your personal rule is). That actually puts a six word passphrase using a vocabulary of 1000 words as harder to brute force than an eight character password.

Passphrases of equivalent length are easier to remember because we're trained to think in sentences, not letters. You can also use visualization techniques, as XKCD suggests, because we associate images with many words, not so much with letters. The biggest problem with passphrases are sites that put an upper limit on passwords, so we're forced to come up with pass phrases that operate as mnemonics for passwords, but then that limits our pool of characters in our password (unless you know a word that begins with the letter %).

Re:Seems like..... (0)

Anonymous Coward | about a year and a half ago | (#43438083)

Can anyone suggest the best plugin for WP security? My site is affected: itstarz [itstarz.com]

Re:Seems like..... (1)

radio4fan (304271) | about a year and a half ago | (#43439371)

Good advice.

But really, there just shouldn't be a default username: you should have to enter your own. This has been standard practice for decades.

Though I have to concede it works pretty well, WP is truly awful: a tiny bit object-oriented here, a bit finite state machine there; no coherent design at all.

It's kind-of the PHP of PHP software: Crufty, inelegant, painful to develop with, yet also ubiquitous and loved by clients, who ask for it by name.

WordPress needs a 100% rewrite by someone who has read a book or two on programming.

Re:Seems like..... (0)

Anonymous Coward | about a year and a half ago | (#43435797)

As a host, you simply cannot vet everything an unmanaged customer uploads to their account or dedicated server. With Wordpress' security history though, you'd think that some relevant security features would have been rolled into every release by now.

Liquidweb truly sucks, they deserve to burn! (-1)

Anonymous Coward | about a year and a half ago | (#43435555)

http://liquidwebreallysucks.com/

really? (2)

bmimatt (1021295) | about a year and a half ago | (#43435561)

I see automated attacks on wordpress sites in the logs all the time.  Same with phpmyadmin and other popular FOSS software.  What else is new?

Re:really? (1)

Anonymous Coward | about a year and a half ago | (#43435741)

What's new is the gigantic scale of it, nothing more. It appears to be one humongous distributed brute-force attack with the power to quite easily take down a server. This is not your average Wordpress brute-force attack.

Re:really? (1)

n3tm0nk (2725243) | about a year and a half ago | (#43435933)

I am wondering if this attack is masking some other activity.

Re:really? (0)

Anonymous Coward | about a year and a half ago | (#43436635)

How in the word is accessing a web admin panel going to bring down a server? Please explain that one to me.

I sir, am declaring shenanigans on your claim!

Re:really? (0)

Anonymous Coward | about a year and a half ago | (#43436861)

I've seen upwards of 10,000 IPs hitting the same wp-login at once. That's how.

Re:really? (0)

Anonymous Coward | about a year and a half ago | (#43438713)

No, he is saying that the amount of bots involved is more than enough to (if they decide) DDoS a server.

Re:really? (1)

Anonymous Coward | about a year and a half ago | (#43435743)

What is new is that these attempts are coming from so many IPs simultaneously that it's crashing servers.

Re:really? (0)

Anonymous Coward | about a year and a half ago | (#43436623)

Finally another educated admin out there. Working for one of the top 5 web hosts in the company I saw at least 10-20 compromised sites a day. All of which were WordPress, Joomla, Drupal and all of the other FOSS apps that mom and pops try to run without knowing how.

CVE reports almost 150 active exploits for wordpress.

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

This happens way too frequently for this to be considered actual news.

Re:really? (0)

Anonymous Coward | about a year and a half ago | (#43436827)

When you have 11,000 IPs hitting the same wp-login.php at once, it's not your normal everyday BS. I also work for a major web host. This is the most intense webapp brute force I've seen in 3-4 years. They're not trying to exploit any CVEs, just log in with 'admin' and common passwords.

limit login attempts (5, Insightful)

interkin3tic (1469267) | about a year and a half ago | (#43435589)

> advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

Not being familiar with wordpress, I'll ask why isn't that on by default?

Re:limit login attempts (5, Insightful)

preaction (1526109) | about a year and a half ago | (#43435713)

Because it increases the number of support requests dramatically.

Re:limit login attempts (0)

Anonymous Coward | about a year and a half ago | (#43435765)

The plugin is 3rd party and not a part of WordPress itself.

Re:limit login attempts (1)

interkin3tic (1469267) | about a year and a half ago | (#43435793)

Same basic question: why not?

Re:limit login attempts (1)

Anonymous Coward | about a year and a half ago | (#43435847)

Same basic answer: Because it increases the number of support requests dramatically.

Re:limit login attempts (0)

Anonymous Coward | about a year and a half ago | (#43436029)

And support is expensive, whether you consider money or time.

Re:limit login attempts (3, Insightful)

sabt-pestnu (967671) | about a year and a half ago | (#43435783)

>>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

> Not being familiar with wordpress, I'll ask why isn't that on by default?

What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?

And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.

<ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>

Re:limit login attempts (0)

Anonymous Coward | about a year and a half ago | (#43435959)

> <ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>

Yeah that /is/ pretty ignorant

Re:limit login attempts (0)

Stalks (802193) | about a year and a half ago | (#43436551)

It would be written in PHP, so trivial to add an exception to your IP.

Re:limit login attempts (1)

jkflying (2190798) | about a year and a half ago | (#43439127)

Apparently there are over 90,000 IPs involved in the attacks, so they can effectively test a 90,000 password dictionary before you even see the same IP twice.

Fail2ban ForTheWin (0)

Anonymous Coward | about a year and a half ago | (#43436019)

Better yet, fail2ban...

Re:Fail2ban ForTheWin (0)

Anonymous Coward | about a year and a half ago | (#43436299)

You don't understand this "distributed" thing, do you? f2b does absolutely nothing when there's 90k hosts prodding your machine. The same ip won't try more than once.

Re:Fail2ban ForTheWin (1)

Algae_94 (2017070) | about a year and a half ago | (#43437695)

In that case, what's there to worry about? 90,000 guesses (1 per ip) is nowhere near enough to brute force a halfway decent password.

In order to brute force a password, you would need to hit the site multiple times from each IP. Every IPv4 address in existence (counting IPs that are not valid, like 127.0.0.0) with one guess apiece gives 2^32 guesses. A 6 character alphanumeric password has over 13 times as many possibilities.

Re:Fail2ban ForTheWin (0)

Anonymous Coward | about a year and a half ago | (#43438735)

Meh, this isn't even a real brute force attack. This is a dictionary attack, limited to just thousands of common passwords. They don't care about breaking in, they're looking for the key under the doormat. 90,000 attempts per day is plenty for that.

Re:limit login attempts (0)

Anonymous Coward | about a year and a half ago | (#43436295)

This will not help in this case - the number of IPs used for the attack is far too large, and the attackers have taken to only sending one login attempt per IP.

htaccess checking to make sure the HTTP_REFERER is your website does work just fine, though.
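The two objections above (a per-IP lockout never fires when each zombie sends one POST, while a same-site Referer check still works) as an added example that is not from any commenter. It runs over constructed access-log lines and shows what a per-IP counter sees next to the site-wide count of wp-login.php POSTs and distinct source addresses; the thresholds, the hostname and the log lines themselves are assumptions.

```python
"""Per-IP versus site-wide view of a distributed wp-login.php brute force.

Constructed sample log lines stand in for real traffic (RFC 5737 test
addresses, nothing observed). Thresholds and the site hostname are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format lines: eight login POSTs from eight
# different addresses inside thirty seconds (one guess each, Referer "-"),
# one real login from 192.0.2.44, two ordinary GETs and one malformed line.
SAMPLE_LOG = """\
198.51.100.11 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.12 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "GET /2013/04/hello/ HTTP/1.1" 200 8890 "http://www.example.com/" "Mozilla/5.0"
198.51.100.13 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.14 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Apr/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.com/wp-login.php" "Mozilla/5.0"
198.51.100.15 - - [12/Apr/2013:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.16 - - [12/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
this line is deliberately malformed and must be skipped by the parser
198.51.100.17 - - [12/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def login_posts(events):
    """Only POSTs to wp-login.php are password guesses; GETs just fetch the form."""
    return [e for e in events
            if e["method"] == "POST" and e["path"].split("?", 1)[0] == "/wp-login.php"]


def per_ip_offenders(posts, threshold=5):
    """What fail2ban or Limit Login Attempts keys on: addresses at or over the threshold.
    With one guess per zombie this list stays empty however large the attack is."""
    counts = Counter(e["ip"] for e in posts)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def busiest_window(posts, window_seconds=60):
    """Most login POSTs seen in any window, and how many distinct addresses sent them."""
    posts = sorted(posts, key=lambda e: e["ts"])
    best = (0, 0)
    for i, first in enumerate(posts):
        window = [e for e in posts[i:]
                  if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
        best = max(best, (len(window), len({e["ip"] for e in window})))
    return best


def site_wide_alert(posts, window_seconds=60, min_posts=5, min_distinct_ips=3):
    """Alert on volume plus spread: many guesses from many addresses in one window."""
    n, ips = busiest_window(posts, window_seconds)
    return n >= min_posts and ips >= min_distinct_ips


def posts_without_site_referer(posts, site_host):
    """Login POSTs whose Referer is not a page on site_host. A browser submitting
    the real login form carries one; the scripted guesses here carry none.
    Referer is client-supplied, so this is a filter, not proof of intent."""
    ok = ("http://" + site_host + "/", "https://" + site_host + "/")
    return [e["ip"] for e in posts if not e["referer"].startswith(ok)]


if __name__ == "__main__":
    posts = login_posts(parse_log(SAMPLE_LOG))
    print("login POSTs:", len(posts))
    print("per-IP offenders (threshold 5):", per_ip_offenders(posts))
    print("busiest 60 s window (posts, distinct IPs):", busiest_window(posts))
    print("site-wide alert:", site_wide_alert(posts))
    print("POSTs without same-site Referer:",
          len(posts_without_site_referer(posts, "www.example.com")))
```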

Captcha's (1)

wanfuse123 (2860713) | about a year and a half ago | (#43436453)

There are several captcha plugins available; they won't help with the DDoS but will help with machines trying to guess passwords. http://rawcell.com [rawcell.com]

GOD FORBID... (-1, Offtopic)

quonsar (61695) | about a year and a half ago | (#43435607)

someone getting unauthorized access to my crappy blog!

Re:GOD FORBID... (1)

Anonymous Coward | about a year and a half ago | (#43435691)

Yes, god forbid.

Nobody gives a shit about your crappy blog, but they will give a shit about your crappy forms that allow massive amounts of spam to be sent out.

Though admittedly, you usually don't need to brute force your way in for that.

Re:GOD FORBID... (0)

Anonymous Coward | about a year and a half ago | (#43435795)

Or even better to get a foot in the door via your crappy blog and then go to work on the hosting company's server.

Re:GOD FORBID... (1)

Algae_94 (2017070) | about a year and a half ago | (#43437707)

God forbid someone gets access to a hosting company that is so bad a client's blog can gain access to their server.

Little do they know... (1)

dragon-file (2241656) | about a year and a half ago | (#43435733)

that the administrative account uses 'administrator' not 'admin'. They'll be attempting that brute force for quite a while.

Re:Little do they know... (5, Funny)

Quirkz (1206400) | about a year and a half ago | (#43435775)

That's why I changed mine from username 'admin' with a blank password to password 'admin' with a blank username. They'll never guess that one!

Re:Little do they know... (1)

dragon-file (2241656) | about a year and a half ago | (#43435845)

facepalm

Re:Little do they know... (0)

Anonymous Coward | about a year and a half ago | (#43438055)

I am unable to get access to my site Software Zone [freeallstuff.com], but all my data is still here.

Re:Little do they know... (1)

Pauldow (1860502) | about a year and a half ago | (#43440309)

I use eight asterisks as my password. That way I can see it when I type it in.

That's why remote admin/root shouldn't be allowed (-1)

Anonymous Coward | about a year and a half ago | (#43435735)

Remote login attempts to "admin", "administrator", "root" are simply blocked on the servers I manage. It isn't possible. You'll have to guess another account name and then switch. Login attempts to "admin", "administrator", "root", and a bunch of others are automatically rejected and the time for login retries is long. On my web server, attempts to access certain commonly-vulnerable URLs that don't exist on the server (e.g., phpmyadmin) are also sent to a tarpit. The server does send a response back to the client, but it is random binary garbage, sent a few bytes at a time at intervals just shy of default timeouts. I've often wondered if I've fuzzed any bugs out of the software these people are using :-)

None of this would probably stand up to a huge DDOS like this (has to be controlled further upstream), but a regular script kiddie is going to find my servers a horrible, sluggish black hole as they attempt the usual logins and security flaws. I mean, what kind of script is going to be able to resist the temptation to try the usual "easy" approaches first? But once they do: dump the connection, tarpit it, whatever. They're unquestionably up to no good.

Re:That's why remote admin/root shouldn't be allow (2)

Quirkz (1206400) | about a year and a half ago | (#43435809)

The no remote admin access makes sense for a computer login, but for a web-based app like WordPress often run on a remote hosting account there's no such thing as "local" access. Or I suppose there is, but most users don't have access to the host server and wouldn't know how to use it even if they did.

Re:That's why remote admin/root shouldn't be allow (1)

Anonymous Coward | about a year and a half ago | (#43436061)

> but for a web-based app like WordPress often run on a remote hosting account there's no such thing as "local" access

SSH tunnels.

Re:That's why remote admin/root shouldn't be allow (1)

KPU (118762) | about a year and a half ago | (#43435871)

Great! Now all I have to do is compromise your user account, add some aliases to your .bashrc, and I get promoted to root.

Re:That's why remote admin/root shouldn't be allow (1)

Anonymous Coward | about a year and a half ago | (#43436197)

And how will you do that if you don't know my regular username or password? All you've done is turn an easy problem (brute force guess the password for the known account "root"), into a harder problem (guessing both my username and password, and then guessing the root one or sneaking something into an alias and hoping I invoke it during an "su" or "sudo"). If you're talking about some other way to compromise the system, then the account name/pass is irrelevant.

All I'm saying is, these guys are apparently knocking on the "remote root login" door, hoping for an easy win that way. I don't understand why anyone's machine would be set up to allow such an easy way in. Don't have a "root", "admin", or "administrator" account with remote login enabled. Taking the guesswork out of the account name defeats half the value of having a username/pass pair, so don't make it so easy (there are of course other ways to authenticate, but assuming that's the method you're using -- do it right).

Someone else mentioned that for something like WordPress, you have to have remote login for administrators. Yes, but I don't see why the account *name* has to be "admin". Sure, it's easy to remember, but why couldn't it be something random like "SuperLuser782", which would be unlikely for a bot to try out in the first hundred common guesses for an administrator account.

Oh no! (-1)

Anonymous Coward | about a year and a half ago | (#43435891)

> ...Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs

And this is a big deal because ....why?

Oh my! Some blogger is going to have his shitty content compromised! Oh no!

The World is coming to an end!

EVERYBODY PANIC!

Get a fucking grip people.

We have an asshole in Asia pointing nukes at people and I'm supposed to get worried about this?

Computer Security Experts need a new brand of panties that won't make them so exited! And maybe down a couple of Midols! And change tampons more often - fags.

Yeah, yeah, yeah, they have to justify their existence. The crazy 90s are over where nobody wrote secure code and now they have to drum up business somehow.

Re:Oh no! (0)

Anonymous Coward | about a year and a half ago | (#43436375)

Quite true. In fact I think I'll just switch off my pager this weekend, after all I can only worry about one thing at a time, so I may as well worry about one I can do nothing about.

Re:Oh no! (1)

uberbrainchild (2860711) | about a year and a half ago | (#43436439)

It's not just bloggers, a lot of businesses use WordPress. If I remember correctly, Spotify's website is WordPress based.

Identifying compromised installs? (0)

Anonymous Coward | about a year and a half ago | (#43435963)

I've been seeing these for the past few days across a wide variety of customer servers, sometimes with enough traffic to push the box into swap death. All I've found online are people warning of it and how to defend against it, but has anyone done any forensics on a compromised install? If so, can you share what to look for?

ISP Black/white Lists? (0)

Anonymous Coward | about a year and a half ago | (#43435975)

If I'm an internet service provider and I have a client who is sending request after request, at an inhumane rate, do I then have the right to put their service on hold for the sake of the guy at the other end of the line?

I'm looking for where the ISPs stand in these situations.

Re:ISP Black/white Lists? (1)

Krojack (575051) | about a year and a half ago | (#43436067)

Why would an ISP such as Comcrap want to block the account of a paying client? Most don't care about massive HTTP request.

Re:ISP Black/white Lists? (0)

Anonymous Coward | about a year and a half ago | (#43438759)

> If I'm an internet service provider and I have a client who is sending request after request, at an inhumane rate,

HI! WELCOME TO THE INTERNET!
Everyone is sending request after request at inhuman rates. That's kinda how this thing works. Thanks for suggesting we kill the internet for doing what it does.

Admin wasn't just the default password (2)

quixote9 (999874) | about a year and a half ago | (#43436271)

I've used Wordpress since forever (2006?), and I seem to remember that at least back in the bad old days the admin username had to be "admin." Nothing else. There are probably millions of people who set their blogs up back then and haven't looked at that setting since.

I wonder what they're doing this for? What does blowing up a planet's worth of little blogs get anyone? Does anyone know what this thing actually does?

Re:Admin wasn't just the default username (1)

quixote9 (999874) | about a year and a half ago | (#43436313)

Gaaa. That subject line should read "username," not password.

Re:Admin wasn't just the default password (2)

jakimfett (2629943) | about a year and a half ago | (#43436431)

I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs. The attacks have to be a smoke screen for *something else*, whatever that something else is. Maybe this is yet another Chinese attack. Maybe it's anonymous (I'll wait while you finish laughing...and yeah, it's not anonymous, they couldn't pull off anything close to this order of magnitude and coordination level), or maybe it's th3j35t3r's evil twin. But it'll be something nasty if/when it ever comes to light.

Who benefits the most (0)

Anonymous Coward | about a year and a half ago | (#43437019)

If I wanted to be a leet haxor...
If I was in it for the lulz...
If I had a grudge...
If I owned a major news portal...
If I had facebook stock...

Hard to say. This seems high on the bumble-o-meter, like someone didn't care or didn't think it would get noticed.

Re:Admin wasn't just the default password (0)

Anonymous Coward | about a year and a half ago | (#43436579)

It's Kim's little joke on all the bloggers making fun of him. :)

Re:Admin wasn't just the default password (1)

thegarbz (1787294) | about a year and a half ago | (#43436801)

A cleaner internet?

Re:Admin wasn't just the default password (0)

Anonymous Coward | about a year and a half ago | (#43436807)

They do it for great justice! :D

A bit more seriously:
1. Create data-mining caching anti-DDOS company.
2. DDOS away!
3. Provide temporary free services publicly
4. End attacks.
5. End temporary free service.
6. Gain new customers
7. Profit!

Re:Admin wasn't just the default password (1)

Josh Hackney (2895507) | about a year and a half ago | (#43437187)

They're doing it because webservers come with a 15K SAS drive and a 10Gbit ethernet port to send spam out of and launch more attacks. Would you rather have some dude's home computer or a web server in a state of the art datacenter? Point being, setting your logins to common settings has always been a horrible idea, just the same way you wouldn't want the lock to your house to open with a key you can buy from Home Depot (read: admin//password as your login).

Re:Admin wasn't just the default password (2)

Call A Developer (2895483) | about a year and a half ago | (#43437237)

They are building a botnet of powerful webservers. We are already seeing them move on from Wordpress blogs, the attacks are not over. The current payloads are primarily spam and attacking other sites (using PHP and Perl scripts injected or uploaded to Wordpress sites), but the main point is to infect as many computers and servers as possible to gain more computing power. Now is a good time to secure your Joomla, Drupal, ZenCart, X-Cart, and even HTML (!) sites. It appears the attackers are now experimenting with various SSL attacks, pulling various configuration files, and trying to get into databases, primarily on shopping carts. This may just be another distraction though, which is a common tactic in the world of hackers. If the distraction is big enough it will always draw attention away from what you are really doing...

Tarpit (0)

Anonymous Coward | about a year and a half ago | (#43436347)

There's a plugin I use on my sites that utilizes the tarpit concept. The more attempts that are made to brute force an ID from a given IP, the slower the response time becomes. It's called Login Security Solution.

How to Respond to the Global Wordpress Attacks (3, Interesting)

Call A Developer (2895483) | about a year and a half ago | (#43436363)

I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html [blogspot.com] This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.

Re:How to Respond to the Global Wordpress Attacks (2, Informative)

rduke15 (721841) | about a year and a half ago | (#43436867)

The useful part of that blog post seems to be:

RewriteEngine on
# Only form submissions (POST); plain GETs of the login page stay open
RewriteCond %{REQUEST_METHOD} =POST
# ...whose Referer is not a page on this site. Dots are escaped so "." does
# not match any character, and https is allowed as well as http
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
# ...aimed at wp-login.php or anything under wp-admin
# (a bare ^/wp-admin$ would match only the directory name itself)
RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
# Refuse with 403; [F] is mod_rewrite's native way to send Forbidden
RewriteRule ^ - [F]

(The logic makes sense. I haven't tested the syntax yet)

It also suggests an insane 30-character password abomination:

for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e=3, and o->0 (zero)

I prefer "wrong chicken battery staple [xkcd.com]", which is probably not in the attacker's dictionary.

Re:How to Respond to the Global Wordpress Attacks (1, Interesting)

Call A Developer (2895483) | about a year and a half ago | (#43437107)

You mean "correct horse battery staple" and unfortunately that is terrible advice - any password under 50 characters made of only lowercase letters will be broken by the most basic brute force. And their dictionary is impressive, we've been pulling the POSTDATA and checking what they are doing. The rotation of usernames in itself is scary - even non "admin" users are not protected. This is why I suggest a 30 character password and in fact you should be using a similar method to generate your admin username. Even that can be cracked with a botnet of sufficient size, which is exactly what they are trying to build. They have a LOT of CPU power at their disposal between the infected PCs and the infected servers (which often have 32+ cores and 100GB+ of memory to play with).

Re:How to Respond to the Global Wordpress Attacks (0)

Anonymous Coward | about a year and a half ago | (#43437731)

26^50 / 2 = 2.8e+70. At 1000 attempts per second, it would take an average of 9x10^59 YEARS to brute force a 50 character string of lowercase letters. Something's off in your alarmist argument, and it's possibly your definition of either "most basic", "brute force", or "50". You do know this is web-based, right?

Re:How to Respond to the Global Wordpress Attacks (1)

Algae_94 (2017070) | about a year and a half ago | (#43437817)

any password under 50 characters made of only lowercase letters will be broken by the most basic brute force.

The fact that the password is only lowercase letters is immaterial for a brute force attack. Unless the attacker already knows that the password is only lowercase letters, they will try guesses with numerals and symbols. It is very hard to imagine a brute force attack that would try every combination of lowercase letters up to 50 characters without trying anything with uppercase, numerals, or symbols, but even if they do it isn't a reason to worry.

If they did try to brute force just lowercase, there are 5.6e70 combinations of EXACTLY 50 lowercase letters (this is not counting shorter passwords, which adds to the total). Even if the botnet could send a trillion guesses per second, it would take over 1.7e51 years to exhaustively search the space of 50 character lowercase passwords. If they can send a trillion trillion guesses per second, it would still take 1.7e40 YEARS to exhaustively search. This is all assuming they are trying only lowercase letters to start.

I find it hard to believe they have a botnet capable of a trillion trillion guesses per second, and even harder to believe that the average WordPress site could handle that many requests without cratering or causing the hosting company to shut it down.

They may get some sites with very weak admin passwords (think 'password' and '123456'), but you are spreading FUD about how vulnerable long passwords are.

Re:How to Respond to the Global Wordpress Attacks (1)

jkflying (2190798) | about a year and a half ago | (#43439163)

The thing is, they won't be using a pure brute force but rather a 'directed' brute force through some sort of markov-chain implementation. So if you use standard English words and grammar the number of bits of random data in your password is dramatically reduced.

Re:How to Respond to the Global Wordpress Attacks (1)

rduke15 (721841) | about a year and a half ago | (#43443027)

You mean "correct horse battery staple"

No, I meant another animal, just in case the person who did the dictionary is an xkcd fan, and put that in for fun.

But for the number of characters, I think you may have to revisit your math, as others have already pointed out. And this is an online attack, which severely limits the speed anyway (not the speed of trying, but the speed of getting a reply from the server).
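To put numbers on the argument in this subthread, here is an added example that is not part of any of the comments above. It computes the search space and exhaustion time for the password shapes being argued about (50 lowercase letters, a 30-character mixed password, and "N random words" passphrases). The 10 guesses/s online rate, meant as what a single WordPress install will actually answer, and the 1e12/s offline hash-cracking rate are my own assumptions, as are the word-list sizes.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length, include_shorter=False):
    """Candidate strings of exactly `length` symbols from an alphabet of
    `alphabet_size`, or of every length 1..length when include_shorter is set."""
    if include_shorter:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def entropy_bits(candidates):
    return math.log2(candidates)


def years_to_exhaust(candidates, guesses_per_second):
    """Wall-clock years to try every candidate at a fixed guess rate
    (the average hit comes at half this)."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def passphrase_keyspace(words_in_list, word_count):
    """What an attacker who knows the word list and the 'N random words'
    pattern has to search: list size to the power of the word count.
    Knowing the pattern costs the user nothing as long as the words are
    chosen at random rather than being an English sentence."""
    return words_in_list ** word_count


def compare(online_rate=10.0, offline_rate=1e12):
    """Rows of (label, bits, years online, years offline) for the shapes
    discussed above. Rates are assumptions: ~10 POSTs/s that one site will
    answer, and a fast offline cracker if the hash leaks."""
    shapes = {
        "50 lowercase letters": keyspace(26, 50),
        "30 chars, 95-symbol alphabet": keyspace(95, 30),
        "4 random words, 2048-word list": passphrase_keyspace(2048, 4),
        "5 random words, 7776-word list": passphrase_keyspace(7776, 5),
        "8 lowercase letters": keyspace(26, 8),
    }
    return [(label, round(entropy_bits(n), 1),
             years_to_exhaust(n, online_rate), years_to_exhaust(n, offline_rate))
            for label, n in shapes.items()]


if __name__ == "__main__":
    for label, bits, online, offline in compare():
        print(f"{label:32s} {bits:6.1f} bits  online {online:.3g} y  offline {offline:.3g} y")
```

The point the table makes: four random words from a 2048-word list is 44 bits, which an online attacker at 10 guesses/s needs on the order of fifty thousand years to exhaust, while eight lowercase letters fall in centuries online and in a fraction of a second offline. Whether "correct horse battery staple" survives depends on the words being random, not on the character count; a sentence with l33t substitutions is closer to the latter case than to the 95^30 figure.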

Re:How to Respond to the Global Wordpress Attacks (0)

Anonymous Coward | about a year and a half ago | (#43440567)

Telling people to use their own domain to restrict access seems like bad advice. How many Wordpress users have their own domain attached to their home?

Same with the advice to use a single IP address. Wordpress users will find themselves locked out when their ISP rotates their address.

A space in the username (1)

uberbrainchild (2860711) | about a year and a half ago | (#43436423)

Wordpress allows for a space in the username, which is nice and seems more unlikely to be guessed :)

Themes, plugins and .htacess... (1)

t4ng* (1092951) | about a year and a half ago | (#43436433)

I've found the "Better WP Security" plugin to be pretty good at stopping all of this. You can set login limits, 404 limits, etc., and have it automatically deny offenders IP addresses from accessing your site by modifying the site's root .htaccess file.  But even it doesn't cover everything.

Many WP attackers probe for themes and plugins with known weaknesses, or exploit the upload system to upload executables.  But what most people don't know (including most WP developers I've worked with) is that there is no reason for PHP files to be directly accessible anywhere in the /wp-content/ directory (which includes uploads, themes, and plugins).  Simply adding a .htaccess file to the /wp-content directory with something like the following in it will protect against poorly written themes, plug-ins, and most not-yet-known exploits of WordPress.

# Add allowable extensions as needed. These are Apache 2.2 directives; on 2.4
# without mod_access_compat use "Require all denied" / "Require all granted".
# (?i) keeps uploads with uppercase extensions such as IMG_001.JPG servable.
Order Deny,Allow
Deny from all
<FilesMatch "(?i)\.(jpe?g|gif|png|mp3|mpe?g|flv|swf|js|css|pdf|xml|html?|gz)$">
    Allow from all
</FilesMatch>

If that breaks a plugin or theme you use, then it's not written very well and you shouldn't risk using it.  Contact the developer and tell them they should not need direct access to executables in /wp-content

Lack of security in Wordpress (1)

edxwelch (600979) | about a year and a half ago | (#43436537)

The root cause of this attack is that Wordpress allows unlimited login attempts for the admin account. I know there is some plugin that can fix it, but it should be built into the core.

Re:Lack of security in Wordpress (1)

jest3r (458429) | about a year and a half ago | (#43436661)

Agreed!
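As an added example (not from the thread, and not WordPress code), here is what a core login limiter could look like, and why a per-IP rule alone is not enough against the campaign in the story. It keeps a sliding window of failed attempts keyed both per source IP and per target account, and a small simulation sends a few guesses from each of many bot addresses. The window, the thresholds and the 10.0.0.0/8 bot addresses are all assumed values.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window counter of failed logins, keyed per source IP and per
    target account. Window and thresholds are assumed values."""

    def __init__(self, window_seconds=900, max_per_ip=5, max_per_account=20):
        self.window = window_seconds
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self._by_ip = defaultdict(deque)        # ip -> failure timestamps
        self._by_account = defaultdict(deque)   # username -> failure timestamps

    def _prune(self, queue, now):
        # Drop failures that have aged out of the window.
        while queue and queue[0] <= now - self.window:
            queue.popleft()

    def blocked(self, username, ip, now):
        """None if the attempt may reach the password check, otherwise which
        counter tripped ('ip' or 'account') so the caller can choose a response."""
        self._prune(self._by_ip[ip], now)
        self._prune(self._by_account[username], now)
        if len(self._by_ip[ip]) >= self.max_per_ip:
            return "ip"
        if len(self._by_account[username]) >= self.max_per_account:
            return "account"
        return None

    def record_failure(self, username, ip, now):
        self._by_ip[ip].append(now)
        self._by_account[username].append(now)


def simulate(limiter, username, n_ips, guesses_per_ip, interval=0.01):
    """Each bot IP sends guesses_per_ip wrong passwords for one account, the
    way a distributed campaign spreads its load. Returns how many guesses
    actually reached the password check. Bot addresses are made up (10/8)."""
    reached, now = 0, 0.0
    for i in range(n_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for _ in range(guesses_per_ip):
            now += interval
            if limiter.blocked(username, ip, now) is None:
                reached += 1
                limiter.record_failure(username, ip, now)
    return reached


def per_ip_only(max_per_ip=5):
    # A limiter that only looks at the source address, like a per-IP firewall rule.
    return LoginLimiter(max_per_ip=max_per_ip, max_per_account=10 ** 9)


if __name__ == "__main__":
    print("single IP, 50 guesses, per-IP cap 5:",
          simulate(per_ip_only(), "admin", 1, 50))
    print("1000 IPs x 3 guesses, per-IP cap only:",
          simulate(per_ip_only(), "admin", 1000, 3))
    print("1000 IPs x 3 guesses, per-IP + per-account caps:",
          simulate(LoginLimiter(), "admin", 1000, 3))
```

With only the per-IP counter, a thousand bots sending three guesses each get all three thousand guesses checked; the per-account counter stops that at twenty. The catch is that a hard per-account lockout lets the same botnet lock the real administrator out, which is why blocked() reports the reason instead of deciding: the "account" signal is better escalated to a CAPTCHA, a second factor or a growing delay than to a flat refusal.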

MY ISP got hacked... (2)

PoconoPCDoctor (912001) | about a year and a half ago | (#43436601)

And the blog I run is for my church. He said he did not know how this happened. Someone hacked a blog running an unpatched Drupal blog. This is what he said, anyway. Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog (user accounts were created that I did not create!), I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway.... B-) I support your right to be a godless nerd.

Off topic (1)

Gazzonyx (982402) | about a year and a half ago | (#43440611)

Your user name... you don't happen to live in the Mount Pocono area, do you?

Re: Off topic (1)

PoconoPCDoctor (912001) | about a year and a half ago | (#43443759)

Nope. East Stroudsburg. Used to fix PC's on the side a while back. Hence the name.

Re: Off topic (1)

Gazzonyx (982402) | about a year and a half ago | (#43444019)

Huh, small world. I grew up on the Stroudsburg/Bartonsville line and went to Pocono Mountain. But I left there in 2004. There used to be a couple of computer shops in the area, but I think they're mostly gone now.

Disable the usual admin interface (1)

trawg (308495) | about a year and a half ago | (#43437333)

I ended up making some tiny changes to my WP install that basically causes requests to /wp-admin to die immediately, unless you're accessing it via a specific HTTP port that I've opened in Apache specifically for this purpose.

I've got disk permissions set up so that the regular Apache user cannot write at all to the disk - a common source of WP problems seems to be exploits writing new files to disk, so stopping that seemed like a good idea. Unfortunately it also bones a lot of WP functionality like being able to automatically install skins/plugins.

Using some Apache module (can't remember which one) I've set it up so that requests made to /wp-admin under the correct Apache port operate under a different user - one that /does/ have write access to the disk. So it means I can do any administrative stuff and take advantage of the full WP functionality without having to leave write access in there for normal use.

Conceptually this seems like a much more default setup for WP - certainly I haven't had any security problems. As a side benefit it means I don't need to worry about random attacks like this.

There are a few minor problems I haven't resolved (most notably when adding new posts, the URL it stores for them includes the administrative port and publicly displays it in things like the RSS feed :) but I'm hoping to find time one day to resolve those.

using the username "admin" (0)

Anonymous Coward | about a year and a half ago | (#43437661)

duh....

NEVER EVER use the default administrator login name for a public-facing site management interface.

and if you can, at least lock down the admin interface login URL with an extra layer, even basic http auth or some htaccess deny/allow rules will help immensely.

Problem solved.... (0)

Anonymous Coward | about a year and a half ago | (#43438263)

I just enabled conn limit on the (CSF) firewall on the web server and limited port 80 to 30 connections per IP. Any more than 30 connections from an IP and it gets a temp ban for an hour. Since they are hitting the server with so many connections it's an instant ban for the abusers. Solved the whole problem for me.

404 errors (1)

tibbar (30026) | about a year and a half ago | (#43439023)

Change the wp-login.php name to wp-ThwartSupidScriptBotts-login.php or whatever variant you like
(and one other place in the code, if I remember correctly).
I'm getting 3000+ 404 errors a month from seemingly random IPs.

Scripts can't deal with various names (though you may want to remember what the login is).

missing info (1)

Zurd3 (574979) | about a year and a half ago | (#43440715)

All the articles either are not saying what the purpose is or are just talking about creating a zombienet for future use, but one Wordpress site I know of got hacked just 2 weeks ago by brute-forcing his way in; then someone was able to install a plugin called "boss", which was the r57shell, and with this script was able to put new files in the blog, which was serving 7727 websites with a virus when someone visited their site and didn't have Flash. The virus in question was the trojan Meredrop, so the Wordpress got hacked and was already being used for spreading a trojan. It's high time that WordPress installs by default Login Lockdown or Limit Login or some plugin like that; can't believe they don't put it in by default.

Re:missing info (0)

Anonymous Coward | about a year and a half ago | (#43443009)

No plugin will help, I'm sorry. It's just too large of an attack - one IP, one login attempt.

Follow this guide:

http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

It's not just trojans, a variety of very advanced malware is being distributed, including TDL3 or TDSS. If your blog was infected, you need a security professional to look for rootkits on your computer. Some of the hacked blogs do nothing, some send spam, some attack other sites, and some distribute malware, or any combination of these tasks and several others.

Follow the guide above and get your computers cleaned. Also keep sharing the guide so people know the correct way to respond. There is far too much bad advice being passed around right now about this attack and what people affected should be doing. Educating users should be the first priority if we want to get past this.
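Added example, not from the thread or from the linked guide: a small detector over Apache access-log lines that makes the "one IP, one login attempt" problem visible. It counts POSTs to wp-login.php per source address, reports which addresses a per-IP ban would catch, how much volume comes from addresses that stay under that threshold, and which addresses got a successful login after guessing. The log lines are constructed for the example and the thresholds are assumptions; the one real WordPress behaviour it relies on is that a failed login POST is answered with 200 (the form again) and a successful one with a 302 to wp-admin.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def login_posts(lines):
    """POSTs to wp-login.php. WordPress answers a failed login with 200 (the
    form re-rendered) and a successful one with a 302 to wp-admin."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["method"] == "POST"
            and r["path"].endswith("/wp-login.php")]


def analyse(lines, per_ip_threshold=10, spread_threshold=50):
    """Thresholds are assumed values; tune them to the site's normal traffic."""
    posts = login_posts(lines)
    per_ip = Counter(r["ip"] for r in posts)
    noisy = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    quiet_volume = sum(n for ip, n in per_ip.items() if ip not in noisy)
    succeeded = sorted({r["ip"] for r in posts if r["status"] == 302})
    span = 0.0
    if posts:
        times = [r["ts"] for r in posts]
        span = (max(times) - min(times)).total_seconds()
    return {
        "total": len(posts),
        "distinct_ips": len(per_ip),
        "span_seconds": span,
        "noisy_ips": noisy,                              # what a per-IP ban catches
        "distributed": quiet_volume >= spread_threshold,  # what it misses
        "logged_in_from": succeeded,                     # 302 after guessing: check the site
    }


def build_sample():
    """Constructed log lines: 60 bot IPs with one failed POST each, one noisy
    IP that guesses 12 times and gets in on the last try, and a GET to ignore."""
    t0 = datetime(2013, 4, 12, 14, 2, 0, tzinfo=timezone.utc)

    def entry(offset, ip, status):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return (f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3271 '
                f'"-" "Mozilla/5.0"')

    lines = [entry(i, f"203.0.113.{i + 1}", 200) for i in range(60)]
    lines += [entry(60 + j, "198.51.100.7", 302 if j == 11 else 200) for j in range(12)]
    lines.append('192.0.2.9 - - [12/Apr/2013:14:03:00 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(f"{key}: {value}")
```

On the constructed sample the per-IP rule flags one address, while sixty addresses that each sent a single guess contribute more volume than that address did; a threshold on total login POSTs per site, alongside the per-IP one, is what catches the distributed case. The 302 from the noisy address is the line that matters most: it is the signal that a guess succeeded and the site needs the cleanup the guide above describes.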
