Botnet herders attack WordPress sites

Say, do you use WordPress? Button down the hatches and check your patches. A new brute-force attack is underway across the Internet. We know from first-hand experience. BetaNews took some heavy fire earlier today. Hackers use a botnet to hit blogs with fast-fire log-in attempts, seeking to snag passwords. The initial objective is to add more numbers to the botnet.

Brute-force attempts aren't all that uncommon, but this one is generating a fair bit of attention, with some reports that the core botnet is 90,000 computers and growing and an escalating number of attempted logins, too. It's all a guessing game really. Attempt enough logins and some will succeed, revealing passwords.

Daniel Cid, Sucuri CTO, took a look at his company's server logs to assess if reports of increased brute-force attacks might be true. He explains:

We were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days. That means that the number of brute force attempts more than tripled. This sharp increase would lead us to believe that there is some reality to these reports.

Sucuri secures and also cleans up websites, including those running WordPress.

CloudFlare CEO Matthew Price observes: "One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic".

CloudFlare offers services for improving a website's performance, reach and security, and like Sucuri, is in a unique front-line position to observe the brute-force attacks.

Hostgator's Sean Valant says that 90,000 PCs make up the botnet attacking WordPress sites. "Symptoms of this attack are a very slow backend on your WordPress site, or an inability to login. In some instances your site could even intermittently go down for short periods".

Default account "Admin" is the target, and Valant rightly advises to "change the password to something that meets the security requirements specified on the WordPress website".

The Webhost for my personal domains has posted no support docs about the log-in attempts. But we have first-hand experience here at BetaNews.

Eric Steil, BetaNews server administrator, describes what happened today:

Around 5:30 AM (ET) this morning, I got the nagios alert that one of the servers wasn't responding to HTTP.  I logged in to the server and saw that although the load was really high, there wasn't actually much odd about the open connections or database (as usually is the case when something stops responding to HTTP).

I checked out the access logs and saw a large number of POST requests to wp-login.php from numerous IPs, without a corresponding GET requests (you normally GET the form the POST it when it submits).  On a hunch, I blocked access to the file and system load went down and Apache started responding again, so I went back to sleep.

This morning I did some searches and saw it was a widespread problem, not just localized to our servers. We still have it blocked, and the bots still poke it occasionally to see if it's back.

The attempts failed here. You might not be so lucky. At the least, change your passwords.

Now.

Photo Credit: Gunnar Assmy/Shutterstock