April 12, 2013

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.

Source: Cloudflare.com

Source: Cloudflare.com

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.

Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms.

“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant.  “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”

That assessment was echoed in a blog post Thursday by CloudFlare, content delivery network based in San Francisco. Cloudflare CEO Matthew Prince said the tactics employed in this attack are similar to those used by criminals to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was responsible for a series of rather large cyber attacks against the largest US financial institutions.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince wrote. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website.  These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses.

Also, WordPress users can take advantage of a third-party plugin from Duo Security, which enables secure logins using one-time codes pushed via text message or an associated mobile app.

Matthew Mullenweg, the founding developer of WordPress, suggests site administrators chose a username that is something other than “admin”. In addition, he urged WordPress.com-hosted blogs to turn on two-factor authentication, and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote.

Daniel Cid, chief technology officer of Sucuri Security, a company that helps site owners prevent and recover from security breaches, said his team isn’t seeing infected sites being used to attack others; according to Cid, most of the password brute-forcing is being conducted by desktop systems under the attackers’ control.

“We saw a big increase in the number of brute force attacks (almost tripled) since previous month’s average,” Cid wrote in an instant message interview. “However, at least from our data, they are not re-using the compromised sites to build a botnet to scan others. I assume that is speculation. On the sites we looked [at] that were hacked, the attackers injected backdoors and malware on them,” including the Blackhole Exploit Kit. Cid also shared a copy of the username/password list that the attackers have been using for the brute-forcing.

“The brute force attacks do not seem to be coming from servers, but from desktops,” Cid said. “However, this is still very early, since they are injecting backdoors (a variation of the Filesman backdoor) they can later use the sites to inject malware or even create a botnet and brute force other sites.”

According to Sucuri, WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections:

– Log in to the administrative panel and remove any unfamiliar admin users.

– Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time).

Update the secret keys inside WordPress (otherwise any rogue admin user can remain logged in).

– Reinstall WordPress from scratch or revert to a known, safe backup.

Update, 3:05 p.m. ET: Corrected Gaffan’s title.

Update, 6:29 p.m. ET: Added quotes and tips from Sucuri Security.

Update, Apr. 13, 2013, 12:14 p.m. ET: Added comments from Mullenweg.


68 thoughts on “Brute Force Attacks Build WordPress Botnet

  1. n0x00

    I have seen alot of this in my logs too on my own wordpress site, quite annoying, it’s always nice to password protect the ‘wp-admin’ folder and additionally I stick my google analytics code into all my error pages. I sometimes recon the origin addresses to see that they are usually compromised boxes .. I have seen this from well known companies such as a CISCO IP trying to log into my wordpress by brute force attemps – it’s a real annoying issue.

  2. andy1

    So what can be done to remove this backdoor from the wordpress install once it’s infected. How do you find out if you’ve got a problem in the first place? For me, I use passwordsafe to generate my passwords, so I don’t expect to see any brute force attacks on my interests, but I’m curious how this can be resolved for those who do fall prey.

    1. death

      http://wordpress.org/extend/plugins/better-wp-security/

      There is a nice plugin that already takes advantage of some good techniques in securing your wordpress installation. One good practice is to randomize your database prefix, move the panel area, rename your admin user and remove the ID 1 for that associated account. A few steps will prevent a lot of this automated bs and in result, lock em out as well.

      You can also easily add your own htaccess block access entries which will stop them, unless they begin to build a proxy chain linked to the software/application they’ve built.

    2. Peter Stolmar

      Here is the guide on cleaning up the hacks:

      http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

      It’s much easier to re-install clean WordPress files, but if you are interested in the technical details of cleaning these hacks feel free to contact me. I have a script that will check for common hack signatures that I run server-side. If you only have FTP or File Manager access (not SSH), it’s easier to use the above method to “reset” the whole WordPress installation.

  3. Ben

    Maybe it’s time WordPress started using more than one type of authentication?

    1. death

      WordPress by default, handles a lot on its own. A lot of the issue is a result of bad administration, lack of know-how and laziness in applying patches.

      You also have those that see the need to install multiple plugins. Plugins for the most part, or well maintained but a large part of the community abandons projects and leaves them to be out-dated and sit. The more plugins you have present, the more door ways an intruder has to gain entry. Not patching things appropriately is also going to leave intruders a way to gain entry.

      People also use quite a bit of the “nulled” versions of software that has built-in backdoors as well. I’ve seen so-called “developers” take these, use them in production and sell them to clients.

      You really just need to be more aware about your investments and the sites you have online.

  4. Rick Chisholm

    Nice to see you do a piece on this, I blogged about my experience with this phenomena back in January http://parasec.parallel42.ca/?p=232.

    I continue to see these attacks almost daily hitting every WordPress instance I manage. Unfortunately the attackers’ persistence often pays off in the end.

    1. death

      Why have you not null routed the address and blocked the known attack points? You’re only allowing their attempts to eventually, pay off.

      Unless you’re the type to wait until it happens and begin to try and bill the client, letting them know whats going on and of course knowing that they’re going to want it fixed.

      1. voksalna

        I believe because this is distributed and dominoed — he’d be constantly updating a constantly-shifting list that would just wind up shifting to another IP later, if this article is accurate — which is to say that each hacked box scans for other hacked boxes in turn. It’s not a worm but it does, in ways, act like one, from what I can make out.

  5. Lotta

    Ooooh, so that’s what’s been going on! Explains a lot, thanks.

    [Over the past week, my security plugin (Wordfence) has locked out out hundreds of IP addresses because they attempted to sign in using an invalid username (“admin”). One blog had more than 250 attempts in less than a day, with about 150/day on another.]

  6. death

    I can confirm that clients I have, are being sent emails from there hosting providers explaining why there was a recent slowdown in the datacenters, specifically naming an increase in massive amounts of bruteforce attempts.

  7. Mark

    Thanks, This is the issue my webhost had. They actually took down all the wordpress sites for a while on the host. We were down for 7 hours on 1&1 hosting. Totally unacceptable. I’m glad we were up and running soon. Very smart to have unique usernames and passwords.

    If anyone needs help creating or maintaining a wordpress site. That is what I do. I also generate content if needed.

    Thanks for explaining to us what happened a couple days ago.

    -Mark

    1. death

      I have a 1and1 server and I’ve experience no outages at all, they’re also good at what they do and respond a lot quicker than any other host I’ve been with. I’ve seen people give them a bad name but there isn’t an issue at all with them from what I can see.

      I’ve been with them for 3 years now and I also do design and dev work but I’d rather not advertise my services from someone elses blog.

  8. Peter Stolmar

    Yes this one is very bad – they have a very high success rate of compromising accounts also.

    If you were attacked (most sites were), please follow this guide to clean up and respond to the incident.

    http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

    Specifically it includes how to use .htaccess to block automated attempts to log in by checking the HTTP_REFERER (it should be from your site for legitimate users, but will be nothing or garbage for automated attempts).

    1. voksalna

      I’m not sure how that would really help in any long-term sense. It’s very easy to add a list of custom referrers to a brute-forcing script.

    2. pat

      HTTP_REFERER can be spoofed. That method is not really good.

    1. Peter Stolmar

      I wish people would stop recommending these plugins that will only make things worse.

      These attacks are severe – not hundreds per day, hundreds of thousands per day (on a single account).

      Handling this scale of attack by launching a PHP process for each login attempt (as ALL WordPress security plugins do) is the worst thing you could do and may very well crash your server (seeing this a lot with Wordfence today).

      Secure using .htaccess and if you MUST use a security plugin turn off any self-scan / auto-scan features or live firewalls.

      The only security plugin I ever recommend is WordPress File Monitor Plus – light, fast, does its job well.

      The “all in one” security plugins are just too heavy unless you are on a high end VPS or better, where you can use a non-PHP solution like CSF or OSSEC anyway.

      1. death

        My client has a high-traffic yield and it does perfectly fine. Loadtimes are under 3s. You’re sadly mistaken.

    2. BrianKrebs Post author

      Pretty simple really: Because I have experience with the plugin I mentioned, and none with yours. But glad to hear it works for you. Thanks for the recommendation.

      1. death

        How will Better WordPress Security make things worse? You obviously are not keen to know what you’re talking about at all.

        1. Peter Stolmar

          No, you’re right. I don’t deal with hundreds or WordPress installations every day. Your one client is a much better example.

          If you trust the plugin so much, try this:

          Turn off mod_security for the domain to allow the attack to resume.

          Let me know what your CPU usage is, and check your database queries.

          On a hacked site it will be 10 times worse.

          Let’s say you get 100,000 login attempts in 1 hour (it has happened a lot during the peak of this attack).

          That means not only 100,000 PHP process executions causing CPU usage, but also 100,000 database queries, and 100,000 INSERTS to log those attempts.

          Even Apache has trouble handling this volume of attacks.

          Your client is likely on a Dedicated Server, where they can only affect their own account and if it’s powerful enough (disk bandwidth-wise) it can handle the extra overhead.

          In addition, most of these plugins are always scanning all files on your site. Again, may be fine if you are all configured correctly, but install it on a hacked site with a symlink to / in public_html or a plugins directory and get ready to watch the disks burn if you do not use a throttling scheme.

          This one is not relevant yet but the fact that it is forcing SSL is going to be detrimental to those that have already been hacked who have it installed or install it after the fact (yes, believe it or not, people who have Better WP Security, Wordfence, Bulletproof, etc get hacked every day).

          I recommend using the WordPress hardening guide, htaccess, and WordPress File Monitor Plus to provide security and file monitoring because this is the optimized, speedy, light way of doing things. It’s just my preference, I can’t help it – I’m an optimization specialist and always will be. I pride myself on running a Linux kernel with all necessary services (SSH and web server included) on <20MB of RAM.

          Anyway, it's up to you whether you want to take my advice or not, I'm just trying to educate the average WordPress user using shared hosting about the proper way to deal with this attack.

          1. death

            Not allowing the plugin write access and manually using some of the features, if not all – works very well. For those who are not familiar with manually created entries, it works wonders.

            I can understand how resources would be used but also understand that if you complete deny access to the host – it would eliminate the overflow quite easily.

  9. Peter Stolmar

    Unfortunately they are not using one single attack vector, once they get in they have a field day.

    0 days, old and new shells, mailers, DDoS scripts, SEO hacks, it’s a wide variety.

    Best way to clean is to “reset” WordPress by quarantining the whole public_html and re-installing core files, your theme, and updated plugins:

    http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    The problem now is that they have moved on to non-Wordpress sites since most hosts have blocked the initial attack with varying degrees of success.

    If anyone with root access to their server (SSH) is interested in attack signatures for common WordPress shells / injections / mailers for the purpose of manually cleaning sites, contact me via email:

    calladeveloper [ at ] gmail.com

    Peter

  10. Beau Roberts

    For another layer of site protection from botnets and other attacks, WordPress site owners should consider the new IPVenger plugin. It blocks malicious traffic as well as providing live security analytics of your site’s traffic. It uses Norse’s live threat intelligence network to assess the risk level of every site vistor based on what that IP address has been doing on the Internet. Norse’s threat intelligence network is massive, global, and processes attack data within 5 seconds, so the data is never really out of date. The technology has been used in the ecommerce fraud prevention market for a while and is now being deployed in security products. There is a free plan for low traffic sites and a free -trial for larger sites. http://wordpress.org/extend/plugins/ipvenger/

    (Full disclosure: I work for Norse, the company that makes IPVenger.)

  11. WPupkeep

    We have seen the handiwork of this BotNet on some of our own servers and other 3rd party servers our clients use. Luckily none of our clients have been affected, since our WordPress Maintenance Service keeps all their sites up to date.
    I think this is a good wake up call to all WordPress website and blog owners.
    If you lack the time or the skill to handle the maintenance, you can signup for one of our WordPress maintenance plans at WPupkeep.com. Our service is specifically designed to keep all your WordPress sites updated and safe. Hacked websites welcome!

  12. Zarkti

    How about take site offline, reinstalling clean WordPress incl. plugins. Take md5 or whatever hash of each file. save that to db. make script in crontab that checks current hash against db and see if there are any changes. If so send alert. Contact me for script.

    1. voksalna

      This. Whenever you do a fresh WP install, you should also save a clean tarball of the directory. You can then just swap out the passwords each time you wipe and reinstall. Though hopefully you will make better passwords. 😉

  13. john senchak

    I see a huge amounts of phishing sites that are from compromised hosting sites that use the WordPress platform . It’s a shame that the people who run these C.M.S. sites don’t utilize better security practices. When their site gets black-listed, shut down or locked then they start changing their habits very quickly.

  14. DigiP

    I’ve been saying this for over a year, worked on two papers with another researcher, and was the reasons why I started Attack-Scanner.com and wrote my WordPress Login Alerts Plug-in. Why now, is it that people are taking notice, when its been going on WAY longer than any of these people coming forward are saying? And WordPress is NOT the only CMS being attacking, nor half the problem. Its the host companies, with faulty, outdated cPanel installs, poor base server security and path disclosure, default installations pre-packaged with outdated plug-ins and they all blame the end users for poor passwords or setups.

    Its a combination of poor user education on 1, how to setup wordpress(or any CMS) and 2, using admin as a default username on all of these systems since its the first account they look for and brute on all of them, not just WordPress. 1 click installer sites commonly setup the install for the users and email them plain text usernames and passwords, with admin as the main user as well. This has to stop…

    I’m just wondering why now, people are taking notice, when for the past year (and longer) I’ve been screaming about this to anyone who’d listen. Its gotten to the point that the hosts don’t even reply to my emails when I report sites that have been compromised or hosting bots.

    http://www.ticktockcomputers.com/brutes/brutes.log
    http://www.attack-scanner.com/brutes/brutes.log

    If you get some time, please check out attack-scanner.com and what we’ve been trying to do to help educate the community and we’d be more than happy to share our findings. We post bi-monthly reports on trends we see. We usually don’t post anything about the login attacks since thats part of a stand alone plug-in I wrote, but the above logs are a result of a combination of that plug-in modified as a honeypot for collecting attacks as well. Maybe we should start monitoring and collecting global stats on login attacks as well since people are just now waking up to this. There has been a tool on Packet Storm for a long time now to automate the brute forcing of WordPress sites which bot net owners have taken and modded to their needs. No longer do they need to use hydra or a live system, they just use compromised hosts to rummage other hosts for them over their bot nets and I see no end in sight..

  15. Uzzi

    .oO( Jerks using ‘admin’ as their login for a connected host should doulbe-opt-in #DeadLoss@AssistedLiving… ;-))

  16. Rick

    Read the brute force password list, who is Jessica and why do they hate her so much?

    1. voksalna

      Maybe it only seems random — and the spreading is to hide the actual target.

  17. Jim Walker

    Truthfully, none of this over hype of the situation is worthy.

    A simple email to clients stating the following would end the issue:
    “We recommend doing the following, due to [insert your take on the matter]. Start by: (1) removing your “admin” username and (2) add either of one of these three plugins)…”

    Book closed. Time to move on…

    Jim Walker
    The Hack Repair Guy

    1. BrianKrebs Post author

      Truthfully, I take exception to any comments that this has been over-hyped. So what if this kind of thing is going on all the time? Clearly, a big contributor to this ongoing problem is that not enough attention is drawn to this problem on a regular basis. It’s also clear that many, many site owners aren’t educated enough about how to securely run their sites. More frequent and detailed attention to this problem seems the appropriate response, not less.

      1. voksalna

        While we have had our differences of opinion, and I do believe this is hyped a lot, I would also agree it is important, since it is activities like this that make for such fertile ground for iframe injection on lower (and some higher) traffic sites.

      2. Uzzi

        IMHO the real problem is a bad sense of responsibility and the greed for easy money of most market participants like always. (And I hope authorities worldwide don’t wait as long as they regulary do with everything regarding consumer protection…)

    2. Maureen

      There’s always one person who feels it’s necessary to demonstrate how much cooler he is than the rest of us and feels driven to end his comments with “move on”. How about the next time you see a conversation that you deem over-hyped – and, oh by the way, it’s not your website, you move on.

  18. AlphaCentauri

    Don’t know much about WP — is it possible to create a user called “admin” with no privileges whatsoever and a god-awful complex password so they keep trying to hack that instead of looking for a different administrator name?

    1. Howard Lee Harkness

      That’s what I do. I have a login limit plugin that reports attacks, and I see that nearly all of the attacks are on “admin.” When I started seeing a lot of these, I changed all of my sites to have a real admin account with a name unrelated to “admin” and created an admin username with no role at all on the site. With a randomly-generated password (I don’t even remember how many characters I told LastPass to use, nor did I record the password anywhere), and two-factor authentication on that account. I set the login limit plugin to block IPs for an hour after the 3rd unsuccessful attempt, and 8000 hours on the 3rd block.

      A brute force attack should take, on the average, more than the current age of the universe.

      So far, that seems to be working, but I wonder how long it’ll be before somebody figures out how to break that.

      It may well be that the brute force attacks are merely a smoke screen to obscure the real threat.

  19. Isaac

    Over the last week my site was a target and I was informed by a company that I signed onto called sitelock when I first started my wp-press site. I’m glad I signed up for that extra security which at the time was not a lot of money. They informed me that there was a lot of sign in attemps to my sight and that they blocked all of them! I’m glad they did! I did sign up for a stronger security measure as what they call a firewall which runs me an extra $49.00 a month. The way I see it, you can’t have enough security in trying to keep your site secured. So I hope you all will invest your time and money into keeping your wp-press site secured.

  20. Marius Lixandru

    Thank you Brain for this article i hate this brute force attack. I also got different problems with latency.
    Why people do this? How hosting providers can help us?

  21. doruman

    ‘A “hacked website” is a nightmare for any webmaster or web site owner. Having your website hacked can be a frustrating experience – it can affect your rankings, cause your readership to be exposed to virus and trojan attacks, make you an unwilling promoter to subject material you may not actually endorse, the hacker may have infected your site with harmful code, which in turn can record keystrokes on visitors’ computers, stealing login credentials for online banking or financial transactions, manipulate search engine results or distribute malicious content and spam, in many cases cause the loss of valuable content…

    Having your website hacked can be a frustrating experience, but the first step to make before you respond to any security incident is to calm yourself down, to make sure you do not commit any other mistakes. If your site has been hacked or infected with malware, then you should act quickly to repair the damage.’

    (Quote from “Website Hack” article, posted: http://www.doruman-business.com/2013/03/18/website-hack/)

    Most times, the last upgrade of the WP blog and plugins, by using one or two plugins of security and scanning, a permanent monitoring by external programs, when your PC is well protected, using encrypted passwords – are usual elements, of common sense, who can keep hackers away from your site…

    Good luck everyone!

  22. Audra

    For those of us who are computer challenged and are lucky we were even able to set up a blog and and it took us forever to figure how to work the basic stuff, how do we do any of the suggested stuff beyond a password change?

    I have no idea how to use plugins (unless they are in the WP add on menu thingy) or how to go in and apply any of the suggestions in the article.

    Is there a Word Press for Dummies site somewhere that will explain all of this in simple, “Go here, click here, do that here” language?

    1. Valentin

      Hey Audra.

      There are tutorials out there for some of the more basic operations. Securing and hardening can be a bit more challenging and requires a certain level of expertise.

      Maybe our maintenance service is a good fit for you. Please visit our website at WPupkeep.com and check out our WordPress Maintenance Plans.

      Thanks,

      Valentin

Comments are closed.