US CERT: WordPress Sites Under Attack

emg Veteran
edited April 2013 in General

Original release date: April 15, 2013

US-CERT is aware of an ongoing campaign targeting the content management
software WordPress, a free and open source blogging tool and web
publishing platform based on PHP and MySQL. All hosting providers
offering WordPress for web content management are potentially targets.
Hackers reportedly are utilizing over 90,000 servers to compromise
websites' administrator panels by exploiting hosts with admin as account
name, and weak passwords which are being resolved through brute force
attack methods.

CloudFlare, a web performance and security startup, has to block 60
million requests against its WordPress customers within one hour elapse
time. The online requests reprise the WordPress scenario targeting
administrative accounts from a botnet supported by more than 90,000
separate IP addresses. A CloudFlare spokesman asserted that if hackers
successfully control WordPress servers, potential damage and service
disruption could exceed common distributed denial of service (DDoS)
attack defenses. As a mitigating strategy, HostGator, a web hosting
company used for WordPress, has recommended users log into their
WordPress accounts and change them to more secure passwords.

US-CERT encourages users and administrators to ensure their installation
includes the latest software versions available. More information to
assist administrators in maintaining a secure content management system
includes:

  • Review the June 21, 2012, vulnerability described in CVE-2012-3791,
    and follow best practices to determine if their organization is affected
    and the appropriate response.

  • Refer to the Technical Alert on Content Management Systems Security
    and Associated Risks for more information on securing a web content
    management system

  • Refer to Security Tip Understanding Hidden Threats: Rootkits and
    Botnets for more information on protecting a system against botnet
    attacks

  • Additional security practices and guidance are available in US-CERT's
    Technical Information Paper TIP-12-298-01 on Website Security

Relevant URL(s):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3791

http://www.us-cert.gov/ncas/tips/ST06-001

http://www.us-cert.gov/sites/default/files/publications/TIP-12-298-01-Website-Security.pdf

http://www.us-cert.gov/ncas/alerts/TA13-024A

Comments

  • Tim Member

    Thanks for posting this, I'm glad the US-CERT has taken notice and posted a bulletin about it. I blogged about it a couple of days ago--make sure to use a secure password, change the admin username to make it harder on the automated attacks, and limit the number of allowed log-in attempts. If your site is still getting slammed with traffic/log in page requests by these bots, you should also contact your host to see if they can block at least some of the bots before the traffic hits your VPS/etc.

    In short, do everything you can to make yourself an undesirable target to these guys. Also, if you know any other WordPress users, let them know about this security bulletin and offer to help to secure their sites :) Right now, it seems the bots are going after the low-hanging fruit, by using "admin" for the username and trying many-thousands of commonly used passwords. Take a few basic steps to protect your site, and you can at least mitigate the risk and sleep better at night knowing your blog is not being compromised :).

    http://verrytechnical.com/wordpress-sites-are-being-targeted-by-a-large-botnet-here-are-some-basic-steps-you-should-take-to-protect-yourself/

  • superpilesos Member
    edited April 2013

    I'm getting hit too. After they break into a site they start spamming to Russian email lists after waiting 2-4 days
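
A defensive log check for the pattern discussed in this thread, added here as an example and not part of any post above: it counts POSTs to WordPress's default `/wp-login.php` per client and per minute, so that a botnet sending only a few guesses per address still shows up in the aggregate. It assumes Apache/nginx "combined" access logs; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_attempts(lines):
    """Yield (ip, minute) for every POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            # ts looks like 15/Apr/2013:10:01:07 +0000; keep it up to the minute
            yield m["ip"], m["ts"][:17]

def detect(lines, per_ip_limit=5, per_minute_limit=20, min_sources=10):
    """Return (noisy_ips, distributed_minutes); thresholds are assumptions."""
    per_ip, per_minute, sources = Counter(), Counter(), defaultdict(set)
    for ip, minute in login_attempts(lines):
        per_ip[ip] += 1
        per_minute[minute] += 1
        sources[minute].add(ip)
    # One address guessing repeatedly: a per-IP attempt limit catches this.
    noisy = {ip for ip, n in per_ip.items() if n > per_ip_limit}
    # Many addresses, few guesses each: only the aggregate rate reveals it.
    distributed = {
        minute for minute, n in per_minute.items()
        if n > per_minute_limit and len(sources[minute]) >= min_sources
    }
    return noisy, distributed

def sample_log():
    """Constructed sample: 30 bots with one attempt each, plus one loud client."""
    fmt = '{ip} - - [15/Apr/2013:{t} +0000] "{req} HTTP/1.1" {st} 1234 "-" "-"'
    rows = [fmt.format(ip=f"192.0.2.{i}", t=f"10:01:{i:02d}",
                       req="POST /wp-login.php", st=200) for i in range(1, 31)]
    rows += [fmt.format(ip="198.51.100.7", t=f"10:{m:02d}:00",
                        req="POST /wp-login.php", st=200) for m in range(10, 18)]
    rows.append(fmt.format(ip="203.0.113.9", t="10:01:30",
                           req="GET /wp-login.php", st=200))
    return rows

if __name__ == "__main__":
    print(detect(sample_log()))
```

In the sample, none of the 30 bot addresses exceeds the per-IP limit, yet the minute they share is flagged.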
