15 Apr 2013
Attackers are targeting blogs running poorly secured WordPress configurations in an attempt to build a powerful botnet that, according to independent security researcher Brian Krebs, already counts some 90,000 IPs.
The attack appears to rely on brute-force password guessing, as separate investigations and incident forensics by security and networking companies have revealed.
The campaign focuses on websites running the popular WordPress content management system. According to website security company Incapsula, the attackers systematically scan the Internet for WordPress installations and try to get into the admin panel through repeated login attempts, working through a custom list of the 1,000 most common username and password combinations.
Every site that falls is planted with a backdoor so the attackers can access it remotely. The compromised sites are then incorporated into the botnet and used to attack other websites running WordPress.
“It’s hurting the service providers the most, not just with incoming traffic,” Marc Gaffan of Incapsula told KrebsOnSecurity. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs may be connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”
“These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” wrote CloudFlare CEO Matthew Prince in a blog post expressing concern about a possible link between this outbreak and the 2012 Brobot botnet attacks against some American banks.
Anyone running a WordPress blog should harden it immediately: keep only the admin users you trust, replace old passwords with strong credentials for every admin account, make sure the WordPress version you run is current and patched, and update the WordPress secret key.
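As an added example that is not from the article, the following Python flags the login-guessing pattern described above from ordinary web-server access logs: it counts POSTs to WordPress's wp-login.php per client IP inside a sliding time window and reports hosts that reach a threshold, so an administrator can spot a hammered login form before checking the mitigations listed above. The log lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"].split("?")[0], int(m["status"]))

def flag_login_guessing(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak POSTs to /wp-login.php within any `window`} for IPs at or above
    `threshold`. A failed WordPress login re-renders the form with HTTP 200; a successful
    one redirects with 302, so 302 responses are not counted as guesses."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == "/wp-login.php" and status != 302:
            attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, not real hosts):
# one host hammering the login form, one legitimate user, and one GET that is ignored.
def _line(ip, sec, method="POST", status=200, path="/wp-login.php"):
    return (f'{ip} - - [15/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s) for s in range(0, 36, 3)]              # 12 guesses in 33 s
    + [_line("198.51.100.4", 5), _line("198.51.100.4", 40, status=302)]
    + [_line("192.0.2.9", 7, method="GET")])
```

Running `flag_login_guessing(SAMPLE_LOG)` on the constructed log returns `{'203.0.113.7': 12}`; tune `threshold` and `window` to the normal login rate of the site being watched.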