Thousands of WordPress and Joomla sites are currently under attack from a massive botnet brute-forcing passwords. Administrators should ensure that they use strong passwords and unique usernames for their WordPress and Joomla installations.
Over the past few days, the perpetrators have significantly stepped up their brute-force, dictionary-based login attempts against WordPress blogs and Joomla sites, according to reports from CloudFlare, HostGator, and a few other companies. The attack looks for common account names such as “admin” on the site and systematically tries common passwords to break into that account.
Administrators would not want anyone tampering with access to their site, since an attacker could deface the site or infect visitors with malware by embedding malicious code. But the orchestrated nature of the attack and its large scale imply an even more sinister goal: it appears the attackers are trying to gain a foothold on the server in order to work out how to take over the entire machine. Web servers are generally more powerful and have larger bandwidth pipes than home computers, making them attractive targets.
CloudFlare CEO Matthew Prince wrote on the company’s blog:
The Brobot botnet, which researchers believe was behind the massive denial-of-service attacks against US financial institutions that began last fall, consists of compromised web servers. “These large machines can do more damage in DDoS attacks because the servers have massive network connections and can generate a lot of traffic,” said Prince.
Brute-forcing accounts
Attackers are using brute-force tactics to compromise user accounts on WordPress and Joomla sites. The top five targeted usernames are ‘admin’, ‘test’, ‘administrator’, ‘Admin’ and ‘root’. In a brute-force attack, the attacker systematically tries possible username and password combinations until one logs into the account. Simple passwords such as sequences of numbers or dictionary words are easier to guess, and botnets automate the entire process. The top five passwords attempted in this attack were ‘admin’, ‘123456’, ‘111111’, ‘666666’, and ‘12345678’.
If you use common usernames or passwords, change them to less predictable ones immediately.
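The two defensive checks the passages above describe, spotting a burst of login attempts from one source and rejecting the exact usernames and passwords the campaign tries, as an added example that is not code from CloudFlare, Sucuri, HostGator or WordPress. It parses Apache combined-format access-log lines (the sample lines are constructed), counts POSTs to the stock WordPress and Joomla login paths per client IP inside a sliding window, and flags sources over a threshold; the threshold, window and 12-character minimum password length are assumed policy values, not figures from the article.

```python
"""Detect login brute-force bursts in web server logs and reject the
credentials this campaign targets. Added example, not vendor code."""
import re
from collections import defaultdict
from datetime import datetime

# Top five usernames and passwords reported for this campaign. Usernames are
# compared case-insensitively, so 'Admin' and 'admin' both match.
TARGETED_USERNAMES = {"admin", "test", "administrator", "root"}
TARGETED_PASSWORDS = {"admin", "123456", "111111", "666666", "12345678"}

# Stock login endpoints for WordPress and Joomla.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
MIN_PASSWORD_LENGTH = 12  # assumed policy value, not from the article

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source hammering wp-login.php, one normal user,
# one source making a few Joomla admin login attempts.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2013:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:14:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:14:03:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Apr/2013:14:05:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Apr/2013:14:05:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Apr/2013:14:05:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def login_attempts_by_ip(lines):
    """Collect timestamps of POSTs to a login endpoint, keyed by client IP."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])
    return attempts


def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: peak attempts} for IPs with >= threshold login POSTs in any window."""
    flagged = {}
    for ip, stamps in login_attempts_by_ip(lines).items():
        stamps.sort()
        peak = 0
        for i, start in enumerate(stamps):
            # Count attempts that fall within window_seconds of this one.
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            peak = max(peak, n)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def check_credentials(username, password):
    """Return a list of reasons the pair is unsafe; empty means it passes."""
    issues = []
    if username.lower() in TARGETED_USERNAMES:
        issues.append("username is one of the top targeted account names")
    if password in TARGETED_PASSWORDS:
        issues.append("password is one of the top passwords tried in this campaign")
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return issues


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG.splitlines()))
    print(check_credentials("Admin", "123456"))
```

Only POST requests count, since a GET to wp-login.php is just someone viewing the form. The detector does not need the attempted username, which an access log does not record; the volume of POSTs from one address is the signal, and the flagged list is what you would feed to a rate limiter or firewall rule.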
“If you do this, you’re better than 99% of the sites out there and you probably won’t have any problems,” Matt Mullenweg, the creator of WordPress, writes on his blog.
Rapid increase in attack volume
Sucuri’s statistics show the increase. The company blocked 678,519 login attempts in December, 1,252,308 in January, 1,034,323 in February and 950,389 in March. But in the first 10 days of April alone, Sucuri has already blocked 774,104 login attempts, Cid said. That is a significant jump, from an average of 30,000 to 40,000 attacks per day to about 77,000 per day, with more than 100,000 on some days this month, Sucuri says.
“In cases like this, just the fact that you’re using a username other than admin/administrator/root automatically excludes you from the running,” Cid said. “This is actually a good thing,” he added.
Hints of a big botnet
Attack volume hints at the size of the botnet. HostGator estimates that at least 90,000 computers were involved in the attack, and CloudFlare believes “over tens of thousands of unique IP addresses” were used.
A botnet consists of compromised computers that receive instructions from one or more centralized command-and-control servers and execute those commands. In most cases these computers are infected with some kind of malware, and their users are not even aware that an attacker controls them.
Strong credentials, updated software
Attacks against popular content management systems are nothing new, but the sheer volume and exponential growth are worrying. At this point there is little an administrator can do other than use strong username and password combinations and keep the CMS and its plugins up to date.
“If your blog still uses ‘admin’ as its username, please change it and use a strong password. If you’re using WP.com, turn on two-factor authentication. Of course, make sure it’s up to date with the latest version of WordPress,” Mullenweg said. WordPress 3.0, released three years ago, lets users create custom usernames, so there is no reason to keep using “admin” or “Administrator” as a username.
Image via CloudFlare