Huge brute force attack targets popular blogging platforms worldwide
Over the past 48 hours or so, a large, highly-distributed attack has been hitting WordPress and Joomla sites worldwide. Hosting providers have noted a significant uptick in the number of login attempts, particularly for WordPress (e.g., wp-login.php). The attacks are reportedly coming from a botnet using more than 90,000 servers. Hosting providers around the world have noted the prevalence of the attacks and detailed some security measures they’re taking, along with measures they encourage customers to take.
This, as many others have observed, is a brute force attack. That means attackers hit login pages with thousands upon thousands of common username and password combinations in quick succession. In this case, the usernames that hosts and security experts are seeing are admin, Admin, administrator, test, and root. They are tried in combination with dictionary words and the common passwords everyone has been warning about for years (e.g., 12345678, password, qwerty, monkey, etc.). Sites that are compromised as a result of the brute force attack are infected with malware, laced with a backdoor that allows attackers to maintain access, and conscripted into the botnet perpetrating the attacks.
Security blogger Brian Krebs has a good summary of the attacks and a sample list of the username-password combinations being used, courtesy of security company (and StopBadware Partner) Sucuri. Sucuri also has an excellent article on the attacks and the data they’ve collected.
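As an added illustration (not part of the original post, and not any hosting provider's tooling): a small Python log checker that counts failed wp-login.php POSTs per source address over constructed combined-format access log lines and distinguishes a single noisy source from the low-and-slow, many-address pattern described above, which per-IP rate limits alone will miss. It assumes WordPress answers a failed login with HTTP 200 (the form re-rendered) and a successful one with a 302 redirect; the addresses and thresholds are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Assumption: a failed WordPress login returns 200 (form re-rendered), a success 302.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:00:04 +0000] "GET /blog/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def login_failures(log_text):
    """Count failed wp-login.php POSTs (status 200) per source address."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].endswith("/wp-login.php")
                and rec["status"] == "200"):
            failures[rec["ip"]] += 1
    return failures


def assess(failures, per_ip_threshold=10, distributed_ips=3, distributed_total=4):
    """Classify the failure pattern.

    'single-source': at least one address alone exceeds per_ip_threshold.
    'distributed':   many addresses each make a few attempts, but the total is high;
                     this is the botnet shape that per-IP limits do not catch.
    """
    noisy = [ip for ip, n in failures.items() if n >= per_ip_threshold]
    if noisy:
        return "single-source", noisy
    total = sum(failures.values())
    if len(failures) >= distributed_ips and total >= distributed_total:
        return "distributed", sorted(failures)
    return "normal", []
```

Feed it a real access log and raise `distributed_total` to match the site's normal failed-login volume; the useful signal is the aggregate across addresses, not any one of them.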
If you’re the owner of a WordPress or Joomla site (or any other site, for that matter):
- Make sure you’re using a strong password. This means long, it means complex, it means avoid those dictionary words.
- Not using a strong password? Log into your site and change it. Right now.
- Get rid of that “admin” or other default username. By keeping it around, you’re making half of your username-password combo easy to guess. Not sure how to delete the admin user? Here’s an easy how-to.
- Use two-factor authentication. You can find directions for doing this on WordPress.com here. If you’re using WordPress.org, there are a number of third-party plugins that allow you to do this.
- If you suspect you’ve been infected, get in touch with your hosting provider. Keep in mind that many hosts are dealing with the fallout from this attack and may be strapped for resources. You may also have trouble logging into your site because of the sheer volume of the attack.
The two hosting providers mentioned in the first paragraph, InMotion and Melbourne Hosting, have good information on the attacks and how to protect yourself. Our partners Sucuri, Sophos, and CloudFlare have also been covering the attacks and publishing useful data for site owners and security companies.
[More information on protecting your website or your WordPress site]
UPDATE (15 April 2013): One of our BadwareBusters.org volunteers contacted us with some useful information:
While many of the suggestions here are good, changing the username isn't slowing down the attacks. On our honeypots we've been seeing this:
http://www.(yourdomain.com)/(
http://www.(yourdomain.com)/(
http://www.(yourdomain.com)/(
This enumerates the user IDs. If you've changed the admin username, the first one will return:
Sorry, but you are looking for something that isn’t here.
However, if you keep incrementing the last number, you'll eventually see this in your browser address bar:
http://www.(yourdomain.com)/(blog)/author/(newadminusername)
Now the hacker knows the userID and username. They find this, add their dictionary of passwords and continue right along. Strong passwords and two-factor authentication seem to be the best. Captcha is an option as well, although we still see hackers trying various schemes to crack Captcha.
(Thanks to Thomas Raef of We Watch Your Website for the info.)