If you read my post yesterday (April 14, 2013), you’ll be aware that there’s been a concerted effort to attack WordPress sites all across the world in the last several days.
So, what’s known so far, based on the data collected and analyzed, is that the large majority of the attacks are coming from ordinary home and office PCs rather than from servers. How did anyone figure that out? Because the source IP addresses and request signatures of the attacking machines show up in the logs of the sites being hit, and those addresses resolve to consumer ISP ranges.
What’s The Purpose of The Attack?
Best guess at the moment is the creation of a large WordPress botnet.
A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia
What kind of tasks? It could be sending out millions of spam emails. But, given how much more bandwidth and uptime a botnet built from hosted WordPress servers would have compared with one built from home PCs, one likely use is Distributed Denial of Service (DDoS) attacks on major websites. Such a tool could be used by hacktivists, groups who are out to push a cause or an agenda of some kind.
On the other hand, a WordPress botnet might be turned to other uses. It’s simply too early to tell what the ultimate agenda is here. But you could think of this attack as a time bomb: you know something’s happening (the bomb has been placed) but you can’t see the timer or exactly where the bomb is. It might detonate at some point in the future rather than right now.
The United States Computer Emergency Readiness Team (US-CERT) had this to say:
US-CERT is aware of an ongoing campaign targeting the content management software WordPress, a free and open source blogging tool and web publishing platform based on PHP and MySQL. All hosting providers offering WordPress for web content management are potentially targets. Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods.
CloudFlare, a web performance and security startup, had to block 60 million requests against its WordPress customers within one hour of elapsed time. The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses. A CloudFlare spokesman asserted that if hackers successfully control WordPress servers, potential damage and service disruption could exceed common distributed denial of service (DDoS) attack defenses. As a mitigating strategy, HostGator, a web hosting company used for WordPress, has recommended users log into their WordPress accounts and change them to more secure passwords.
US-CERT encourages users and administrators to ensure their installation includes the latest software versions available. More information to assist administrators in maintaining a secure content management system includes:
- Review the June 21, 2012, vulnerability described in CVE-2012-3791, and follow best practices to determine if their organization is affected and the appropriate response.
- Refer to the Technical Alert on Content Management Systems Security and Associated Risks for more information on securing a web content management system
- Refer to Security Tip Understanding Hidden Threats: Rootkits and Botnets for more information on protecting a system against botnet attacks
- Additional security practices and guidance are available in US-CERT’s Technical Information Paper TIP-12-298-01 on Website Security
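The US-CERT text above describes the attack in terms of what a hosting provider sees at the edge: tens of millions of POSTs to the WordPress login form spread across more than 90,000 source addresses. That spread is exactly what defeats the usual per-IP lockout, because each bot only needs a handful of guesses before the next one takes over. The script below is an added example written for this post (it is not US-CERT’s, CloudFlare’s or HostGator’s code) showing how to tell the two cases apart from an ordinary Apache access log. It relies on one WordPress behaviour: a POST to `wp-login.php` with a bad password re-renders the form with HTTP 200, while a good password answers with a 302 redirect into `wp-admin`. The log lines are constructed for the example and use documentation IP ranges; the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format, as written by a typical WordPress host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real logs): eleven different bots each try
# the login form once or twice inside two minutes, a reader fetches a post,
# and the real administrator (203.0.113.5) loads the form and logs in (302).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2013:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.55 - - [15/Apr/2013:03:12:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.99 - - [15/Apr/2013:03:12:10 +0000] "GET /2013/04/wordpress-attack/ HTTP/1.1" 200 18420 "-" "Mozilla/5.0"
203.0.113.77 - - [15/Apr/2013:03:12:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Apr/2013:03:12:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.140 - - [15/Apr/2013:03:12:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.190 - - [15/Apr/2013:03:12:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.88 - - [15/Apr/2013:03:12:58 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2013:03:13:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.201 - - [15/Apr/2013:03:13:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2013:03:13:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.33 - - [15/Apr/2013:03:13:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:03:13:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.12 - - [15/Apr/2013:03:13:49 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Yield (ip, timestamp) for each failed login: a POST to wp-login.php answered with 200.
    GETs only load the form, and a 302 on the POST is a successful login, so both are skipped."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php") and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def analyze(lines, per_ip_threshold=5, window=timedelta(minutes=5), aggregate_threshold=10):
    """Apply two detectors to the same failed-login stream.

    per_ip_alert:     the classic lockout rule, one IP making >= per_ip_threshold failures.
    aggregate_alert:  failures across ALL sources inside any sliding window of `window`
                      reach aggregate_threshold. This is the one that sees a distributed
                      brute force, where no single IP is noisy enough to trip the first rule.
    Thresholds are illustrative assumptions, not WordPress or US-CERT defaults."""
    attempts = sorted(failed_logins(lines), key=lambda t: t[1])
    per_ip = Counter(ip for ip, _ in attempts)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)

    # Sliding window over the time-sorted attempts: find the busiest `window`-long span.
    peak, start = 0, 0
    for end in range(len(attempts)):
        while attempts[end][1] - attempts[start][1] > window:
            start += 1
        peak = max(peak, end - start + 1)

    return {
        "failed_attempts": len(attempts),
        "distinct_ips": len(per_ip),
        "per_ip": per_ip,
        "noisy_ips": noisy_ips,
        "per_ip_alert": bool(noisy_ips),
        "peak_in_window": peak,
        "aggregate_alert": peak >= aggregate_threshold,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample, the per-IP rule stays silent (the busiest bot only tried twice) while the aggregate rule fires on twelve failures from eleven addresses inside two minutes, which is the signature the US-CERT and CloudFlare figures describe at scale. Two caveats for real deployment: the access log does not carry the POST body, so you cannot see from it that the username was “admin” (you would need the WordPress authentication hook or a plugin for that), and an aggregate alert on its own tells you the site is under attack but not which addresses to block, so the practical response is the one HostGator gives above, a strong password and, if your host allows it, an extra authentication layer in front of `wp-login.php`.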
Watch this space. This thing ain’t over yet!
Filed under: WordPress Security