back to article SWARMS of ZOMBIES unleashed on innocent bloggers

Hosting providers are reporting a major upsurge in attempts to hack into blogs and content management systems late last week, with WordPress installations bearing the brunt of the hackers' offensive. WordPress installations across the world were hit by a brute force botnet attack, featuring attempts to hack into installations …

COMMENTS

This topic is closed for new posts.
  1. Bill the Sys Admin
    Unhappy

    My blog doesn’t use admin account, but this has given me a kick up the arse to get it updated to the most recent release...*Sigh*

    1. Anonymous Coward
      Anonymous Coward

      A quick fix

      A quick fix is to install the Better WP Security plugin and configure it to:

      1) Move the login and admin pages from the default location to somewhere else

      2) Set up automatic banning on multiple 404 errors or failed logins from the same IP address

      And of course to rename the admin username.

      I had login attempts from over 100 separate IP addresses in a 10 minute period in the early hours of Monday morning, thankfully I had already made those changes.

      1. Bill the Sys Admin

        Re: A quick fix

        Cheers for the plugin link.

      2. Ian 55
        Thumb Down

        Re: A quick fix

        That plugin crapped all over a client's site to the point where they couldn't login themselves.

        Overkill.

        1. Bill the Sys Admin
          Mushroom

          Re: A quick fix

          Rather than willy nilly install it then read what its going to do? Thats certainly what i did.

  2. frank fegert

    More the "just" attacks against WP going ATM?

    I've also noticed a recent upspike in user registration/login attempts towards DokuWiki based sites. The sources of the attempts are from all over the world, mostly from hosting providers, mostly Linux/Apache systems. I wonder if there is a connection between this, the WP attacks and the malicious Apache module injecting rogue iframes in the data-stream?

  3. Anonymous Coward
    Megaphone

    2 important steps to take...

    Actually, fellow WordPress users could consider to resort to only 1 step: download & install Better WP Security (link to plugin page).

    When I started using WP the first thing I did was rename the admin account; I do that on all environments I use (including my Win7 desktop and my Windows servers). And then I discovered this critter which also checks for this and a whole lot more...

    It will help you enforce stronger passwords, rename the admin account, perform intrusion detection (x number of wrong login attempts results in banning the IP address (or an even wider range)), but also help you with suggesting how you could make the thing even more secure.

    It goes pretty far, even a bit too far for my liking, but even so it's also very honest. Some options ("You should rename the wp-content directory of your site") are very plausible enhancements, but they come with risks since other plugins may depend on that directory being present. And as they should they also warn for that.

    From hiding your backend, to logon limitations, intrusion detection right down to a nice log page which will show you how the bad guys tried to gain access.

    This is one of those plugins which I consider to be a must-have if you're on WordPress.

    1. FutureShock999

      Re: 2 important steps to take...

      I had three joomla sites get hacked recently (they were older, on Joomla 1.5), so moved to WP. And discovered Better WP Security immediately. Made me glad I changed. Joomla is much better for building more complicated sites, but the availability of such a comprehensive security plug-in for WP makes up for that. Great tool, worthy of support. No, I am not the author... :-P

  4. nuked

    Strangely absent is any indication as to what purpose this serves? Surely a compromised site has been inspected to determine any changes made?

    1. Robert Carnegie Silver badge

      Whatever the purpose is, it's going to be nasty. But they may not have done anything yet, waiting until they pwn one million blogs or something, then they strike.

  5. g e
    Holmes

    Having used Wordpress for the last 6+ months with my current client

    I can safely say I am SO glad I use Concrete5 for my own projects.

    WP is hideous and has so little out-of-the-box get-stuff-done functionality with any plugins you may want to install having never been code-reviewed or security-checked by anyone other than the person (and their commensurate skills) that coded it. God forbid you ever want to move it onto another server as its own import/export stuff cannot be relied upon so you even need a third party plugin to achieve that (which I'm spending today evaluating), unless you really like having to go through the database to do string replaces where it's written its damned site domain into data.

    I'm utterly unsurprised it's a popular attack vector and would never ever dare recommend a client used it for anything.

    1. Anonymous Coward
      Anonymous Coward

      Re: Having used Wordpress for the last 6+ months with my current client

      The Xcloner plugin works well for me when I need to import or export Wordpress sites. It's a pretty straightforward task to be honest.

      1. g e

        Re: Having used Wordpress for the last 6+ months with my current client

        Works for multisite, too? I'll give it a look if so, cheers.

  6. Anonymous Coward
    Anonymous Coward

    > If you still use "admin" as a username on your blog, change it, use a strong password,

    If you're an idiot, stop being an idiot.

    Yeah, that'll work. Not.

  7. taxman
    Big Brother

    Surprised?

    31.184.238.38 country: RU

    178.151.216.53 country: UA

    91.224.160.143 country: NL

    195.128.126.6 country: RU

    1. ecofeco Silver badge
      Angel

      Re: Surprised?

      Shocked I tell.

      shocked

  8. Anonymous Coward
    Anonymous Coward

    "innocent blogger"

    Really? is there such a thing as an innocent blogger?

    I don't mean innocent in the belle du jour sense, more in the doesn't-deserve-to-be-ripped-apart-by-zombies sense.

    1. James O'Shea Silver badge

      Re: "innocent blogger"

      why do you want to poison the poor innocent zombies?

    2. Mr Spock
      Boffin

      Re: "innocent blogger"

      You make some very valid points. Thanks! I will be reading again.

      Zombie insurance zombie insurance zombie repellent zombie repellent zombie casino zombie viagra zombie satellite dishes zombie cheating wives zombie insurance zombie insurance zombie repellent zombie repellent zombie casino zombie viagra zombie satellite dishes zombie cheating wives zombie insurance zombie insurance zombie repellent zombie repellent zombie casino zombie viagra zombie satellite dishes zombie cheating wives

      1. Phil O'Sophical Silver badge

        Re: "innocent blogger"

        You forgot the Microsoft Zombie cheatsheet, and the naked zombie celebrities...

  9. Anonymous Coward
    Anonymous Coward

    It's a blog eat blog world

    A bot's gotta eat!

  10. Ian 55
    Megaphone

    Yeah, yeah Matt - get some things right from the start

    The number of versions of WP that gave the initial account the default username of 'Admin' is disgracefully high.

    It is even worse how the basic WP install does not do 'fail to get the password in n (for low n) attempts and your IP is banned for m hours (for high m)', and you have to rely on a plugin to do it for you. Limit Login Attempts is my recommendation, as it just does this, without the messing around with everything it can find of the one mentioned above.

  11. ecofeco Silver badge
    Trollface

    WordPress

    What took them (the hackers) so long?

    WP has to be one of the most admin unfriendly interfaces out there, although MySpace is still the world champeen with FB right up there.

    The trifecta of bad admin interface design and security.

    <derp derp derp for sure.

  12. Trev 2

    Why Wordpress - it gives really easy PHP uploads

    For login security, Limit Login Attempts plugin seems pretty good and you can lock people out for a long time with it. Not perfect when they're hitting from different IPs however. Still baffles me as to why the default doesn't include that.

    One really dumb thing about WP is that you cant easily change the admin account name which was until recently also the default. Can't actually remember if you could select another name, but that's why so many have admin as a name. Either needs a plugin or database editing.

    As for why hit Wordpress - going by a hack I saw a month ago it could work something like:

    - Hack into the Wordpress admin account

    - Go to plugins -> upload a PHP script pretending to be a plugin.

    - While it's waiting to install the "plugin", it puts the PHP file in a public directory not /tmp!

    - Said script is now available at example.com/blog/wp-uploads/evilscript.php from memory.

    No messy FTP details required, just access to the WP blog admin account and you're sorted. The one I saw even upgraded itself as required so I'm sure any new ones will too.

    1. Ian 55

      Re: Why Wordpress - it gives really easy PHP uploads

      Yep to the first two paragraphs. You could change the default when you created the initial account, but lots of people didn't.

      If they've got administrator account, you're shagged anyway.

      The other perennial WP issue is the 'non admin users can gain admin rights' exploit. There's been about one a year for ages.

This topic is closed for new posts.