Kinda goes without saying, but shore up your admin passwords or be borged by this brute-forcing botnet

Servers are being targeted with a malware attack that uses its infected hosts to brute-force other machines. Known to Akamai researchers as Stealthworker, the infection preys on weak passwords then uses a massive arsenal of malware to overtake Windows and Linux servers running popular CMS, publishing, and hosting tools. …

  1. Pen-y-gors Silver badge

    Nasty

    But mitigation isn't too difficult.

    I have some WP sites (thankfully few) but security plugins (All-In-One???) really reduce the risk. Not using default login page names, locking out the site after multiple failed logins etc.

    But I've noticed for years that my server logs are full of failed attempts at logging in to WP, even when I don't use WP!

    Surely there is some way to develop IP blacklists for addresses that clock up, say, 50 failed WP login attempts in 24 hours, and the ISP then kills the IP address and tells all the others.

    1. IGotOut Silver badge

      Re: Nasty

      I've noticed a big uptick in login attempts (DigitalOcean looking at your clients).

      Mitigated 99% of these by Cloudflare by blocking any variation of wp-admin or wp-login from outside the UK. Known bad ISPs from the UK get a challenge response before they can proceed.

      Then it has to get past wordfence and 2FA.

    2. Robert Carnegie Silver badge

      Re: Nasty

      A home IP address may change from day to day. Even a business one. Or it could be your boss's PC. You can't block every IPv4 address, there aren't enough anyway.

      1. IGotOut Silver badge

        Re: Nasty

        Hence I block every country except the UK.

    3. DJV Silver badge

      Re: IP blacklist

      Yes, there is. One of the sites I administer was getting repeated attacks (lots trying WordPress logins and the site isn't WordPress, others trying SQL injections). I developed some code in PHP that recognised lots of the common attacks and, if found, added "Deny from [IP]" to the .htaccess file so they can no longer get access, and then calls die() with a message that basically tells them to sod off!
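      Added example, not code from either poster, written in Python rather than DJV's PHP: it applies the "50 failed WP login attempts in 24 hours" threshold Pen-y-gors proposes above over web-server access logs and emits the "Deny from [IP]" lines DJV appends to .htaccess. It assumes Apache "combined" log format; the sample log lines are constructed.

```python
# Added example, not code from any poster: a threshold blocklist for WordPress login
# brute forcing, built from Apache "combined" access-log lines (format assumed).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # Apache's default timestamp layout

def parse_line(line):
    m = LOG_RE.match(line)   # None for lines the pattern does not match
    return m and (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
                  m["path"].split("?", 1)[0], int(m["status"]))

def is_failed_wp_login(method, path, status):
    """WordPress answers a good password with a 302 to wp-admin and a bad one with 200
    plus the form again; a 404 means someone is probing a site that is not WordPress."""
    if not path.endswith("/wp-login.php"):
        return False
    return status == 404 or (method == "POST" and status != 302)

def offending_ips(lines, threshold=50, window=timedelta(hours=24)):
    """IPs with at least `threshold` failed attempts inside any sliding `window`."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent, blocked = defaultdict(deque), set()
    for ip, ts, method, path, status in events:
        if not is_failed_wp_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return sorted(blocked)

def htaccess_rules(ips):
    """Apache 2.2 syntax as quoted above; on Apache 2.4 use 'Require not ip <addr>'."""
    return [f"Deny from {ip}" for ip in ips]

def _log(ip, when, method="POST", status=200):   # constructed sample line
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "{method} /wp-login.php HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')
T0 = datetime(2020, 3, 10, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_log("203.0.113.7", T0 + timedelta(minutes=20 * i)) for i in range(60)]     # 60 fails in 20 h
    + [_log("198.51.100.20", T0 + timedelta(hours=i)) for i in range(60)]        # 1 per hour, 60 h
    + [_log("192.0.2.5", T0 + timedelta(hours=i), status=302) for i in range(3)] # real logins
)

if __name__ == "__main__":
    print("\n".join(htaccess_rules(offending_ips(SAMPLE_LOG))))
```

The second address never exceeds 25 attempts in any 24-hour window, so the sliding window leaves it alone while the first is denied.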

    4. Anonymous Coward

      Re: Nasty

      I've got all sites (WP and Joomla) on 2FA, and all immediately blacklist anyone trying to log in as "admin" or "administrator". On WP this gets also triggered when someone attempts to access the default admin login URL as that has been moved, and on Joomla it needs a magic word in the URL or it gets booted as well.

      Naturally, I've given the latter a few chances, just in case it's too early and I do this myself on account of not having had enough coffee yet :)

  2. HildyJ Silver badge

    Goes Without Saying

    In this day and age, why do so many things that should go without saying, especially when it comes to security, have to be said over and over again?

    1. joesomeone

      Re: Goes Without Saying

      Because internet security is like condoms or car insurance. Their value isn't appreciated until it's too late.

  3. Gene Cash Silver badge

    My sympathies

    to Larry Cashdollar

    1. Robert Carnegie Silver badge

      Re: My sympathies

      I wonder what his password is? ca$hlarry maybe? :-)

      1. djnapkin

        Re: My sympathies

        I'd love to discover where that surname came from. Perhaps an anglicisation (?) of a European or Russian name.

        1. WolfFan Silver badge

          Re: My sympathies

          It’s German. Kirtchthaler, ‘Church Valley’. Or some such.

  4. djnapkin

    I recognise my site is too small and not a target for this, but the distributed attack surely would punch a hole in our "five shots and you are out" defence against brute force login attempts.

    Darn.

    1. Robert Carnegie Silver badge

      Is any site too small? If only to recruit you into performing the next distributed attack.

      Sometime really I should improve my password for this forum. It's left over from much more innocent days.

      1. Anonymous Coward

        really I should improve my password for this forum. I

        No need to bother. We've just done it for you :-)

  5. Ian 55

    It is appalling

    .. that WordPress will still, in 2020, allow attackers as many attempts to brute-force your login details as they like, as fast as they like, and do absolutely nothing to detect or stop this unless you install a plugin or similar. Which they KNOW that most users don't.

    They also make it easier for attackers to do this by providing an interface that can be - and they KNOW is - abused to try 100+ username/password combos at once. Again, attackers can do this as fast as they like and for as long as they like.

    Instead, Automattic are far more concerned with forcing the pile of steaming bloatware that is Gutenberg on its users, complete with its own set of security holes.

    1. The obvious

      Re: It is appalling

      Because “It is open source and runs on Linux so it’s secure.”

      I’ve been told that in those exact words.

    2. Captain Scarlet Silver badge

      Re: It is appalling

      My experience from a WordPress-specific host is they will implement a change of login URL and username and install a login rate limit at the time of install or, in our case, migration.

      This should hopefully mean anyone who has never had a website before can be more secure from the get go without needing to know how to change these!

  6. sitta_europea

    People still use Wordpress?


Biting the hand that feeds IT © 1998–2020