Tuesday, April 16, 2013


WordPress Irresistible to Hackers

Failure to heed the most basic security advice has made tens of thousands of WordPress servers vulnerable to a massive brute force attack that ultimately could result in the creation of a botnet of Incredible Hulk proportions. This particular attack wouldn't be possible without the passive assistance of WordPress bloggers and site admins who chose feeble entries like "admin" as their usernames and easily guessed sequences like "123456" as their passwords.

An attack of unprecedented proportions has been hitting sites using WordPress, a free and open source blogging tool and content management system that powers more than 60 million websites worldwide.
Attacks have been launched from more than 90,000 IP addresses, according to HostGator.
CloudFlare said it blocked 60 million requests against its WordPress customers in one hour, according to reports.
It appears the hackers are trying to take over WordPress servers to give them added muscle for future attacks. Poor choice of passwords and inadequate server security are making their task easier.
"This particular style of brute force attack is not that difficult to defend against," Marty Meyer, president of Corero Network Security, told LinuxInsider. "The attackers are just trying to take advantage of people who implement WordPress-based blogs and sites who either do not understand basic security principles or who just choose to ignore them."
Easy Peasy
The attacker's botnet is hitting WordPress sites and trying to log in with the "admin" username and various passwords, said WordPress cofounder Matt Mullenweg.
Variations of the username "admin" and the word "root" are among the usernames the botnet is reportedly targeting. Passwords the botnet is said to be trying most often are "admin," "123456" and "12345678."
The problem lies mainly with users, though it is partly a consequence of the choice WordPress gives them at installation. WordPress 3.0, released about three years ago, let users pick a custom username on installation, and most people used "admin" as their default username, Mullenweg stated.
WordPress users employing the password "admin" should change it and use a strong password, he suggested. Those on WP.com should turn on two-factor authentication and ensure they've got the latest version of WordPress installed.
Filtering out suspect IP addresses or trying to throttle logins won't work, because with more than 90,000 IP addresses under its belt, the botnet could launch an attack from a different IP address every second for 24 hours, Mullenweg pointed out.
The WordPress Foundation did not respond to our request for further details.
The Weakness of the Many
"Vulnerabilities in WordPress have often been exploited with mass compromises," Charles Renert, vice president of Websense Labs, told LinuxInsider. "These attacks seem to come with an alarming frequency."
Joomla, an open source content management system, reportedly also has come under attack, and more such attacks can be expected in the future.
"As we predicted, the bad guys will routinely test the integrity of content management systems and service platforms as they increase in popularity," Renert remarked. "Attacks will continue to exploit legitimate Web platforms such as Joomla, Drupal and phpWind, requiring CMS administrators to pay greater attention to updates, patches and other security measures."
Security researchers warned late last year that hackers were attacking WordPress and Joomla sites, offering fake antivirus software to their users, TheNextWeb reported.
A Joomla spokesperson was not immediately available to provide further details.
Protecting Against Brute Force Attacks
Solutions to the brute force attacks have been offered by HostGator and by CloudFlare.
Changing usernames and implementing two-factor authentication "should prevent the attack from affecting the security of the data, but some accounts may experience performance or availability issues when trying to process all the unwanted traffic coming in as part of a brute force attack," Meyer said.
One good approach to eliminating unwanted traffic would be to have good perimeter security, such as firewalls, in front of servers hosting accounts, he suggested.
Users whose WordPress accounts are hosted by a third party should do due diligence on how data hosters protect servers from unwanted traffic and distributed denial of service attacks, said Meyer.
"Make sure you understand the network security capabilities of third-party server hosters," he stressed, "and use two-factor authentication for administrative accounts on these servers."
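The two points above fit together: Mullenweg's observation that per-IP filtering or throttling is useless against a botnet that rotates through 90,000 sources, and Meyer's advice to keep the attack away from the login handler in the first place. The script below, written for this article and not code from WordPress, HostGator, CloudFlare or Corero, replays a constructed stream of failed-login events and compares three policies: a per-source-IP throttle (which never fires, because every bot makes only one or two attempts), a per-account throttle (which fires, because the targeted username is the one stable key in a distributed attack), and a detector that alerts when one account is hit from many distinct IPs inside a short window. The log format is an assumption: one line per failed login with an ISO timestamp, source IP, username tried and password tried, which is what a WordPress `wp_login_failed` hook or a login-auditing plugin could emit. All sample lines are constructed and use documentation IP ranges.

```python
"""
Per-IP vs per-account throttling against a distributed wp-login.php
brute force.  Added example for this article; not WordPress, HostGator,
CloudFlare or Corero code.  Log format is assumed (see lead-in).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: "<ISO timestamp> <src IP> <username> <password>".
# Seven different bots each try "admin" once, one tries "root", and one
# ordinary user fat-fingers their own password twice from a single IP.
SAMPLE_LOG = """\
2013-04-12T10:00:00 198.51.100.10 admin 123456
2013-04-12T10:00:01 198.51.100.11 admin 12345678
2013-04-12T10:00:02 203.0.113.7 admin admin
2013-04-12T10:00:03 203.0.113.8 root 123456
2013-04-12T10:00:04 192.0.2.55 admin password
2013-04-12T10:00:05 192.0.2.56 admin qwerty
2013-04-12T10:00:06 198.51.100.12 admin letmein
2013-04-12T10:00:07 203.0.113.9 admin admin123
2013-04-12T10:01:30 192.0.2.99 jsmith Wr0ng-Guess
2013-04-12T10:01:31 192.0.2.99 jsmith Wr0ng-Guess2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_events(text):
    """Return (unix_ts, src_ip, username) tuples, oldest first.  The
    guessed password is dropped on purpose so it never reaches alerts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        events.append((ts, m.group(2), m.group(3)))
    return events


class SlidingWindow:
    """Events per key inside a trailing window of `window_s` seconds.
    Assumes events arrive in timestamp order, as they do from a log."""

    def __init__(self, window_s):
        self.window_s = window_s
        self.buckets = defaultdict(deque)

    def add(self, key, ts, value=None):
        dq = self.buckets[key]
        dq.append((ts, value))
        while dq and ts - dq[0][0] > self.window_s:
            dq.popleft()  # evict entries that fell out of the window
        return dq


def per_ip_blocks(events, window_s=60, threshold=5):
    """Source IPs a per-IP throttle would block.  Stays empty when the
    botnet spreads its attempts across thousands of addresses."""
    win = SlidingWindow(window_s)
    blocked = set()
    for ts, ip, _user in events:
        if len(win.add(ip, ts)) >= threshold:
            blocked.add(ip)
    return blocked


def per_account_lockouts(events, window_s=60, threshold=5):
    """Usernames whose failure count crosses the threshold regardless of
    source.  Keyed on the target, so IP rotation does not help the bots."""
    win = SlidingWindow(window_s)
    locked = set()
    for ts, _ip, user in events:
        if len(win.add(user, ts)) >= threshold:
            locked.add(user)
    return locked


def distributed_attack_alerts(events, window_s=60, min_sources=5):
    """Accounts hit from at least `min_sources` distinct IPs within the
    window, mapped to the peak distinct-source count.  Many sources on
    one account is the signature of a botnet, not one noisy client."""
    win = SlidingWindow(window_s)
    alerts = {}
    for ts, ip, user in events:
        sources = {src for _t, src in win.add(user, ts, ip)}
        if len(sources) >= min_sources:
            alerts[user] = max(alerts.get(user, 0), len(sources))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-IP blocks:     ", per_ip_blocks(evs))             # set()
    print("account lockouts:  ", per_account_lockouts(evs))      # {'admin'}
    print("distributed alerts:", distributed_attack_alerts(evs))  # {'admin': 7}
```

Running it shows the per-IP policy blocking nothing while the per-account policy locks "admin" on the fifth failure and the distributed detector reports seven distinct sources against it. One caveat a practitioner should keep in mind: a hard lockout keyed on the username lets an attacker lock the real administrator out at will, so the per-account trigger is better used to demand a CAPTCHA or a second factor, to shift the block to the perimeter device Meyer describes, or simply as the alert that tells you to rename the account and enable two-factor authentication.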