Wednesday, June 19, 2019
Botnet from over 20,000 WordPress sites attacks other WordPress sites


Attackers controlling a "botnet" of over 20,000 infected WordPress sites are using it to attack other WordPress sites, according to a report by the Defiant Threat Intelligence team. Over the last thirty days the botnet has attempted up to five million malicious WordPress logins.

According to the report, the attackers use four command-and-control servers that send requests to over 14,000 proxy servers belonging to a Russian proxy provider. The proxies anonymize the traffic and relay instructions and an attack script to the infected WordPress "slave" sites; the instructions tell each slave which other WordPress sites it should target. The servers behind the attack are still online. The attacks primarily target WordPress's XML-RPC interface (xmlrpc.php), through which the slaves try username and password combinations against administrator accounts. XML-RPC is attractive for this because it accepts many method calls in a single request (system.multicall), so one HTTP request can carry a whole batch of password guesses.

"The wordlists associated with this campaign contain small sets of very common passwords. However, the script does have capabilities to dynamically generate passwords based on common patterns … Although unlikely to be used on a particular site, this tactic can be very effective when used on a large number of targets," explains the Defiant Threat Intelligence team.

Attacks on the XML-RPC interface are not new; brute-force campaigns against it date back to 2015. If you are worried that your WordPress site may be affected by this attack, the Defiant Threat Intelligence team says the best defense is to limit and block failed login attempts. Such limits only help against this campaign if they also count attempts made through xmlrpc.php, not just those made through the normal login form. You can also use WordPress plugins that protect against brute-force attacks, such as Wordfence (Defiant's own plugin), or restrict access to xmlrpc.php altogether if no client of your site needs it.
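The following is an added example, not code from the Defiant report, from WordPress or from Wordfence. It ties the XML-RPC detail described above to the failed-login limiting recommended here: one POST to xmlrpc.php can carry many guesses through system.multicall, so a limiter has to count the attempts inside the request body rather than the number of requests. The request bodies, IP addresses and wordlist are constructed for the demonstration, and the `FailedLoginLimiter` class and the function names are assumptions of this example, not a WordPress or Wordfence API.

```python
"""
Counting credential guesses hidden in a single xmlrpc.php request.

Added example, not code from the Defiant report or from WordPress. It
shows the check a failed-login limiter needs in front of xmlrpc.php:
one POST can carry many login attempts through system.multicall, so a
limiter that counts requests instead of attempts undercounts. All
request bodies below are constructed here for demonstration.
"""
import xmlrpc.client
from collections import defaultdict, deque
from xml.parsers.expat import ExpatError

# Authenticated XML-RPC methods take (username, password) and answer
# differently for valid and invalid credentials, so each call is one
# password guess. wp.getUsersBlogs is the method used in the 2015-era
# multicall attacks; extend the set for other authenticated methods.
CREDENTIAL_METHODS = {"wp.getUsersBlogs"}


def _count_calls(method, params):
    """Number of credential guesses in one call, recursing into multicalls."""
    if method == "system.multicall":
        # params holds one element: the list of inner calls. Nested
        # multicalls are counted too, since the server unpacks them.
        inner = params[0] if params else []
        return sum(
            _count_calls(call.get("methodName", ""), call.get("params", []))
            for call in inner
            if isinstance(call, dict)
        )
    if method in CREDENTIAL_METHODS and len(params) >= 2:
        return 1
    return 0


def count_login_attempts(body):
    """Username/password guesses carried by one XML-RPC request body."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, ValueError, TypeError, xmlrpc.client.Error):
        return 0  # not a well-formed XML-RPC call; leave it to other controls
    return _count_calls(method, params)


def build_call_body(method, params):
    """Constructed test input: a plain XML-RPC request for `method`."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def build_multicall_body(username, passwords):
    """Constructed test input: a system.multicall with one guess per password."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, pw]}
        for pw in passwords
    ]
    return build_call_body("system.multicall", [calls])


class FailedLoginLimiter:
    """Sliding-window limiter keyed by client IP that counts attempts, not requests."""

    def __init__(self, max_attempts=5, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._events = defaultdict(deque)  # ip -> deque of (timestamp, attempts)

    def register(self, ip, attempts, now):
        """Record failed attempts from ip at time now; True if ip is over the limit."""
        events = self._events[ip]
        while events and events[0][0] <= now - self.window:
            events.popleft()  # drop entries that have left the window
        events.append((now, attempts))
        return sum(n for _, n in events) > self.max_attempts


def demo():
    """Compare a per-request count with a per-attempt count for one botnet-style POST."""
    # Constructed: one request from one proxy IP carrying 20 guesses for 'admin'.
    wordlist = ["admin", "password", "123456", "admin123", "letmein"] * 4
    body = build_multicall_body("admin", wordlist)
    attempts = count_login_attempts(body)

    per_request = FailedLoginLimiter(max_attempts=5)
    per_attempt = FailedLoginLimiter(max_attempts=5)
    return {
        "attempts_in_one_post": attempts,
        "blocked_when_counting_requests": per_request.register("203.0.113.7", 1, now=0),
        "blocked_when_counting_attempts": per_attempt.register("203.0.113.7", attempts, now=0),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the count runs wherever the raw request body is visible before credentials are checked (a WAF rule, a reverse proxy, or a PHP hook ahead of authentication), and the limiter's state has to be shared across workers; the in-memory store here only keeps the example self-contained.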

The Defiant Threat Intelligence team has shared information about the attacks with law enforcement. Unfortunately, as ZDNet reports, the four command-and-control servers cannot be taken offline because they are hosted with a provider that does not honor takedown requests. The researchers are, however, contacting the hosting providers of the identified infected slave sites to limit the scope of the attack.

Some data has been omitted from the original report because it could be exploited by others. The use of proxies also makes it difficult to trace the origin of the attacks. However, the attackers made mistakes that allowed the researchers to access the interface of the command-and-control servers, and the information obtained there is considered "very valuable data" for the investigators.
