
Wordpress hack connects users to botnet


travelin cat

1:54 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member



More than 100,000 Wordpress websites have been conscripted into a botnet which forces them to inadvertently launch DDoS attacks.
Security firm Sucuri found the botnet when analysing an attack targeting one of its customers and traced the source of the attack to legitimate WordPress sites.

[techradar.com...]

lorax

3:09 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I wish there was a way to shut down these sites. Maybe we need to have a license for WordPress site owners. If you're too stupid to keep your site updated, then you lose your license and the site goes offline.

graeme_p

6:06 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Wordpress could also help by

1) disabling things that not everyone needs, like XML-RPC (used in this attack) by default.
2) making hardening easier - e.g. making /wp-admin easily relocatable
3) disable file editing by default - or remove the damn stupid misfeature altogether.
4) do not use the same default admin username on every install.

lorax

6:13 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



@graeme_p, yep.

dvduval

6:36 pm on Mar 13, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't use wordpress for my own sites, but if a customer asks for it I warn them there will be ongoing maintenance costs to prevent them from being hacked.

webdevfv

11:26 pm on Mar 13, 2014 (gmt 0)

10+ Year Member



I use an older version but can't upgrade as my host won't upgrade php to the level required to install the newer Wordpress.

super70s

12:39 am on Mar 14, 2014 (gmt 0)

5+ Year Member



@webdevfv, I had the exact problem (are you with Yahoo SB too by any chance?). The older WP's have serious security issues and your domain can be hijacked for a Viagra page that isn't even on your site. My entire site isn't in WP (thank God), just a blog was, so I said the hell with WP and moved the blog to Blogger.

Now all those bogus Viagra pages go to my 404 page where there's a link to my main page. Thanks for the free traffic jerks, lol.

pawas

3:51 am on Mar 14, 2014 (gmt 0)

10+ Year Member



I do have some sites running very old versions, but I have never faced any hacking problems. It's because I always password protect 'wp-admin' directory on all installations/versions.

thecoalman

7:35 am on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Protecting the admin folder or other non public folders with .htaccess is always a good practice since those files can typically cause the most damage but I wouldn't depend on it for securing an installation. Public scripts can be just as damaging.

Security for any site is about layers and keeping up to date to remove exploits should be priority number one.

lorax

1:29 pm on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



+1 thecoalman

Angonasec

4:36 pm on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"I have never faced any hacking problems."

What I suspect you mean is you've not yet been hacked into.

Simply observe the hack attempts, in your raw access logs. The bulk are clearly focussed on the WP framework.

Then decide if that level of abuse of your CPU and BW is not a problem.

alika

6:45 pm on Mar 17, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> Public scripts can be just as damaging.


When my sites were constantly under attack, my managed webhost put a password protect on my Wordpress login and Google slammed me with "increase in authorization errors" pointing to the login pages. Here's the discussion to that problem I raised [webmasterworld.com...] Traffic plummeted - not the drastic drop-from-the-cliff kind, but the slow-but-sure kind that is sooo hard to climb back up.

I had to put the WP login pages in my robots.txt file to get rid of Google's authorization error messages.

I moved to a different managed server webhost with stronger protection layers against hacking. So far, no problems. Keeping my fingers crossed.

Hacking is just something many website owners don't think about until it happens to them. Just like me. When I got hit -- and boy, it was non stop -- it was painful. Only then did I take protecting against malware and hacking seriously, and now I religiously update every Wordpress install and plugin as soon as an update is available.

lorax

1:00 pm on Mar 18, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



>> Traffic plummeted

But if the traffic was from the bot attack this would make sense. No?

robzilla

1:29 pm on Mar 18, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



>> If you're too stupid to keep your site updated, then you lose your license and the site goes offline.

This attack has nothing to do with updates, though. It's just the way pingbacks work, and they're enabled by default in many content management systems, not just Wordpress.

lorax

5:00 pm on Mar 18, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Good point robzilla - I wasn't very clear. I should have included "and locked down".

You can disable them in the Admin panel for all future posts/pages. To disable them for already published posts/pages in bulk [wordpress.org...]
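A drop-in that applies graeme_p's points 1 and 3 and lorax's advice to turn pingbacks off from the WordPress side. This is an added example, not code from the thread or from the WordPress project; it assumes a standard WordPress install with the file placed in wp-content/mu-plugins/ so it loads on every request.

```php
<?php
/**
 * Plugin Name: Pingback and XML-RPC hardening (example mu-plugin)
 *
 * Assumption: standard WordPress install; file lives in wp-content/mu-plugins/.
 */

// 1) Remove the pingback method itself.
//    Caveat: the widely copied add_filter( 'xmlrpc_enabled', '__return_false' )
//    only blocks methods that require a login. pingback.ping needs no login,
//    so with that filter alone the site stays usable as a DDoS reflector.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2) Stop advertising the endpoint: drop the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3) Treat pings as closed on every post, already-published ones included,
//    so no bulk change to ping_status in the database is needed. This also
//    covers the trackback path (wp-trackback.php checks pings_open()).
add_filter( 'pings_open', '__return_false' );

// 4) Close the authenticated XML-RPC methods too, unless a client such as
//    a mobile app genuinely needs them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 5) Remove the in-dashboard theme/plugin file editor. wp-config.php is the
//    usual place for this constant; an mu-plugin loads early enough for the
//    capability check, so it is defined here only if not already set.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

If nothing on the site needs XML-RPC at all, denying access to xmlrpc.php in .htaccess (alongside the wp-admin protection thecoalman describes) removes the endpoint entirely rather than relying on filters inside the application.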

alika

6:18 pm on Mar 18, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> But if the traffic was from the bot attack this would make sense. No?


NO - the big decrease was Google traffic. The bot attack came as referral traffic.

eddiemayan

7:49 am on May 23, 2014 (gmt 0)



WordPress has many vulnerabilities that can be exploited very easily. Most people do not know that their WordPress blog is a part of a large DDoS attack being carried out against a target.
Most commonly pingbacks and trackbacks are used in WordPress to send requests to a target website. DDoS attackers make use of this vulnerability to launch an Application Layer DDoS attack.
We all should take steps to harden our WordPress security so it can not be used to launch a large scale DDoS attack. Learn how to protect your WordPress website from being used in a DDoS attack.

[edited by: lorax at 12:11 pm (utc) on May 23, 2014]

lorax

12:24 pm on May 23, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Let's be clear without the sensationalism. Pingbacks are a feature that WordPress allows. Some people find them useful, others find them less so. Some exploit the function to coordinate attacks.

Just because we have roads and people use those roads to deliver car bombs or crash their cars, doesn't mean the roads are a vulnerability. Roads can be used for bad and good - their job is to allow transport. The job of pingbacks is to allow notification. Either one can be used against you. If you want a truly safe CMS then don't use a CMS.