Botnets doing a brute force attack as of now, Friday 4pm EST

Sulphur

Aug 10, 2011
Google "wordpress brute force"
Apparently they're finding WP sites, and trying the username "admin" with thousands of passwords on each one. When they get in, they install a remote-control trojan script to allow them to use their own password, regardless of whatever you change the password to.
There are a few "login limit" type plugins... might want to look into them or check your last login date. And change your admin username, if you don't routinely do it already.
 


So I can't use the word "admin" as my password anymore?

If you did, you're already fucked.

I checked my logs and yup, the bots are going nuts.

Just deleted the admin account anyways. It had a strong password but might as well be careful.

Note: Brute force attacks on accounts that post in wp. So if "Fred" posted an article in wp, then that account gets hammered too.

Gonna be a busy weekend for wp support, methinks.
 
So I can't use the word "admin" as my password anymore?

You should never use admin as the username. (edit: misread, but anyway, still right)

Wordfence is a decent security plugin and it allows you to ban for login failures, password resets or even using an invalid username (which I have enabled on a few sites). The main issue is that this is a distributed attack so banning by IP is nearly pointless. It will slow the attempts a bit though since each IP will only get 1 try. According to my host, there are in the range of 50k IP addresses involved and I am seeing worldwide locations.

I am seeing tons of logs on these attempts. They are using more than "admin" however. Looks like this:

An unknown location at IP 201.59.26.x attempted a failed login using an invalid username "adm".
An unknown location at IP 200.40.46.x attempted a failed login using an invalid username "user".
An unknown location at IP 50.117.80.x attempted a failed login using an invalid username "admin".
An unknown location at IP 61.97.223.x attempted a failed login using an invalid username "root"
An unknown location at IP 201.92.70.x attempted a failed login using an invalid username "qwerty".
An unknown location at IP 125.166.61.x attempted a failed login using an invalid username "manager".
An unknown location at IP 200.76.103.x attempted a failed login using an invalid username "aaa".
An unknown location at IP 178.196.219.x attempted a failed login using an invalid username "test".
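As an added example (not from the post above or from Wordfence itself), here is a small parser for notices in the format quoted above; it aggregates failed logins per source IP and per username and applies a heuristic for the distributed pattern the post describes, where no single IP ever reaches a per-IP ban threshold. The sample lines are constructed, with the last octet masked the way the post masks it.

```python
import re
from collections import Counter

# Constructed sample in the format of the Wordfence notices quoted in the thread.
SAMPLE_LOG = """\
An unknown location at IP 201.59.26.x attempted a failed login using an invalid username "adm".
An unknown location at IP 200.40.46.x attempted a failed login using an invalid username "user".
An unknown location at IP 50.117.80.x attempted a failed login using an invalid username "admin".
An unknown location at IP 61.97.223.x attempted a failed login using an invalid username "root"
An unknown location at IP 201.92.70.x attempted a failed login using an invalid username "qwerty".
An unknown location at IP 50.117.80.x attempted a failed login using an invalid username "admin".
"""

# Tolerates the missing trailing period seen on one of the quoted lines.
LINE_RE = re.compile(
    r'IP (?P<ip>[\d.]+x?) attempted a failed login using an invalid username "(?P<user>[^"]*)"'
)

def parse_failures(text):
    """Return (ip, username) pairs for every notice line that parses."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("user")))
    return pairs

def summarize(failures):
    """Count failed attempts per source IP and per username tried."""
    per_ip = Counter(ip for ip, _ in failures)
    per_user = Counter(user for _, user in failures)
    return per_ip, per_user

def is_distributed(per_ip, per_ip_threshold=3, min_sources=5):
    """Many sources, each staying under the per-IP ban threshold: a per-IP
    lockout never fires even though the site is clearly under attack."""
    if len(per_ip) < min_sources:
        return False
    return all(n < per_ip_threshold for n in per_ip.values())

if __name__ == "__main__":
    per_ip, per_user = summarize(parse_failures(SAMPLE_LOG))
    print("distinct sources:", len(per_ip))
    print("usernames tried:", per_user.most_common())
    print("distributed pattern:", is_distributed(per_ip))
```

The point of the heuristic is the one the post makes: with a per-IP ban threshold of 3, a botnet that spends one or two attempts per address never trips it, so the useful signal is the total rate of invalid-username attempts across all sources.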
 
they've been doing these attacks for years. my server was compromised and instead of deleting the backdoor, i made it a honeypot and it's *always* trying this, their list of WP blogs is huge.

the C&C server IP is 94.242.251.250, which is a box belonging to root.lu who didn't reply to my numerous abuse emails. i hear online they don't really care.

actually just checked, and been hit by 185.8.104.85 now.
 
Yes, this has been pissing me off. It's not "as of now". It's been a couple days. It's keeping a ton of my DNS's from being able to resolve at this new hosting company I'm wanting to try.
 
If you did, you're already fucked.

I checked my logs and yup, the bots are going nuts.

Just deleted the admin account anyways. It had a strong password but might as well be careful.

Note: Brute force attacks on accounts that post in wp. So if "Fred" posted an article in wp, then that account gets hammered too.

Gonna be a busy weekend for wp support, methinks.

I can re-affirm this. And my logs are screaming as much as mallocs -

It is ALWAYS a good idea to use different username/password combinations. Nothing apparent. Not the domain name. And definitely not admin, owner, manager, writer etc.

I have been helping another member here clean up his servers since yesterday. LOTS of shell scripts uploaded/replicated throughout the server (wp-content/wp-content2.php etc.). JavaScript obfuscation in full force with files being modified. It's not just the themes being attacked anymore. Fake plugins are being uploaded and installed, sometimes with names matching those of the current popular plugins, etc.

Stay updated and hardened bros.
 
Thanks for the heads up. Aside from manually checking each site via Sucuri, any advice on how to check if your sites have been compromised? I just fixed a bunch of mine up, but I've been guilty of using admin as the username for almost all my WP sites, and though I changed all I could think of, it's almost certain I managed to miss a few.
 
These fuckers are all over my sites today. I just blocked their IP range.

 
Thanks for the heads up. Aside from manually checking each site via Sucuri, any advice on how to check if your sites have been compromised? I just fixed a bunch of mine up, but I've been guilty of using admin as the username for almost all my WP sites, and though I changed all I could think of, it's almost certain I managed to miss a few.

Perhaps a dumb question, but how do you double check if you're already hit?

You can try running a scan on sucuri.net - but it is not 100% accurate ever.

The best way would be to login to your FTP or your file manager via cPanel and look for the "Last Modified" timestamp on every file. cPanel adds a "Last Modified" timestamp to every file that is modified, either by you or by an attacker or a script.

If the timestamp is pretty recent, such as a day or two before, or is irregular when compared to the others (for instance, other files show timestamps of February, when you last updated WordPress, while one or two show March or April), then it's time to investigate.

Also, when getting custom themes developed or downloading new ones, ask your developer about external readymade frameworks being used. For instance, timthumb.php is a heavily used thumbnail generation utility (everyone and their brothers includes this in their theme) - an exploit for it last year resulted in widespread hacks and defacements of WordPress sites all over. The script author was quick in releasing a patch, but his was/is a little known site and not many were aware of this until it was too fucking late.

Also, avoid cramming your site up with too many plugins. If you think you need a particular functionality, ask a competent developer to encode it right into your theme's functions. You don't need 200 plugins to build a WordPress site.
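The "Last Modified" check from the post above, as an added example that is not part of the original post: it walks an install, flags files modified in the last couple of days or much newer than the bulk of the tree, and also flags the dropped-file name mentioned earlier in the thread (wp-content2.php). The fixture it scans is constructed in a temp dir; the 2-day and 7-day windows and the suspicious-name list are assumptions, and since an intruder can reset mtimes, comparing file hashes against a fresh WordPress download of the same version is the stronger follow-up.

```python
import os
import tempfile
import time
from statistics import median

SUSPICIOUS_NAMES = {"wp-content2.php"}  # name quoted in the thread; extend as needed

def scan_tree(root, newer_than_days=2, outlier_days=7, now=None):
    """Return (relative path, reasons) for files worth a closer look."""
    now = time.time() if now is None else now
    mtimes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtimes[path] = os.path.getmtime(path)
    if not mtimes:
        return []
    base = median(mtimes.values())  # "when you last updated WordPress" proxy
    flagged = []
    for path, mt in sorted(mtimes.items()):
        reasons = []
        if now - mt < newer_than_days * 86400:
            reasons.append("modified recently")
        if mt - base > outlier_days * 86400:
            reasons.append("newer than the bulk of the install")
        if os.path.basename(path) in SUSPICIOUS_NAMES:
            reasons.append("suspicious filename")
        if reasons:
            flagged.append((os.path.relpath(path, root), reasons))
    return flagged

def build_demo_tree(root, now):
    """Constructed fixture: a 60-day-old install with two anomalies."""
    layout = {"wp-login.php": 60, "wp-config.php": 60, "wp-includes/functions.php": 60,
              "wp-content/themes/x/style.css": 60, "wp-content/plugins/y/y.php": 60,
              "wp-content/uploads/2013/04/dropped.php": 1,  # appeared yesterday
              "wp-content/wp-content2.php": 60}             # old mtime, bad name
    for rel, age_days in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        ts = now - age_days * 86400
        os.utime(path, (ts, ts))

def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        now = time.time()
        build_demo_tree(root, now)
        return scan_tree(root, now=now)

if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", ", ".join(reasons))
```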