Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.
Domain summit 2024

WARNING: A Global Attack on Wordpress sites in progress

Status
Not open for further replies.

Mark Talbot

Level 7
Legacy Platinum Member
Joined
Jun 13, 2003
Messages
931
Reaction score
164
Feedback: 0 / 0 / 0
(mods, please move this if this is wrongly placed)

(readers, dont dismiss this as the usual 'wordpress vulnerabilities' are expected)

This should apply to anyone using wordpress as a content site, or sales site, or any reason really.

My host has informed me that they are being hammered with support requests on domain accounts with wordpress instances. They suggested this new problem is global, affects ALL hosting providers, and anyoner using wordpress.

They also said this is an ongoing new attack specifically targeting these sites.

They said that one would first notice their wordpress acp pages rendering really slow, and that they cant bulk-fix as it would potentially make their acp inaccessable.

Yesterday I took down my sales site as it had become corrupted with a mailer bot script. My site was muling spam thru my server. I was on the latest wordpress build. I dont know if this was related to the announcement today, but I only submitted my nos ticket yesterday regarding my site.




I give this warning to anyone here who uses wordpress for mini-content sites, bigger sites, or sales sites, basically anyone using wordpress.
 
Domain summit 2024

Shane

Account Terminated
Legacy Platinum Member
Joined
Jul 6, 2012
Messages
1,720
Reaction score
354
Feedback: 38 / 0 / 0
The issue started popping up around the world about 14 hours before my site got infected.

My programmer found the problem.. It was a malicious trojan.

If your site is infected replace your index.php with an older version. Delete your cache and refresh.
 
Last edited:

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
In other news, North Korea moves another missile in upright position.
 

Shane

Account Terminated
Legacy Platinum Member
Joined
Jul 6, 2012
Messages
1,720
Reaction score
354
Feedback: 38 / 0 / 0
In other news, North Korea moves another missile in upright position.

Meh. I'm no longer responsible for dealing with nuclear issues.
 

vinsdomains.com

Level 6
Legacy Platinum Member
Joined
Feb 21, 2012
Messages
517
Reaction score
109
Feedback: 39 / 0 / 0
Wow, within 10 minutes of me reading this post, ALL of my wordpress sites went down. Crazy cyber world we live in!

Contacted support, who indicated ALL WordPress sites will go down temporarily, while they address security issues - nothing to do with host - it is all Wordpress, but they are fighting back!
 
Last edited:

Shane

Account Terminated
Legacy Platinum Member
Joined
Jul 6, 2012
Messages
1,720
Reaction score
354
Feedback: 38 / 0 / 0
Wow, within 10 minutes of me reading this post, ALL of my wordpress sites went down. Crazy cyber world we live in!

Contacted support, who indicated ALL WordPress sites will go down temporarily, while they address security issues - nothing to do with host - it is all Wordpress, but they are fighting back!

Did your host shut them down?

Oh and thanks for the bid. :D
 

vinsdomains.com

Level 6
Legacy Platinum Member
Joined
Feb 21, 2012
Messages
517
Reaction score
109
Feedback: 39 / 0 / 0
It was not the host, but Wordpress, according to my hosting provider, installing security tweaks. My sites are back up but were down 1-2 hours today.
 

Shane

Account Terminated
Legacy Platinum Member
Joined
Jul 6, 2012
Messages
1,720
Reaction score
354
Feedback: 38 / 0 / 0
That's very strange. My WP site hasn't had any down time. I wonder if they suspended the sites which were still infected. It's definitely a security issue within WP. I checked my FTP logs and plugins just to be sure.. Hopefully they'll resolve the issue quickly.
 

amplify

Level 5
Legacy Exclusive Member
Joined
Sep 15, 2009
Messages
3,464
Reaction score
1,171
Feedback: 68 / 0 / 0
In other news, North Korea moves another missile in upright position.

I wondered why flights for 4 were only $1200 to Hong Kong... They used to be $1600-$2500 range. ;)

Family trip plus the afternoon in Hong Kong to celebrate my birthday when leaving on the 21st-- if I make it.

No problem with my Wordpress sites. I don't know if it has to do with a specific host or they are searching Google for Wordpress hosted sites. All mine are stripped of "wordpress" keyword, so they must pass over or it's due to a dedicated server.
 

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
Yesterday was a coordinated brute force attack, it started for me around 4am local time and went through the day. I get email alerts when someone fails a login attempt for some of my sites, I had over 20,000 when I got home, I can only guess I had over 75,000-100,000 attempts on all my sites - most likely much higher.

As far as I know none of my sites are cracked but I also have login lockdown which eventually would have stopped it but word has it that the attackers / botnet used over 90,000-100,000 IP addresses (and I'm sure with each site compromised they added to it).

Just make sure your Wordpress software and plugins are up to date and have a damn good admin password. I don't want to get into other precautions since this post will become a "how to" for hackers.
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,318
Reaction score
2,217
Feedback: 723 / 0 / 0
It's an internal issue not a brute force tactic. :)

The attacks aren't taking advantage of any current WordPress issues or vulnerabilities. They are simply linear attacks to 'guess' the admin password. The WP admin account should be renamed so that 'admin' would not even validate.
 

chipmeade

Level 7
Legacy Exclusive Member
Joined
Mar 13, 2007
Messages
943
Reaction score
137
Feedback: 6 / 0 / 0
message from Matt...the founder of WordPress. http://ma.tt/2013/04/passwords-and-brute-force/

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
 
Last edited:

EM @MAJ.com

Visit MAJ.com for domain forsale.
Legacy Exclusive Member
Joined
Sep 10, 2002
Messages
5,833
Reaction score
75
Feedback: 141 / 0 / 0

inquisitive

Level 3
Legacy Platinum Member
Joined
Aug 24, 2007
Messages
87
Reaction score
4
Feedback: 0 / 0 / 0
What I have noticed since reading the news / this post.

If you are installing a new blog, create a new user name for admin, do not just use admin :)

However, if you have an old installation of wordpress that you have upgraded thru the years, then your username is most likely admin.
So the suggestion out there is to create a new account, and demote or delete the old one (when you delete the old one you are given the opportunity to transfer the posts to the new account).

Unfortunately that is not really a solution (I did this to one of my sites already), because the bad guys can figure out the new username just by typing site.com/?author=1 and wordpress will redirect to the username of that ID, so then another solution is needed like this one.
http://wordpress.org/support/topic/author1-2-3-how-to-stop-it

However this may not be the best solution.. just one of them
 

amplify

Level 5
Legacy Exclusive Member
Joined
Sep 15, 2009
Messages
3,464
Reaction score
1,171
Feedback: 68 / 0 / 0
Simple fix going forward, install WP from cPanel and pick a username that's not "admin" then let it generate a strong password for you.
 
Status
Not open for further replies.

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Sedo - it.com Premiums

IT.com

Premium Members

AucDom
UKBackorder
Be a Squirrel
MariaBuy

New Threads

Our Mods' Businesses

Free QR Code Generator by MerchArts
UrlPick.com

*the exceptional businesses of our esteemed moderators

Top Bottom