
Wordpress Sites Under Wide-Scale Brute Force Attack

Posted by Soulskill
from the pressing-all-the-words dept.
New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.
  • Seems like..... (Score:3, Insightful)

    by n3tm0nk (2725243) on Friday April 12, 2013 @04:38PM (#43435545)
    something they should have been prepared for in the first place......
    • Re:Seems like..... (Score:5, Informative)

      by jakimfett (2629943) on Friday April 12, 2013 @04:50PM (#43435679) Homepage Journal
      Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.
      • by Doug Otto (2821601) on Friday April 12, 2013 @05:02PM (#43435803)
        This.

        Based on the dictionary they're using for this attack, all that's required to thwart it is a capital letter.
      • by pspahn (1175617) on Friday April 12, 2013 @05:24PM (#43435981)

        Doesn't WP allow you to change the admin login URL as well?

      • by Anonymous Coward on Friday April 12, 2013 @05:24PM (#43435983)

        Also don't use standard directory structure like /wordpress/ or /blog/

      • by schlick (73861) on Friday April 12, 2013 @06:24PM (#43436497)
        And using the google authenticator plugin for 2 factor authentication.
        • by Anonymous Coward on Friday April 12, 2013 @07:03PM (#43436773)

          And using the google authenticator plugin for 2 factor authentication.

          That would be idiotic.^W^W^W^WI have some magic beans for you! Simply send any message to this email address: ihavewaytoomuchmoney@wesolvethat.com

      • Re:Seems like..... (Score:4, Informative)

        by Zamphatta (1760346) on Friday April 12, 2013 @07:55PM (#43437135) Homepage
        And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.
        • by x_t0ken_407 (2716535) on Friday April 12, 2013 @08:51PM (#43437523) Homepage

          And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

          There are indeed plugins that do this. In fact, I was alerted to a few of my sites being bruteforced from a plugin that does just that. What really helps though, is having a .htpasswd enabled on the wp-admin directory -- I use a plugin for that as well ("AskApache Password Protect"), though admittedly it's not hard at all to implement without the plugin.

        • by thoughtlover (83833) on Saturday April 13, 2013 @04:12PM (#43442089)

          You should not use plugins to regulate login attempts, at this time. Check the post, below and link to his blog with the reasons why. http://it.slashdot.org/comments.pl?sid=3643255&cid=43436363 [slashdot.org]

          I'd also recommend that people reset their Secret Keys to resalt users' cookies. https://codex.wordpress.org/Editing_wp-config.php#Security_Keys [wordpress.org]

        • by betterprimate (2679747) on Sunday April 14, 2013 @02:00AM (#43444631)
          This. 100x this. It's the easiest way to block a brute force attack.
        • by Jason Levine (196982) on Monday April 15, 2013 @08:57AM (#43451185)

          Apocalypse Meow: http://wordpress.org/extend/plugins/Apocalypse-Meow

          It will not only lock users out if they fail to log in a certain number of times (defined by you but default is 5), but it can remove the meta data that tells people which version of Wordpress you're running (nothing like saying "Hey, hackers, attack me in this manner"), can rename the "admin" account easily, prevent direct PHP script execution of plugins (which might break some plugins so use with caution) and even keeps a log of failed login attempts. I've had it running for a few months on a couple of my sites and noted over 7,000 login attempts. I noted a few of the worst offenders (one tried 135 times in about 2 months' time) and IP banned them. (NOTE: This isn't a function of Apocalypse Meow. I simply ran a mySQL query on the database table it uses for its log and then added entries to the site's CPanel to ban the IP addresses.) Definitely recommend this plugin for any WordPress users.

      • by locater16 (2326718) on Friday April 12, 2013 @09:50PM (#43437849)
        Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters, numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password than "Correct Horse Staple Battery" which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.
        • by rtb61 (674572) on Friday April 12, 2013 @10:33PM (#43438061) Homepage

          Dictionary attack fails due to time constraints as the complexity is just as great for completely mixed characters as for a pass phrase as you must guess all the words simultaneously rather than solve one word at a time. Pass phrase is quite simply the best realistic solution as it provides plenty of characters while being easy to remember and from the outside it is still unknown whether you are using any other characters in the pass word hence they still must be checked and PS spaces are never used in pass phrases, why bother.

        • by Spiridios (2406474) on Saturday April 13, 2013 @02:04PM (#43441391) Journal

          Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters, numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password than "Correct Horse Staple Battery" which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.

          I think you misunderstand. A brute-force attack on a password is "just" a dictionary attack using letters and symbols as your dictionary instead of English words. There's realistically 26 lower case letters, 26 upper case letters, 10 digits, around 32 symbols, and space (just looking at my keyboard), giving us a set of about 95 to compose our passwords from. According to Oxford Dictionaries [oxforddictionaries.com] there's around 171,476 words in current usage. Even if you constrain to what the average person knows, you've got anywhere from 12,000 to 60,000 words depending on who you trust for those kinds of statistics. Want to include your below average person? If XKCD [xkcd.com] is to be judged, you can still communicate somewhat by limiting yourself to the 1000 most used words. That ignores capitalization variations, so it assumes the attacker knows you only capitalize the first word of the sentence (or whatever your personal rule is). That actually puts a six word passphrase using a vocabulary of 1000 words as harder to brute force than an eight character password.

          Passphrases of equivalent length are easier to remember because we're trained to think in sentences, not letters. You can also use visualization techniques, as XKCD suggests, because we associate images with many words, not so much with letters. The biggest problem with passphrases are sites that put an upper limit on passwords, so we're forced to come up with pass phrases that operate as mnemonics for passwords, but then that limits our pool of characters in our password (unless you know a word that begins with the letter %).

      • by Anonymous Coward on Friday April 12, 2013 @10:37PM (#43438083)

        Can anyone suggest the best plugin for WP security? My site was affected: itstarz [itstarz.com]

      • by radio4fan (304271) on Saturday April 13, 2013 @05:20AM (#43439371)

        Good advice.

        But really, there just shouldn't be a default username: you should have to enter your own. This has been standard practice for decades.

        Though I have to concede it works pretty well, WP is truly awful: a tiny bit object-oriented here, a bit finite state machine there; no coherent design at all.

        It's kind-of the PHP of PHP software: Crufty, inelegant, painful to develop with, yet also ubiquitous and loved by clients, who ask for it by name.

        WordPress needs a 100% rewrite by someone who has read a book or two on programming.

    • by Anonymous Coward on Friday April 12, 2013 @05:02PM (#43435797)

      As a host, you simply cannot vet everything an unmanaged customer uploads to their account or dedicated server. With Wordpress' security history though, you'd think that some relevant security features would have been rolled into every release by now.

  • by bmimatt (1021295) on Friday April 12, 2013 @04:39PM (#43435561)
    I see automated attacks on wordpress sites in the logs all the time.  Same with phpmyadmin and other popular FOSS software.  What else is new?
    • by Anonymous Coward on Friday April 12, 2013 @04:56PM (#43435741)

      What's new is the gigantic scale of it, nothing more. It appears to be one humongous distributed brute-force attack with the power to quite easily take down a server. This is not your average Wordpress brute-force attack.

    • by Anonymous Coward on Friday April 12, 2013 @04:57PM (#43435743)

      What is new is that these attempts are coming from so many IP's simultaneously that it's crashing servers.

    • by Anonymous Coward on Friday April 12, 2013 @06:43PM (#43436623)

      Finally another educated admin out there. Working for one of the top 5 web hosts in the company I saw at least 10-20 compromised sites a day. All of which were WordPress, Joomla, Drupal and all of the other FOSS apps that mom and pops try to run without knowing how.

      CVE reports almost 150 active exploits for wordpress.

      http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

      This happens way too frequently for this to be considered actual news.

      • by Anonymous Coward on Friday April 12, 2013 @07:14PM (#43436827)

        When you have 11,000 IP's hitting the same wp-login.php at once, it's not your normal every day BS. I also work for a major web host. This is the most intense webapp brute force I've seen in 3-4 years. They're not trying to exploit any CVE's, just log in with 'admin' and common passwords.
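What the pattern described in this sub-thread looks like in an access log, as an added example that is not part of any comment here: a Python pass over Apache combined-format lines that flags both a single noisy source and many quiet sources hitting wp-login.php in the same minute. The function names, thresholds and sample traffic (documentation IP ranges) are constructed for illustration, and the 200-means-failed-login rule is an assumption about a stock WordPress install.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, parsed up to the status code.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def failed_logins(lines):
    """Yield (ip, timestamp) for each POST to wp-login.php answered with 200.

    Assumption: stock WordPress re-renders the login form (200) on a wrong
    password and redirects (302) on success, so 200 on POST means failure.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def detect(lines, per_ip_limit=10, site_limit=50, min_sources=20):
    """Return findings as (minute, kind, subject, failed_attempts) tuples.

    "single-source": one IP reached per_ip_limit failures in a minute.
    "distributed":   the remaining IPs, each under the per-IP limit, together
                     reached site_limit failures from at least min_sources hosts.
    """
    per_minute = defaultdict(lambda: defaultdict(int))  # minute -> ip -> count
    for ip, ts in failed_logins(lines):
        per_minute[ts.replace(second=0)][ip] += 1

    findings = []
    for minute in sorted(per_minute):
        counts = per_minute[minute]
        noisy = sorted(ip for ip, n in counts.items() if n >= per_ip_limit)
        for ip in noisy:
            findings.append((minute, "single-source", ip, counts[ip]))
        quiet_total = sum(n for ip, n in counts.items() if ip not in noisy)
        quiet_sources = len(counts) - len(noisy)
        if quiet_total >= site_limit and quiet_sources >= min_sources:
            findings.append(
                (minute, "distributed", f"{quiet_sources} sources", quiet_total)
            )
    return findings


def build_sample():
    """Constructed log lines: one noisy host, 40 quiet bots, one real admin."""
    fmt = ('{ip} - - [12/Apr/2013:19:{mm:02d}:{ss:02d} +0000] '
           '"{req} HTTP/1.1" {st} 3512 "-" "Mozilla/5.0"')
    lines = []
    # 19:10 - a single host sends 30 guesses; a per-IP limit sees this.
    for s in range(30):
        lines.append(fmt.format(ip="203.0.113.9", mm=10, ss=s,
                                req="POST /wp-login.php", st=200))
    # 19:11 - 40 hosts send 2 guesses each; no host exceeds a per-IP limit.
    for host in range(1, 41):
        for s in (host % 30, host % 30 + 30):
            lines.append(fmt.format(ip=f"198.51.100.{host}", mm=11, ss=s,
                                    req="POST /wp-login.php", st=200))
    # 19:12 - the real admin loads the form, mistypes once, then logs in.
    for s, req, st in ((1, "GET /wp-login.php", 200),
                       (9, "POST /wp-login.php", 200),
                       (20, "POST /wp-login.php", 302)):
        lines.append(fmt.format(ip="192.0.2.44", mm=12, ss=s, req=req, st=st))
    return lines


if __name__ == "__main__":
    for minute, kind, subject, attempts in detect(build_sample()):
        print(minute.strftime("%H:%M"), kind, subject, attempts)
```

The second finding is the one a per-IP counter never raises: every source in that minute stays at two attempts, and only the site-wide count and the number of distinct sources give it away.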

  • by interkin3tic (1469267) on Friday April 12, 2013 @04:42PM (#43435589)

    advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

    Not being familiar with wordpress, I'll ask why isn't that on by default?

  • by dragon-file (2241656) on Friday April 12, 2013 @04:56PM (#43435733)
    that the administrative account uses 'administrator' not 'admin'. They'll be attempting that brute force for quite a while.
  • by Anonymous Coward on Friday April 12, 2013 @05:21PM (#43435963)

    I've been seeing these for the past few days across a wide variety of customer servers, sometimes with enough traffic to push the box into swap death. All I've found online are people warning of it and how to defend against it, but has anyone done any forensics on a compromised install? If so, can you share what to look for?

  • by Anonymous Coward on Friday April 12, 2013 @05:23PM (#43435975)

    If I'm an internet service provider and I have a client who is sending request after request, at an inhumane rate, do I then have the right to put their service on hold for the sake of the guy at the other end of the line?

    I'm looking for where the ISPs stand in these situations.

  • by quixote9 (999874) on Friday April 12, 2013 @05:58PM (#43436271) Homepage
    I've used Wordpress since forever (2006?), and I seem to remember that at least back in the bad old days the admin username had to be "admin." Nothing else. There are probably millions of people who set their blogs up back then and haven't looked at that setting since.

    I wonder what they're doing this for? What does blowing up a planet's worth of little blogs get anyone? Does anyone know what this thing actually does?
    • by quixote9 (999874) on Friday April 12, 2013 @06:03PM (#43436313) Homepage
      Gaaa. That subject line should read "username," not password.
    • I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs. The attacks have to be a smoke screen for *something else*, whatever that something else is. Maybe this is yet another Chinese attack. Maybe it's anonymous (I'll wait while you finish laughing...and yeah, it's not anonymous, they couldn't pull off anything close to this order of magnitude and coordination level), or maybe it's th3j35t3r's evil twin. But it'll be something nasty if/when it ever comes to light.
      • by Anonymous Coward on Friday April 12, 2013 @07:45PM (#43437019)

        If I wanted to be a leet haxor...
        If I was in it for the lulz...
        If I had a grudge...
        If I owned a major news portal...
        If I had facebook stock...

        Hard to say. This seems high on the bumble-o-meter, like someone didn't care or didn't think it would get noticed.

      • by betterprimate (2679747) on Sunday April 14, 2013 @02:13AM (#43444665)

        I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs.

        What I think you are referring to is the unique authentication keys and salts. I have had to (reluctantly) fix a client's hacked site because they had set it up without them.

        If there's any newbies here, make sure you replace (WP provides a random generator) the definitions below in wp-config.php:

        /**#@+
         * Authentication Unique Keys and Salts.
         *
         * Change these to different unique phrases!
         * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
         * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
         *
         * @since 2.6.0
         */
        define('AUTH_KEY', 'put your unique phrase here');
        define('SECURE_AUTH_KEY', 'put your unique phrase here');
        define('LOGGED_IN_KEY', 'put your unique phrase here');
        define('NONCE_KEY', 'put your unique phrase here');
        define('AUTH_SALT', 'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT', 'put your unique phrase here');
        define('NONCE_SALT', 'put your unique phrase here');

        • Not exactly what I was meaning...but definitely important.

          What I was actually meaning was that the important thing to take out of this is that the wordpress attacks are a smoke screen, a stepping stone, one gear in a machine rolling towards some unknown destination. Whoever is behind this has a plan beyond hacking blogs. The power available to them with this number of compromised machines is vast. Whatever their target is, it's going to get hit really hard.

          I'd be interested in seeing someone do a code analysis on this. The actual software that is loaded into a compromised machine, what is it capable of? Can it update itself? Is it static, with only certain functionality built in? Is there a command and control server? Can it be counter-hacked to reveal the attacker? What is the architecture of the compromised machines' interactions with each other?

    • by Anonymous Coward on Friday April 12, 2013 @06:38PM (#43436579)

      It's Kim's little joke on all the bloggers making fun of him. :)

    • by thegarbz (1787294) on Friday April 12, 2013 @07:08PM (#43436801)

      A cleaner internet?

    • by Anonymous Coward on Friday April 12, 2013 @07:10PM (#43436807)

      They do it for great justice! :D

      A bit more seriously:
      1. Create data-mining caching anti-DDOS company.
      2. DDOS away!
      3. Provide temporary free services publicly
      4. End attacks.
      5. End temporary free service.
      6. Gain new customers
      7. Profit!

    • by Josh Hackney (2895507) on Friday April 12, 2013 @08:02PM (#43437187)
      They're doing it because webservers come with a 15K SAS drive and a 10Gbit ethernet port to send spam out of and launch more attacks. Would you rather have some dude's home computer or a web server in a state of the art datacenter? Point being, setting your logins to common settings has always been a horrible idea just the same way you wouldn't want the lock to your house to open with a key you can buy from Home Depot (read, admin//password as your login).
    • by Call A Developer (2895483) on Friday April 12, 2013 @08:07PM (#43437237)
      They are building a botnet of powerful webservers. We are already seeing them move on from Wordpress blogs, the attacks are not over. The current payloads are primarily spam and attacking other sites (using PHP and Perl scripts injected or uploaded to Wordpress sites), but the main point is to infect as many computers and servers as possible to gain more computing power. Now is a good time to secure your Joomla, Drupal, ZenCart, X-Cart, and even HTML (!) sites. It appears the attackers are now experimenting with various SSL attacks, pulling various configuration files, and trying to get into databases, primarily on shopping carts. This may just be another distraction though, which is a common tactic in the world of hackers. If the distraction is big enough it will always draw attention away from what you are really doing...
  • by Anonymous Coward on Friday April 12, 2013 @06:07PM (#43436347)

    There's a plugin I use on my sites that utilized the tarpit concept. The more attempts that are made to brute force an id from a given IP, the slower the response time becomes. It's called Login Security Solution.
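The tarpit idea from the comment above and the temporary lockout suggested earlier in the thread, as an added example (not code from any plugin named on this page): a simulated-clock comparison of the same exponential back-off keyed by source IP versus keyed by the targeted username, under an attack where many hosts all guess at "admin". The class, the function names and the parameters (3 free failures, delay doubling from 1 second, 500 hosts, 10 minutes) are assumptions chosen for illustration.

```python
class Throttle:
    """Exponential back-off per key (hypothetical helper, simulated clock)."""

    def __init__(self, free=3, base=1.0, cap=3600.0):
        self.free = free          # failures tolerated before any delay
        self.base = base          # first delay, in seconds
        self.cap = cap            # longest delay ever imposed
        self.failures = {}        # key -> failures recorded so far
        self.blocked_until = {}   # key -> time the next attempt is accepted

    def allowed(self, key, now):
        return now >= self.blocked_until.get(key, 0.0)

    def record_failure(self, key, now):
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        if n > self.free:
            # 1 s, 2 s, 4 s, ... after the free attempts are used up.
            delay = min(self.cap, self.base * 2 ** (n - self.free - 1))
            self.blocked_until[key] = now + delay

    def record_success(self, key):
        # A correct login clears the history for that key.
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)


def by_ip(ip, user):
    """Tarpit keyed on where the request comes from."""
    return ip


def by_user(ip, user):
    """Back-off keyed on the account being guessed at."""
    return user


def guesses_checked(key_fn, sources, seconds):
    """Count wrong guesses that reach the password check for 'admin'.

    Every second, each of `sources` hosts submits one guess. A guess only
    counts if the throttle lets it through to the password comparison.
    """
    throttle = Throttle()
    checked = 0
    for now in range(seconds):
        for src in range(sources):
            key = key_fn(f"ip-{src}", "admin")
            if throttle.allowed(key, now):
                checked += 1
                throttle.record_failure(key, now)
    return checked


if __name__ == "__main__":
    hosts, duration = 500, 600
    print("guesses sent:            ", hosts * duration)
    print("checked, keyed by IP:    ", guesses_checked(by_ip, hosts, duration))
    print("checked, keyed by user:  ", guesses_checked(by_user, hosts, duration))
```

Keyed by IP, every host gets its own allowance, so the number of guesses that reach the password check grows with the size of the botnet; keyed by username it stays the same however many hosts take part. The cost of the per-username key is that the attack keeps the real owner of that account throttled as well.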

  • by Call A Developer (2895483) on Friday April 12, 2013 @06:08PM (#43436363)
    I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html [blogspot.com] This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.
    • by rduke15 (721841) <rduke15.gmail@com> on Friday April 12, 2013 @07:19PM (#43436867)

      The useful part of that blog post seems to be:

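      RewriteEngine on
      # Only POST requests are checked
      RewriteCond %{REQUEST_METHOD} =POST
      # ...whose Referer is not this site (replace example.com with your domain)
      RewriteCond %{HTTP_REFERER} !^http://(.*\.)?example\.com [NC]
      # ...and that target the login script or the admin directory
      RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^/wp-admin$
      # Answer 403 Forbidden
      RewriteRule ^(.*)$ - [R=403,L]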

      (The logic makes sense. I haven't tested the syntax yet)

      It also suggests an insane 30-character password abomination:

      for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e=3, and o->0 (zero)

      I prefer "wrong chicken battery staple [xkcd.com]", which is probably not in attacker's dictionary.

      • by Call A Developer (2895483) on Friday April 12, 2013 @07:52PM (#43437107)
        You mean "correct horse battery staple" and unfortunately that is terrible advice - any password under 50 characters made of only lowercase letters will be broken by the most basic brute force. And their dictionary is impressive, we've been pulling the POSTDATA and checking what they are doing. The rotation of usernames in itself is scary - even non "admin" users are not protected. This is why I suggest a 30 character password and in fact you should be using a similar method to generate your admin username. Even that can be cracked with a botnet of sufficient size, which is exactly what they are trying to build. They have a LOT of CPU power at their disposal between the infected PCs and the infected servers (which often have 32+ cores and 100GB+ of memory to play with).
        • by Anonymous Coward on Friday April 12, 2013 @09:28PM (#43437731)
          26^50 / 2 = 2.8e+70. At 1000 attempts per second, it would take an average of 9x10^59 YEARS to brute force a 50 character string of lowercase letters. Something's off in your alarmist argument, and it's possibly your definition of either "most basic", "brute force", or "50". You do this is web-based, right?
        • any password under 50 characters made of only lowercase letters will be broken by the most basic brute force.

          The fact that the password is only lowercase letters is immaterial for a brute force attack. Unless the attacker already knows that the password is only lowercase letters, they will try guesses with numerals and symbols. It is very hard to imagine a brute force attack that would try every combination of lowercase letters up to 50 characters without trying anything with uppercase, numerals, or symbols, but even if they do it isn't a reason to worry.

          If they did try to brute force just lowercase, there are 5.6e70 combinations of EXACTLY 50 lowercase letters (this is not counting shorter passwords which adds to the total). Even if the botnet could send a trillion guesses per second, it would take over 1.7e51 years to exhaustively search the space of 50 character lowercase passwords. If they can send a trillion trillion guesses per second, it would still take 1.7e40 YEARS to exhaustively search. This is all assuming they are trying only lowercase letters to start.

          I find it hard to believe they have a botnet capable of a trillion trillion guesses per second, and even harder to believe that the average WordPress site could handle that many requests without cratering or causing the hosting company to shut it down.

          They may get some sites with very weak admin passwords (think 'password' and '123456'), but you are spreading FUD about how vulnerable long passwords are.

        • You mean "correct horse battery staple"

          .

          No, I meant another animal, just in case the person who did the dictionary is an xkcd fan, and put that in for fun.

          But for the number of characters, I think you may have to revisit your math, as others have already pointed out. And this is an online attack, which severely limits the speed anyway (not the speed of trying, but the speed of getting a reply from the server).

  • Wordpress allows for a space in the username which is nice and seems more unlikely to be guessed :)
  • by t4ng* (1092951) on Friday April 12, 2013 @06:16PM (#43436433)
    I've found the "Better WP Security" plugin to be pretty good at stopping all of this. You can set login limits, 404 limits, etc., and have it automatically deny offenders' IP addresses from accessing your site by modifying the site's root .htaccess file.  But even it doesn't cover everything.

    Many WP attackers probe for themes and plugins with known weaknesses, or exploit the upload system to upload executables.  But what most people don't know (including most WP developers I've worked with) is that there is no reason for PHP files to be directly accessible anywhere in the /wp-content/ directory (which includes uploads, themes, and plugins).  Simply adding a .htaccess file to the /wp-content directory with something like the following in it will protect against poorly written themes, plug-ins, and most not-yet-known exploits of WordPress.

    # Add allowable extensions as needed
    Order Deny,Allow
    Deny from all
    <FilesMatch "\.(jpe?g|gif|png|mp3|mpe?g|flv|swf|js|css|pdf|xml|html|gz)$">
        Allow from all
    </FilesMatch>

    If that breaks a plugin or theme you use, then it's not written very well and you shouldn't risk using it.  Contact the developer and tell them they should not need direct access to executables in /wp-content
  • by edxwelch (600979) on Friday April 12, 2013 @06:33PM (#43436537)

    The root cause of this attack is that Wordpress allows unlimited login attempts for the admin account. I know there is some plugin that can fix it, but it should be built into the core.

  • And the blog I run is for my church. He said he did not know how this happened. Someone hacked a blog running an unpatched Drupal blog. This is what he said, anyway. Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog, (user accounts were created that I did not create!) I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway.... B-) I support your right to be a godless nerd.
  • by trawg (308495) on Friday April 12, 2013 @08:20PM (#43437333) Homepage

    I ended up making some tiny changes to my WP install that basically causes requests to /wp-admin to die immediately, unless you're accessing it via a specific HTTP port that I've opened in Apache specifically for this purpose.

    I've got disk permissions set up so that the regular Apache user cannot write at all to the disk - a common source of WP problems seems to be exploits writing new files to disk, so stopping that seemed like a good idea. Unfortunately it also bones a lot of WP functionality like being able to automatically install skins/plugins.

    Using some Apache module (can't remember which one) I've set it up so that requests made to /wp-admin under the correct Apache port operate under a different user - one that /does/ have write access to the disk. So it means I can do any administrative stuff and take advantage of the full WP functionality without having to leave write access in there for normal use.

    Conceptually this seems like a much more default setup for WP - certainly I haven't had any security problems. As a side benefit it means I don't need to worry about random attacks like this.

    There's a few minor problems I haven't resolved (most notably when adding new posts, the URL it stores for them includes the administrative port in them and publicly displays them in things like the RSS feed :) but I'm hoping to find time one day to resolve those.

  • by Anonymous Coward on Friday April 12, 2013 @09:15PM (#43437661)

    duh....

    NEVER EVER use the default administrator login name for a public-facing site management interface.

    and if you can, at least lock down the admin interface login URL with an extra layer, even basic http auth or some htaccess deny/allow rules will help immensely.

    • by betterprimate (2679747) on Sunday April 14, 2013 @02:22AM (#43444679)

      Someone more informed can correct me, but that to me sounds like you having said to never use root. To not use admin as a general rule sounds like cutting off the nose to spite the face. Not to mention that it's impractical.

      If you have to come to the decision in excluding admin, then you probably have more issues and security policies that you need to focus on.

  • by Anonymous Coward on Friday April 12, 2013 @11:22PM (#43438263)

    I just enabled conn limit on the (CSF) firewall on the web server then limit port 80 to 30 connections per IP.. any more than 30 connections from an IP and it gets temp ban for an hour. Since they are hitting the server with so many connections it's an instant ban for the abusers. Solved the whole problem for me..

  • by Zurd3 (574979) on Saturday April 13, 2013 @12:11PM (#43440715)
    all articles either are not saying what is the purpose or just talking about creating a zombienet for future use, but one wordpress I know of got hacked just 2 weeks ago by brute-forcing his way in, then someone was able to install a plugin called "boss" which was the r57shell and with this script, was able to put new files in the blog which was serving 7727 websites with a virus when someone visited their site and didn't have Flash. The virus in question was the trojan Meredrop, so the wordpress got hacked and was already being used for spreading a trojan. It's high time that WordPress install by default Login Lockdown or Limit Login or some plugins like that, can't believe they don't put it by default.
  • by critter42b (657340) on Sunday April 14, 2013 @10:11AM (#43445777)
    " CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services." - and there's the meat of this whole post. Like the "Unprecedented DNS attacks" from a couple of weeks ago, if you follow the trail of this article it is nothing but a press release from CloudFlare designed to whip everyone into a frenzy and buy their product to protect them. - 90,000 hosts? Haven't we seen attacks with half a million or more hosts?
