Pwnd Aethra Routers Used To Brute-Force WordPress Sites (voidsec.com)
An anonymous reader writes: Security researchers found around 8,000 Aethra routers (with no admin passwords) as part of a botnet that attacked WordPress sites, trying to brute-force admin accounts. Most routers were deployed in enterprise networks in Italy. Each device could have been used to launch DDoS attacks with a capability between 1 and 10 Gbps, based on the company's bandwidth.
Things could be worse, though: Additional investigation also revealed that some of the routers were also susceptible to various reflected XSS and CSRF attacks that would also allow attackers to take control of the device, even if using different login credentials.
Using Shodan, a search engine for locating Internet-connected devices, researchers found over 12,000 Aethra routers around the world, 10,866 in Italy alone, and over 8,000 of these devices were of the model detected in the initial brute-force attack (Aethra Telecommunications PBX series). At that time, 70% of these Aethra routers were still using their default login credentials.
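An added example, not taken from the article or the researchers: one way a site operator can spot login brute-forcing that arrives from many addresses at once, as a router botnet's would, since a per-IP limit alone can miss it. The log lines are constructed, and the thresholds, function names and the 200/302 status convention are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Yield (epoch_seconds, ip) for each failed wp-login.php POST."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        # Assumption: stock WordPress re-renders the form with 200 on a failed
        # login and redirects with 302 on success; plugins can change this.
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield int(when.timestamp()), ip

def distributed_bursts(lines, window_s=300, min_attempts=6, min_sources=4):
    """Return [(window_start_utc, attempts, distinct_ips)] for suspicious windows."""
    buckets = defaultdict(list)
    for epoch, ip in failed_logins(lines):
        buckets[epoch - epoch % window_s].append(ip)
    hits = []
    for start, ips in sorted(buckets.items()):
        if len(ips) >= min_attempts and len(set(ips)) >= min_sources:
            hits.append((datetime.fromtimestamp(start, tz=timezone.utc), len(ips), len(set(ips))))
    return hits

# Constructed sample log (documentation address ranges, made-up timestamps).
TAIL = '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"'
SAMPLE = [f'203.0.113.{i} - - [10/Dec/2015:03:1{i % 5}:0{i} +0000] {TAIL}' for i in range(1, 8)]
# One address hammering alone: a per-IP limit catches this, the rule above ignores it.
SAMPLE += [f'198.51.100.9 - - [10/Dec/2015:04:00:0{i} +0000] {TAIL}' for i in range(8)]
SAMPLE += [
    '192.0.2.5 - - [10/Dec/2015:03:12:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3050 "-" "-"',
    '192.0.2.5 - - [10/Dec/2015:03:12:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for start, attempts, sources in distributed_bursts(SAMPLE):
        print(f"{start:%Y-%m-%d %H:%M}Z  {attempts} failed logins from {sources} addresses")
```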
Wordpress needs brute forcing? (Score:2)
Wake me up... (Score:1)
zZZzzz....
What? Please wake me up when something really new happens.
zzZZZZzzzz....
Re: (Score:2)
Same old, same old. I have come to adapt to this. Here is an interesting link tending to show that people make the same mistakes over and over again without relevance to the era:
http://www.tamingdata.com/2010... [tamingdata.com]
I have gotten to a point where I don't react to such events that much...
I get more concerned with stuff like Heartbleed or Shellshock and other security updates.
I run my own Linux router at home and in the data center. I would never use the ones provided by the provider.
Re: (Score:1)
My ISP has been trying to get me to use their provided equipment for years now. I have three separate lines (long story, don't ask) and they send out three new router/modem combinations at least once a year. Last year I got six for some reason. They've called and told me I must. They've emailed me. I just tell them that I'd rather not and thank them for offering. I have a small stack of unopened ISP routers (from Fairpoint) at the house. They're certainly wasting money as they've never once asked for any of
Re: (Score:1)
You missed last night. I don't normally drink but I had a couple with the kids and g/f. Fortunately, not too many and I didn't go off the rails ranting about something different. I'm kinda tired tonight so you'll have to find a new bedtime story.
I recommend some awful (so bad it's good) science fiction.
http://www.baenebooks.com/10.1... [baenebooks.com]
Breaking News... (Score:1)
Protecting WordPress, Basics (Score:3)
- 'Rename Login' Plugins - there are various. Use them.
- Use random character strings for usernames, especially admin users. Rename the nicename and the displayname to the role using a db tool.
- Use a db prefix other than wp_; I use random strings.
Do all this upon or directly after the WP installation. This very basic security stuff deters attacks like the one mentioned in TFA and mitigates most of its effects.
Re: (Score:1)
Thanks. I'll post this as AC though I doubt I'll have time to fill up my allotted 50 posts today. I'm actually considering a WP install (I've not done one in years) and will keep those in mind. There are a few security plug-ins as well, some paid and some free. I'll probably do some research but I'll keep those things in mind and make sure I figure out how to do them.
That post, the one right above mine, is one of the reasons I come to Slashdot. I've said it before, I'll say it again. Some of you are really smar
Re: Protecting WordPress, Basics (Score:2)
Language?
100 million installs, 8000 successful hacks with the method mentioned in TFA - I'd say that's a pretty good security record. Even if WP is a mess - it's a mess that works.
Yup. (Score:1)
You should have renamed Admin when you created the site. You should never have a test ID. And you should have https://wordpress.org/plugins/... [wordpress.org] to spam you in times like these...
"Pwnd"? (Score:2)
Re: (Score:2)
So how many routers were actually infected ? (Score:1)
Aethra? WTF!?!?! (Score:2)
It's like a tube. A tube full of piss.