A botnet of over 20,000 WordPress sites is attacking other WordPress sites

Botnet is still up and running but law enforcement has been notified.
Written by Catalin Cimpanu, Contributor

Crooks controlling a network of over 20,000 already-infected WordPress installations are using these sites to launch attacks on other WordPress sites, ZDNet has learned from WordPress security firm Defiant.

The company, which manages and publishes the Wordfence plugin, a firewall system for WordPress sites, says it detected over five million login attempts in the last month from already-infected sites against other, clean WordPress portals.

The attacks are what security experts call "dictionary attacks." These are repeated login attempts during which hackers test a series of username and password combinations, hoping to score a hit and gain access to an account.

Defiant security researcher Mikey Veenstra says the company has managed to gain an insight into how this botnet operates. In a report published a few minutes ago and shared with ZDNet, the researcher said Defiant investigators discovered that at the top of this botnet stands hydra-like head of four command and control servers that instruct already-infected sites on which other sites to attack.

Image: Defiant

These servers send attack instructions through a network of over 14,000 proxy servers rented from the best-proxies[.]ru service, which then relay this information to malicious scripts placed on already-infected WordPress sites.

These scripts read a list of targets they receive from the command and control server, assemble a list of passwords based on a predefined list of password patterns and then try to use the newly generated password to log into another site's admin account.

"If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on," Veenstra explained the attack mechanism in his report. "While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets."

Under normal circumstances, because the attackers used a network of proxies to hide the location of their command and control servers, researchers wouldn't be able to track this entire botnet's activity.

Fortunately, Defiant says that the people behind this botnet made "some mistakes in their implementation of the brute force scripts" that allowed researchers to expose the botnet's entire backend infrastructure.

Furthermore, the mistakes didn't stop at the brute force scripts. Defiant says the botnet operators also made mistakes in implementing the authentication systems for their botnet's administration panel. Defiant researchers say they were able to bypass the botnet control panel login system and take a peek inside the crooks' operation.

Image: Defiant

The company says it already shared the information it gathered from the botnet with law enforcement. Sadly, the botnet's four command-and-control servers couldn't be taken down, as they are hosted on the infrastructure of HostSailor, a company characterized a while back as a bulletproof hosting provider that doesn't honor takedown requests. This means the botnet is still alive and kicking, continuing to attack more WordPress sites.

What to do?

Because the botnet's automated login attempts aren't directed at the WordPress login panel, but instead at the WordPress XML-RPC authentication mechanism, changing a site's admin panel URL won't help.

Instead, Defiant recommends that WordPress site owners use a WordPress security plugin that can block brute-force or dictionary attacks carried out against the XML-RPC service.

Fortunately, attacks on the XML-RPC authentication systems have been going on for a few years now, and any decent WordPress firewall should be able to block these attacks.

WordPress 5.0 is out. Here's a tour of the new features!

More security news:

Editorial standards