Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack
For the past couple of days we’ve been watching a customer’s WordPress site being attacked by a botnet of websites trying to access the site admin with the user name “admin” and a variety of simple passwords.
Most of these attacks are coming from USA based web hosting services. One particular top level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many 2nd tier providers use Provo Unified Layer infrastructure including Bluehost and Hostmonster. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).
Other hosts and regions are also included in the website botnet
Hacked sites participating in this botnet are not only USA sites. We’ve seen sources from servers located in the United Kingdom, Germany, Japan, Iceland and even South Africa. But so far only a handful. Most of the botnet websites are in the USA.
It’s not only Provo Unified Layer servers either, although, as mentioned, these stand out. You can find a sortable list of IPs and hostnames at the article linked to above, which is updated regularly as new hosts are seen.
Are Unified Layer Servers Especially Vulnerable?
Of course we don’t know if Provo Unified Layer servers are more vulnerable than average. Looking at the data gathered so far one could draw that conclusion, but we must emphasise another fact: there are a lot of shared hosting services using the Provo Unified Layer infrastructure.
Bluehost alone has tens of thousands of websites hosted on a large number of shared hosting web servers. And that’s just one, albeit large, hosting company. This fact alone means there’s a lot of vulnerable WordPress sites on these machines. Most shared hosting services don’t prevent users installing WordPress with the admin account (We do!).
Shared hosting doesn’t usually require additional WordPress security, or take preventative measures to secure WordPress installations. That level of service is the realm of Managed WordPress Hosting, like the service Graphicline provides, and costs a bit more than el-cheapo entry-level shared hosting.
Unusual Low Intensity Attacks
Unusually for a botnet attack, the intensity is low: a limited number of login attempts from two or three IPs at a time. It is definitely not the more common DDoS-type attack, where hundreds of requests a minute or second try to overwhelm the server. Each attack is also between 30 and 90 minutes apart.
Why so slow? A good question. Possibly the hacker is restricting activity to avoid the hosts detecting a bot running from a hosted site. Maybe the hacker is waiting to build up to a number of hacked sites before unleashing the full destructive potential of the botnet.
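The pattern described in this section, a handful of IPs at a time with bursts tens of minutes apart, is exactly what a plain per-IP rate limit misses. The script below is an added example, not part of the original post or of any Graphicline tooling: it parses combined-format access log lines, keeps only POSTs to wp-login.php, groups them into bursts separated by quiet periods, and flags the distributed low-and-slow case when many distinct IPs each stay under the per-IP limit while the bursts are spaced 30 minutes or more apart. The log lines are constructed for the example and use RFC 5737 documentation addresses; the thresholds (10-minute quiet gap, 5 attempts per IP, 30-minute spacing) are assumptions chosen to match the post’s description, not settings from any product.

```python
"""Spot a low-and-slow, distributed brute force against wp-login.php.

Added example (not from the original post). Parses Apache/nginx combined-format
access log lines, keeps POST requests to /wp-login.php, groups them into bursts
separated by quiet gaps, and reports the pattern the post describes: a few IPs
at a time, each under any per-IP rate limit, with bursts tens of minutes apart.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: seven login POSTs from five IPs in three bursts about
# 45 and 64 minutes apart, plus one unrelated GET. No single IP exceeds two
# attempts, so a per-IP limit such as "5 failures in 10 minutes" never fires.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2013:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Nov/2013:10:02:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2013:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.44 - - [03/Nov/2013:10:03:40 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2013:10:47:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.88 - - [03/Nov/2013:10:48:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Nov/2013:11:52:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.200 - - [03/Nov/2013:11:53:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_login_attempts(log_text):
    """Return (timestamp, ip) pairs for every POST to /wp-login.php, oldest first."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((ts, m["ip"]))
    attempts.sort()
    return attempts


def group_bursts(attempts, quiet_gap=timedelta(minutes=10)):
    """Split sorted attempts into bursts; a new burst starts after a gap > quiet_gap."""
    bursts = []
    for ts, ip in attempts:
        if bursts and ts - bursts[-1][-1][0] <= quiet_gap:
            bursts[-1].append((ts, ip))
        else:
            bursts.append([(ts, ip)])
    return bursts


def analyse_log(log_text, per_ip_limit=5, min_burst_spacing=timedelta(minutes=30)):
    """Summarise login POSTs and decide whether they look distributed and low-and-slow.

    Verdict rule (assumed thresholds): at least two bursts, at least three
    distinct source IPs, no IP above per_ip_limit, and every quiet period
    between bursts at least min_burst_spacing long.
    """
    attempts = parse_login_attempts(log_text)
    per_ip = Counter(ip for _, ip in attempts)
    bursts = group_bursts(attempts)
    gaps = [  # quiet time between the end of one burst and the start of the next
        (nxt[0][0] - prev[-1][0]).total_seconds() / 60
        for prev, nxt in zip(bursts, bursts[1:])
    ]
    low_and_slow = (
        len(bursts) >= 2
        and len(per_ip) >= 3
        and max(per_ip.values(), default=0) <= per_ip_limit
        and min(gaps) >= min_burst_spacing.total_seconds() / 60
    )
    return {
        "attempts": len(attempts),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "per_ip": dict(per_ip),
        "bursts": len(bursts),
        "gaps_minutes": [round(g, 1) for g in gaps],
        "low_and_slow": low_and_slow,
    }


if __name__ == "__main__":
    report = analyse_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real access log, the useful output is the per-IP table plus the burst spacing: a verdict of `low_and_slow` with many IPs at one or two attempts each is the cue to block by subnet or hosting provider, or to gate wp-login.php behind HTTP auth, rather than to wait for a per-IP counter that will never trip.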
Hacked Websites or Hacked Servers
Has this botnet hacked one or more websites hosted on these servers, or have the servers themselves been hacked? We cannot tell from the information available. From the limited data we have, our best guess is that the most likely situation is hacked websites.
At first we assumed that, since the targets were WordPress sites, the hacked sites were also running WordPress. Since then more information has become available, and we’ve found sites using other CMS, including Joomla and Microsoft FrontPage, whose servers are being exploited by the botnet.
Don’t be a WordPress Idiot
If your WordPress site gets hacked by a simple admin user name attack, you only have yourself to blame. Only idiots still insist on leaving the default admin account as a user account. There are enough warnings all over the web about this security hole. Come on WordPress users – no WordPress site must ever have a user account “admin”; it’s not new news…
Blame WordPress for Vulnerability
It’s about time WordPress stopped setting a default account called admin! All the effort put into lower risk security closures like the latest ‘automatic updates’ is wasted when the most common exploit vulnerability remains in core – the default admin account.
This weakness is the one that should have been removed ages ago. Other things like automatic updates should be a plugin – it could even be one of the default plugins delivered with WordPress, instead of Matt’s useless ‘Hello Dolly’ nonsense.
- WordPress Security Alert (graphiclineweb.wordpress.com)
- WordPress admin accounts target of botnet attacks (venturebeat.com)
Posted on November 3, 2013, in Malware, Websites and tagged Botnet, Hacker, Hacking, Hosting, malware, Security Alert, Security Risks, Website, WordPress, WordPress Hacks.