Massive Number of Websites in Botnet


Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack

For the past couple of days we’ve been watching a customer’s WordPress site being attacked by a botnet of websites trying to access the site admin with the user name “admin” and a variety of simple passwords.

Most of these attacks are coming from USA based web hosting services. One particular top level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many 2nd tier providers use Provo Unified Layer infrastructure including Bluehost and Hostmonster. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).

Other hosts and regions are also included in the website botnet

Hacked sites participating in this botnet are not only USA sites. We’ve seen sources from servers located in the United Kingdom, Germany, Japan, Iceland and even South Africa. But so far only a handful. Most of the botnet websites are in the USA.

It’s not only Provo Unified Layer servers either, although, as mentioned, these stand out. You can find a sortable list of IPs and hostnames at the article linked to above, which is updated regularly as new hosts are seen.

Are Unified Layer Servers Especially Vulnerable?

Of course we don’t know if Provo Unified Layer servers are more vulnerable than average. Looking at the data gathered so far one could draw that conclusion, but we must emphasize another fact: there are a lot of shared hosting services using the Provo Unified Layer infrastructure.

Bluehost alone has tens of thousands of websites hosted on a large number of shared hosting web servers. And that’s just one, albeit large, hosting company. This fact alone means there are a lot of vulnerable WordPress sites on these machines. Most shared hosting services don’t prevent users installing WordPress with the admin account (We do!).

Shared hosting doesn’t usually require additional WordPress security, or take preventative measures to secure WordPress installations. That level of service is the realm of Managed WordPress Hosting, like the service Graphicline provides, and costs a bit more than el-cheapo entry-level shared hosting.

Unusual Low Intensity Attacks

Unusual for a botnet attack, the intensity is low: a limited number of login attempts from two or three IPs at a time. Definitely not the more common DDoS type attack where hundreds of requests a minute or second try to overwhelm the server. Each attack is also between 30 and 90 minutes apart.

Why so slow? A good question. Possibly the hacker is restricting activity to avoid the hosts detecting a bot running from a hosted site. Maybe the hacker is waiting to build up to a number of hacked sites before unleashing the full destructive potential of the botnet.
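As an added example, not from the original post, the following Python script shows why the low-intensity pattern described above slips past simple per-IP lockout rules: it parses constructed Apache-style access log lines (documentation-range IPs, no real hosts) and looks at the aggregate instead, counting distinct source IPs that POST to wp-login.php and measuring the spacing between bursts.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, not real hosts). It imitates
# the post's pattern: 2-3 IPs per burst, a couple of POSTs to wp-login.php each,
# bursts over an hour apart, with one ordinary page view mixed in as noise.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Nov/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2013:10:02:30 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Nov/2013:11:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2013:11:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def login_posts(log_text):
    """Return (timestamp, ip) for every POST to wp-login.php, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].split('?')[0] == '/wp-login.php':
            hits.append((datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['ip']))
    return hits

def bursts(hits, gap=timedelta(minutes=30)):
    """Group attempts into bursts separated by at least `gap` of silence."""
    groups = []
    for ts, ip in sorted(hits):
        if groups and ts - groups[-1][-1][0] < gap:
            groups[-1].append((ts, ip))
        else:
            groups.append([(ts, ip)])
    return groups

def assess(log_text, min_ips=3, max_per_ip=5):
    """Aggregate view: many source IPs, each staying under a per-IP ban
    threshold, all hitting the same login endpoint. A per-IP counter alone
    never fires here; the signal is the number of IPs and the regular spacing."""
    hits = login_posts(log_text)
    per_ip = Counter(ip for _, ip in hits)
    groups = bursts(hits)
    gaps = [groups[i][0][0] - groups[i - 1][-1][0] for i in range(1, len(groups))]
    return {
        'attempts': len(hits),
        'distinct_ips': len(per_ip),
        'max_per_ip': max(per_ip.values(), default=0),
        'bursts': len(groups),
        'min_burst_gap_minutes': min((g.total_seconds() / 60 for g in gaps), default=None),
        'distributed_low_rate': len(per_ip) >= min_ips and max(per_ip.values(), default=0) <= max_per_ip,
    }
```

Feed it a real access log and the `distributed_low_rate` flag plus the burst spacing give a much better trigger for this kind of campaign than a threshold on any single IP.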

Hacked Websites or Hacked Servers

Has this botnet hacked one or more websites hosted on these servers, or have the servers themselves been hacked? We cannot tell from the information available. From the limited data available we can guess the most likely situation is hacked websites.

At first we assumed that, as the targets were WordPress sites, the hacked sites were also running WordPress. Since then more information has become available, and we’ve found sites using other CMSs, including Joomla and Microsoft FrontPage, where the server is being exploited by the botnet.

Don’t be a WordPress Idiot

If your WordPress site gets hacked by a simple admin user name attack, you only have yourself to blame. Only idiots still insist on leaving the default admin account as a user account. There are enough warnings all over the web about this security hole. Come on WordPress users – no WordPress site should ever have a user account “admin”; it’s not new news…

Blame WordPress for Vulnerability

It’s about time WordPress stopped setting up a default account called admin! All the effort put into lower-risk security fixes like the latest ‘automatic updates’ is wasted while the most commonly exploited vulnerability remains in core: the default admin account.

This weakness is the one that should have been removed ages ago. Other things like automatic updates should be a plugin – it could even be one of the default plugins delivered with WordPress, instead of Matt’s useless ‘Hello Dolly’ nonsense.

Mike Otgaar

About Mike

Web Developer and Techno-geek Saltwater fishing nut Blogger

Posted on November 3, 2013, in Malware, Websites. 1 Comment.
