Security alert for all WordPress users. New activity by a botnet attacking WordPress Installations.
This botnet is working alongside hacked WordPress sites to attack further WordPress installations. There are already thousands of hacked WordPress sites participating in this attack.
Are You Wishing For Spam Free Secure Hosting
Do you wish you could host your WordPress blog (self-hosted) where spam wasn’t a problem, where hackers couldn’t damage your site, where your host took effective steps to keep spammers and hackers away from your blog?
Are you fed-up with all the spam and hacker attacks from China, the former Soviet states and other notorious regions, the sharply rising level of cyber-attacks from the middle east and northern Africa?
Are all the hacking attacks and login attacks from hacked web sites and bad-host web-servers giving you grey hairs?
Web Server Traffic Should be Banned
Opinions will differ about putting a ban on web server traffic. There are those who want their blogs and websites free from malicious activity, safe and secure for genuine valuable visitors. Then there are those who think there should be no restrictions on web traffic and activity (some even think spam is not bad).
Let’s clarify the web traffic we’re talking about. We’re not talking of banning referer traffic i.e. traffic from good back-links from websites resulting in genuine visitors.
Does the .htaccess File Slow Site Performance
Bloggers often ask the question “does using .htaccess for security or redirection slow down the site”? The answer should perhaps not be a simple yes or no. Some hosts recommend .htaccess should not be too large (not have a lot of rules) as it has a bad impact on performance. Then again some users have very long lists of rules in their .htaccess files and their sites are still fast enough to satisfy visitors and accepted Google page load speeds.
We need to weigh the benefits of using .htaccess for security, redirection and site configuration against any performance penalties (or advantages). Once we understand how .htaccess works on our blogs we can make the decision how we will this extremely useful file.
Are We Seeing an End to Timthumb Attacks on WordPress?
Lately we have seen a decline in the number of TimThumb RFI attacks against our WordPress sites. A year ago this was the most common hacking probe logged for every WordPress site we manage. Back then we’d see a lot; from 10 to 50, sometimes more, different sources a day. Hardly a day would go by without at least one hacker looking for the vulnerability.
Over the last 6 months, the number of witnessed attempts has declined. Sometimes we don’t see a single probe looking for the old, vulnerable, timthumb.php / thumb.php script for several days.
Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack
For the past couple of days we’ve been watching a customers WordPress site being attacked by a botnet of websites trying to access site admin with user name “admin” and a variety of simple passwords.
Most of these attacks are coming from USA based web hosting services. One particular top level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many 2nd tier providers use Provo Unified Layer infrastructure including Bluehost and Hostmonster. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).
Latest Botnet Attacking WordPress wp-login.php
A botnet is currently attacking WordPress login (wp-login.php) with user name admin in a dDOS (Distributed Denial of Service) Brute Force attack intended to force the server and WordPress to allow the cyber-criminals access to the site
We’ve seen this botnet hammering some of our WordPress sites the last several days. So far we’ve seen attacks from the IPs listed below. (Note: These are only those used to attack our monitored sites – and the botnet will have more…
Be Pro-active and Defend Your WordPress Site
Roubaix Ovh Systems – Most Dangerous Host?
Is Roubaix Ovh Systems, a hosting and Internet Service Provider in France, one of the most dangerous ISPs and hosts in the world? We could be justified in thinking so. At least out of ISPs and hosting companies in the Western economic zone, outside of former Soviet Union states.
When you see a spambot active on your site, a hacking attempt, or a trackback spammer, there’s a pretty good chance it’s coming from an IP registered to Roubaix Ovh Systems, or another Ovh Systems IP.
Roubaix Ovh Systems Banned on Sight
We (Graphicline Web & Technology) have seen so much bad activity from IPs traced back to Roubaix Ovh Systems we now ban all their IPs as soon as I find them. Activity from all other OVH Systems networks are watched carefully
Apparent Botnet Attacked My WordPress Website
What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IP’s in these attacks – 146 IPs is serious stuff…
146 IP’s Used in Simultaneous Attack
The IP’s listed below are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attacked followed; starting from 05h16 GMT tailing off until ending at 05h43 GMT
Banning the Bad Hosts
I’m a no-compromise banner. It doesn’t take much effort to get an IP banned from my websites. A single bad event will normally be enough to block access to my sites from an IP address. Several attempts from a range of IP’s with a common service provider will get the entire IP range banned, the hostname or domain banned.
Currently there are about 700 entries in the banned list – representing millions of IPs, and the list gets longer daily. I cannot recall a day this year when at least one new bad IP was not added to the list.
Sharing the Bad IP Info
Mostly these IP’s were simply denied access, and no record was kept about the reason for the ban. At one time I started keeping a record, then lost interest and lacked time to continue. So I decided to start again, this time publishing the info where I can get to it, and other bloggers can also find the details. So now it’s published as a page on this blog…