
Huge attack on WordPress sites could spawn never-before-seen super botnet - toekneestuck
http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/
======
uptown
Rate-limiting login attempts out of the box is something WordPress should have
included a LONG time ago. Maybe 1% of installs will set up the plugin to do
this. No idea why they haven't added this yet.

~~~
dadum
Unfortunately it doesn't look like that would do any good here.

With over 200k different botnet-controlled machines, all that tracking the IP
sources would do here is create massive blocklists. There's already evidence
growing that the botnet is trying 2-3 passwords per source IP - effectively
bypassing existing limiting plugins.

A solution to the above is to limit the logins per account per timeframe, but
that just locks the legitimate users out, causes the botnet to spread out the
attack over longer periods, and ultimately only has a negative effect for the
user.

The hosts are feeling the pain though; I've seen that some hosts are disabling
access to wp-login.php entirely. This tells me that the shared hosts are
having resource issues, so a limit-login style plugin would do zero to help
them; it'd still cause massive problems for the host.

WordPress, Joomla, and other smaller CMSs are being targeted here, so this is
by no means just WordPress's problem either.

~~~
uptown
I get what you're saying but if the default setup were to rate-limit per-
account logins, there'd be little reason for these botnets to do what they're
doing. They don't want to block admin access to their CMS. They want to have
actual access. Effective rate-limiting per-account would kill the
effectiveness of their efforts.
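The two throttling strategies argued about above, side by side, as an added example (not code from the thread or from any WordPress plugin). The attacker profile follows dadum's description: one account, two or three guesses per source IP, many IPs. The IP addresses (RFC 5737 test ranges), the five-failure threshold and the ten-minute window are constructed for the demonstration; the last result shows the cost dadum points out, that the per-account lockout also shuts out the real owner.

```python
"""Per-IP vs per-account login throttling against a distributed guesser.

Added example, not code from the thread or any plugin. Thresholds, window
and addresses are constructed for illustration.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts failed attempts per key (a source IP or an account name)
    inside a sliding time window and blocks once the threshold is reached."""

    def __init__(self, max_failures, window_seconds):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, key, now):
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self.failures[key].append(now)


def simulate(attempts, limiter, key_fn):
    """Feed (timestamp, ip, account) attempts through a limiter; return how
    many guesses reached the password check. Every guess here is wrong."""
    allowed = 0
    for ts, ip, account in attempts:
        key = key_fn(ip, account)
        if limiter.is_blocked(key, ts):
            continue
        allowed += 1
        limiter.record_failure(key, ts)
    return allowed


def distributed_attempts(num_ips=200, per_ip=3, account="admin", spacing=0.1):
    """Constructed traffic: the bots take turns, each sending `per_ip`
    guesses against the same account, one guess every `spacing` seconds."""
    assert num_ips <= 256, "sample uses a single /24 test network"
    attempts, t = [], 0.0
    for _round in range(per_ip):
        for i in range(num_ips):
            attempts.append((t, f"203.0.113.{i}", account))
            t += spacing
    return attempts


def compare(num_ips=200, per_ip=3, max_failures=5, window_seconds=600):
    """Run the same traffic through a per-IP and a per-account limiter."""
    attempts = distributed_attempts(num_ips, per_ip)
    per_ip_limiter = SlidingWindowLimiter(max_failures, window_seconds)
    per_account_limiter = SlidingWindowLimiter(max_failures, window_seconds)
    return {
        "total_guesses": len(attempts),
        # keyed on source IP: no bot ever reaches the threshold
        "allowed_per_ip": simulate(attempts, per_ip_limiter, lambda ip, acct: ip),
        # keyed on account: the threshold is hit after the first few guesses
        "allowed_per_account": simulate(attempts, per_account_limiter, lambda ip, acct: acct),
        # the price of per-account throttling: the legitimate owner is locked out too
        "owner_locked_out": per_account_limiter.is_blocked("admin", attempts[-1][0] + 1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With 200 bots sending three guesses each, the per-IP limiter never trips and all 600 guesses are checked against the password, while the per-account limiter checks five and rejects the rest for the remainder of the window, including the owner's own login.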

------
modernerd
Use a two-factor auth plugin like
<https://wordpress.org/extend/plugins/google-authenticator/> It works with the
Google Authenticator app.

Duo Security is also good: <http://wordpress.org/extend/plugins/duo-wordpress/>

The WordPress.com team have already announced two-factor auth support for
wp.com blogs, and are working on an official solution for wp.org sites:
[http://macmanx.com/2013/04/12/two-step-authentication-on-wor...](http://macmanx.com/2013/04/12/two-step-authentication-on-wordpress-com/)

~~~
yaix
Simply use five random dictionary words as a password and you are fine. The
browser will then store the password for easy login.

Two-factor auth just adds to complexity, and that is a bad thing when it comes
to security. You want to be able to easily understand that a system is secure.
The more complex a system is, the larger the likelihood of a surprise "whoops,
I overlooked that" somewhere down the road.

~~~
ra
Or any slightly obscure memorable phrase. e.g. mycatmiffylikesbiscuits or
tallspeakerswithoutafaceplaterattle or emptyhandlebeerglasshasfoam ...

~~~
ZoFreX
No. The key word in the comment you replied to was "random".
"mycatmiffylikesbiscuits" is a pretty terrible password.

~~~
danenania
How so? Assuming about 100,000 common words in the English language, with a
five word phrase aren't you talking about 10000000000000000000000000
combinations for a dictionary attack to churn through? Even if you narrow it
down to phrases that make grammatical sense (which certainly isn't a trivial
thing to do algorithmically), you're still talking pretty astronomical
numbers, and that doesn't account for the large increase in the corpus that
would be needed for an attack that could include a name like "miffy" in its
attempts.

~~~
ZoFreX
Have you ever used SwiftKey or Swype on Android? Vaguely the same principles
apply here. It actually wouldn't be hard to generate passphrases where you try
the most "predictable" phrases first. E.g. if you start your brute-forcing at
"my cat" you would try "my cat likes" a long time before you tried "my cat
algorithmically".

Also, 100,000 common words is a bit more than you would need. If people are
plucking words from their heads, rather than rolling dice and picking from a
list, you can assume a more limited corpus and still crack a lot of passwords.
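The numbers behind the exchange above, as an added example that is not part of the thread. It reproduces danenania's 100,000^5 figure and puts ZoFreX's objection in the same units: the search space of a word passphrase is only as large as the list the words were actually drawn from, so modelling "words plucked from your head" as a list of a couple of thousand everyday words (itself an optimistic, uniform-draw upper bound) shrinks the space by many orders of magnitude. The guess rates are assumptions chosen for illustration, not measurements from the attack; the 7,776-word list size is that of a standard Diceware list.

```python
"""Search space and entropy of word-based passphrases.

Added example, not code from the thread. Guess rates are assumptions.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinations(corpus_size, n_words):
    """Size of the search space when each word is drawn uniformly from the list."""
    return corpus_size ** n_words


def entropy_bits(corpus_size, n_words):
    """Bits of entropy of that uniform draw (log2 of the search space)."""
    return n_words * math.log2(corpus_size)


def expected_crack_years(corpus_size, n_words, guesses_per_second):
    """Mean time to hit the right phrase: half the space at a constant guess rate."""
    seconds = combinations(corpus_size, n_words) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def words_needed(corpus_size, target_bits):
    """How many words to draw from a list of this size to reach a target entropy."""
    return math.ceil(target_bits / math.log2(corpus_size))


def scenarios():
    """Illustrative cases; every rate and corpus size here is an assumption."""
    offline = 1e9   # guesses/s against a leaked password hash (assumption)
    online = 100.0  # guesses/s a login form might absorb before falling over (assumption)
    return {
        # danenania's case: five words drawn at random from 100,000
        "random_5_of_100k": {
            "combinations": combinations(100_000, 5),
            "bits": entropy_bits(100_000, 5),
            "years_offline": expected_crack_years(100_000, 5, offline),
            "years_online": expected_crack_years(100_000, 5, online),
        },
        # ZoFreX's case: same length, but the words came from the ~2,000
        # everyday words a person reaches for, and this uniform model is
        # still an upper bound on their strength
        "chosen_5_of_2k": {
            "combinations": combinations(2_000, 5),
            "bits": entropy_bits(2_000, 5),
            "years_offline": expected_crack_years(2_000, 5, offline),
            "years_online": expected_crack_years(2_000, 5, online),
        },
        # a 7,776-word Diceware list: words needed for 77 bits
        "diceware_words_for_77_bits": words_needed(7_776, 77),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(name, value)
```

Five words drawn at random from 100,000 give about 83 bits and a space of 10^25; five words chosen from an effective 2,000-word vocabulary give about 55 bits, which an offline guesser at a billion tries per second exhausts in about half a year. Against the login form itself the online rate, not the entropy, is the binding limit, which is legutierr's point further down.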

~~~
andyakb
Nobody starts brute forcing at "mycat." Even if they somehow knew that's how
it started, that barely helps them. They don't know how many other words there
are, or what the next one is. Simply because it is more likely to be "my cat
likes" does not mean it is now feasible to crack. Without social engineering,
that password is not crackable for all practical purposes and is far from a
terrible password.

~~~
ZoFreX
No, but we're talking about brute forcing billions of attempts per second, and
we're not up against randomness, we're up against "the best pseudorandomness
the human brain can muster", so the odds _aren't_ 1 / <number of
possibilities>. A password is severely weakened if it isn't sufficiently
random.

~~~
legutierr
What Wordpress site can accept billions of login attempts per second?

------
socillion
"...the distributed attacks are attempting to brute force the administrative
portals of WordPress servers, employing the username "admin" and 1,000 or so
common passwords."

I'm a little surprised that such a simple attack vector is a legitimate threat
in creating a "super botnet."

~~~
minimaxir
On older Wordpress installs (pre-3.0 I believe), you couldn't change the
username of the first user from "admin" when setting up a blog, and you had to
manually change it later. Yes, it was stupid.

~~~
FuzzyDunlop
I remember having to perform some magical incantation to actually pull that
off around then. Set up WP, log in, create new user, set it as admin, log in
as the new user, try to delete the admin account, log back in as admin because
you forgot something, log in as the new user again, actually delete account.

No wonder everyone stuck with 'admin'.

------
jameswyse
Another nice bit of advertising for Cloudflare..

There's some more about this on their blog:

[http://blog.cloudflare.com/patching-the-internet-fixing-the-...](http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br)

~~~
micheljansen
Exactly what I thought when I read "Operators of WordPress sites can take
other measures too, including installing plugins such as this one and this
one, which close some of the holes most frequently exploited in these types of
attacks. Beyond that, operators can sign up for a free plan from CloudFlare
that automatically blocks login attempts that bear the signature of the brute-
force attack.".

Then I saw the source for this "news": Cloudflare's blog.

------
ajtaylor
I've used WordPress in the past because it was easy to set up and use. However,
given the consistently bad security record I'd love to try something
different. Anyone have recommendations for other open source CMSs? Similar
functionality to WP is enough - I don't need anything fancy.

~~~
recusancy
Drupal

------
js4all
It is time for every Wordpress user to consider switching to Octopress. Static
sites have no attack vector, don't need security updates and are faster out of
the box. Octopress has importers for many blogging systems including
Wordpress:

<https://github.com/mojombo/jekyll/wiki/blog-migrations>

P.S.: I migrated a few days ago myself from Posterous to Octopress. It
was a piece of cake.

~~~
modernerd
Static site generators require a lot of sacrifices:

What about non-technical users? Multi-author blogs? Idiot-proof extensibility?
Updates from phones and tablets? Huge sites with thousands of posts? Editorial
and review systems? Access to thousands of cheap or free themes?

The ideal static site user is in a pretty privileged group. Most WordPress
users would be better off securing WordPress and using a caching plugin that
gives them the benefits of a powerful, dynamic platform while serving static
files with automatic serverside compilation:
<http://wordpress.org/extend/plugins/wp-super-cache/>

~~~
kmfrk
Exactly. My own static blog is pretty much the perfect CMS that I wouldn't
recommend to anyone for the life of me.

At the very least, it needs something like <http://prose.io/> on top of it,
and since their website keeps not working, you don't want to put all your eggs
in one basket, if shit hits the fan.

------
callmeed
I can confirm. We host a lot of WordPress blogs (for photographers) and our
scans have detected an uptick in installs infected with malicious files.
I'm not sure if it's the same attack mentioned in the article but the last 2
weeks have been the worst I've seen.

In my experience people get compromised due to bad folder permissions or old
versions of WP. I hadn't considered brute-force password attacks.

~~~
bigiain
Can I suggest it might be worth investigating the "Wordfence Security" plugin?

I use it pretty much everywhere that I have anything to do with WordPress -
I'd noticed an uptick early this week of random ip addresses from far-flung
countries getting locked out after 5 login attempts or multiple lost password
attempts.

(One site in particular gets a _lot_ of drive-by login attempts - it's got the
word "anonymous" in the domain, which I suspect attracts mostly the wrong sort
of traffic... Wordfence is locked down _much_ tighter on that site.)

~~~
krapp
I was just about to mention this ... I'm using Wordfence on a WordPress site
right now, already had logins limited.

And the 'live scan' is scary -- constant attempts to login as 'admin'.

------
sikhnerd
It's actually two separate, but extremely similar attacks. One is exactly as
described in the article, fairly distributed dictionary attack with user admin
against wp-login.php. The second one is slightly more advanced, much much more
distributed and I've seen it go for Joomla and wordpress, trying common
usernames at times (though generally sticking to administrator/admin) and
going through what appears to be a dictionary of about 3000 passwords. The
bigger issue is these are coming in so fast and from so many directions, on
resource constrained machines this is essentially ending up like a DDoS, which
has a lot of ancillary effects. mod_sec and other similar methods of
identifying these incoming before hitting apache and spawning a php thread are
proving to be very much not enough.

------
ushi
Ahaha, great headline...

Seriously, the security of password-protected systems is a disaster (when
combined with the average user).

We should push static content generators like jekyll & co to reduce the
surface, till somebody solves the authentication problem.

------
archagon
I'm a new WordPress user. Are there any guides online with best practices that
I can follow? (Some suggestions I see in this thread: rate-limiting plugin,
don't have user id #1, don't have user "admin".)

~~~
ereckers
Start here: <http://codex.wordpress.org/Hardening_WordPress>

Find a good host, use a secure password, pay attention to the 3rd
party plugins you're installing, and keep your install updated.

------
joshaidan
What URL are the login requests sent to? Would changing the wp-admin directory
to something random help avoid the attacks? Or does WordPress have another
point of entry for authentication?

------
ChuckMcM
Not surprisingly, one of the most commonly scripted search queries at Blekko is
for WordPress themes in one way or another. We do what we can to not return
them any useful data.

------
infinity
I write all (futile) login attempts on my site to a log file. I can confirm
this rise in password bruteforcing attempts during the last days.

This is what the bruteforce passwords look like, these tried to login as
"admin":

    
    
      [Sat Apr 13 05:30:31 2013]   nevalidniipass 
      [Sat Apr 13 05:30:34 2013]   gfhjkm 
      [Sat Apr 13 05:30:37 2013]   gggggggg 
      [Sat Apr 13 05:30:39 2013]   ghbdtn 
      [Sat Apr 13 05:30:41 2013]   ghgftmn6 
      [Sat Apr 13 05:30:43 2013]   ghghgh 
      [Sat Apr 13 05:30:44 2013]   ghjkju 
      [Sat Apr 13 05:30:46 2013]   ghjrdjcn 
      [Sat Apr 13 05:30:48 2013]   gjkzyjxr 
      [Sat Apr 13 05:30:50 2013]   globax123 
      [Sat Apr 13 05:30:52 2013]   go0gle 
      [Sat Apr 13 05:30:54 2013]   go2fuck 
      [Sat Apr 13 05:30:55 2013]   gogogo 
      [Sat Apr 13 05:30:57 2013]   goldz 
      [Sat Apr 13 05:30:59 2013]   gthtw112 
      [Sat Apr 13 05:31:02 2013]   guest 
      [Sat Apr 13 05:31:05 2013]   h69s9t 
      [Sat Apr 13 05:31:07 2013]   hackett 
      [Sat Apr 13 05:31:08 2013]   hal9000 
      [Sat Apr 13 05:31:10 2013]   hazem200 
      [Sat Apr 13 05:31:12 2013]   heccrbqh 
      [Sat Apr 13 05:31:14 2013]   herbie 
      [Sat Apr 13 05:31:16 2013]   hghgh 
      [Sat Apr 13 05:31:18 2013]   hhhh1 
      [Sat Apr 13 05:31:20 2013]   hhhhhaaaaa 
      [Sat Apr 13 05:31:21 2013]   hockey 
      [Sat Apr 13 05:31:23 2013]   home555 
      [Sat Apr 13 05:31:25 2013]   honda 
      [Sat Apr 13 05:31:27 2013]   htrdbtv 
      [Sat Apr 13 05:31:29 2013]   http 
      [Sat Apr 13 05:31:31 2013]   hycvibck 
      [Sat Apr 13 05:31:33 2013]   i_am 
      [Sat Apr 13 05:31:35 2013]   ib6ub9 
      [Sat Apr 13 05:31:37 2013]   icing 
      [Sat Apr 13 05:31:38 2013]   icq123 
      [Sat Apr 13 05:31:40 2013]   icqpass 
      [Sat Apr 13 05:31:42 2013]   if6was9 
      [Sat Apr 13 05:31:44 2013]   ifhgtq79 
      [Sat Apr 13 05:31:46 2013]   ifyfif 
      [Sat Apr 13 05:31:48 2013]   iiiiiiii 
      [Sat Apr 13 05:31:50 2013]   ikaihsot 
      [Sat Apr 13 05:31:52 2013]   il0vey0u 
      [Sat Apr 13 05:31:54 2013]   iloveaol 
      [Sat Apr 13 05:31:56 2013]   iloveu 
      [Sat Apr 13 05:31:57 2013]   iloveyou 
      [Sat Apr 13 05:31:59 2013]   inferno 
      [Sat Apr 13 05:32:01 2013]   infinity 
      [Sat Apr 13 05:32:05 2013]   infree 
      [Sat Apr 13 05:32:08 2013]   iof314 
      [Sat Apr 13 05:32:11 2013]   jake4440 
      [Sat Apr 13 05:32:13 2013]   jamie1 
      [Sat Apr 13 05:32:15 2013]   janice 
      [Sat Apr 13 05:32:16 2013]   jay18birdman 
      [Sat Apr 13 05:32:18 2013]   jc5000 
      [Sat Apr 13 05:32:20 2013]   jeffery 
      [Sat Apr 13 05:32:22 2013]   john1 
      [Sat Apr 13 05:32:24 2013]   joomla 
      [Sat Apr 13 05:32:26 2013]   joshua 
      [Sat Apr 13 05:32:27 2013]   keys 
      [Sat Apr 13 05:32:29 2013]   kholmsk3 
      [Sat Apr 13 05:32:31 2013]   kir11421 
      [Sat Apr 13 05:32:33 2013]   kkkkkk 
      [Sat Apr 13 05:32:35 2013]   kngvhpg 
      [Sat Apr 13 05:32:37 2013]   ko#]|7sz 
      [Sat Apr 13 05:32:39 2013]   kxvq4k2d 
      [Sat Apr 13 05:32:41 2013]   laksmi 
      [Sat Apr 13 05:32:42 2013]   lefty 
      [Sat Apr 13 05:32:44 2013]   lex1977 
      [Sat Apr 13 05:32:46 2013]   linux 
      [Sat Apr 13 05:32:48 2013]   lol 
      [Sat Apr 13 05:32:50 2013]   lol777 
      [Sat Apr 13 05:32:52 2013]   lollol 
      [Sat Apr 13 05:32:54 2013]   lovelove 
      [Sat Apr 13 05:32:55 2013]   lucille2000 
      [Sat Apr 13 05:32:57 2013]   lyxasgje 
      [Sat Apr 13 05:32:59 2013]   m@$ter 
      [Sat Apr 13 05:33:02 2013]   m@ster 
      [Sat Apr 13 05:33:07 2013]   m1911a1 
      [Sat Apr 13 05:33:11 2013]   google 
      [Sat Apr 13 05:33:13 2013]   facebook 
      [Sat Apr 13 05:33:15 2013]   microsoft 
      [Sat Apr 13 05:33:17 2013]   obama 
      [Sat Apr 13 05:33:18 2013]   twitter 
      [Sat Apr 13 05:33:20 2013]   wp 
      [Sat Apr 13 05:33:22 2013]   wordpress 
      [Sat Apr 13 05:33:24 2013]   060890 
      [Sat Apr 13 05:33:26 2013]   060891 
      [Sat Apr 13 05:33:28 2013]   060893 
      [Sat Apr 13 05:33:30 2013]   060988 
      [Sat Apr 13 05:33:32 2013]   060989
    

They also try to get access as "administrator".

~~~
OGC
nitpick: that's a dictionary attack, not brute-force

~~~
infinity
Yes, of course you're right, my mistake. Mainly I wanted to share some
information and give examples of passwords.

Here are some more observations which I made during the last months:

Most of the time it seems that the attackers are using a list of popular
passwords, the same passwords appear over and over again: 12345, qwerty,
1q2w3e4r, and so on.

Most of the time they try to log in as "admin", "Admin", "administrator",
"root" or the name of the domain or blog or a part of that name, for example
omitting a ".com".

In the HTTP requests, the parameters "log" (for the user name) and "pwd" (for
the password) are always transmitted, but the parameters "wp-submit=Log In"
and "testcookie=1" are not always transmitted.

Many of these attacks do not transmit a user-agent field in the HTTP headers.
Blocking the empty user-agent seems like a good idea to me.

These attacks look simple, but I guess that they are successful on a big
number of sites.
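The observations above turned into checks, as an added example (not code from the thread or from any plugin). It scores failed-login records on the indicators infinity reports: a credential post that carries "log" and "pwd" but lacks the "wp-submit"/"testcookie" fields a browser form sends, an empty User-Agent, and a username that is a default ("admin", "administrator", "root") or derived from the site's own hostname. The record layout (what a login hook or a WAF audit log might capture) and the sample records are constructed; the last helper reads the plain "[timestamp] password" format of the log posted earlier in the thread and turns it into a rate.

```python
"""Flagging WordPress login-guessing requests from a few request attributes.

Added example; not from the thread or from any plugin. The record shape is
an assumption; the sample records and log lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime

DEFAULT_USERNAMES = {"admin", "administrator", "root"}


def domain_derived_names(hostname):
    """Usernames guessable from the site name, e.g. 'example' from example.com."""
    labels = hostname.lower().split(".")
    names = {hostname.lower(), *labels, ".".join(labels[:-1])}
    names.discard("")
    return names


def suspicious_reasons(record, hostname):
    """Return the indicators matched by one failed-login record."""
    fields = record["fields"]
    if "log" not in fields or "pwd" not in fields:
        return []  # not a wp-login credential post at all
    reasons = []
    if not record.get("user_agent"):
        reasons.append("empty-user-agent")
    if "wp-submit" not in fields or "testcookie" not in fields:
        reasons.append("missing-browser-form-fields")
    user = fields["log"].lower()
    if user in DEFAULT_USERNAMES:
        reasons.append("default-username")
    elif user in domain_derived_names(hostname):
        reasons.append("domain-derived-username")
    return reasons


def summarize(records, hostname, min_indicators=2):
    """Count flagged records per source IP (those matching >= min_indicators)."""
    hits = Counter()
    for rec in records:
        if len(suspicious_reasons(rec, hostname)) >= min_indicators:
            hits[rec["ip"]] += 1
    return hits


LOG_LINE = re.compile(r"^\s*\[(?P<ts>[^\]]+)\]\s+(?P<pwd>.*?)\s*$")


def attempts_per_minute(lines):
    """Guess rate from a plain '[timestamp] password' log like the one above."""
    stamps = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"))
    if len(stamps) < 2:
        return 0.0
    span = (stamps[-1] - stamps[0]).total_seconds()
    return 60.0 * (len(stamps) - 1) / span if span else float("inf")


# Constructed sample records (RFC 5737 test addresses, made-up values).
SAMPLE_RECORDS = [
    {"ip": "203.0.113.7", "user_agent": "", "fields": {"log": "admin", "pwd": "hal9000"}},
    {"ip": "203.0.113.7", "user_agent": "", "fields": {"log": "administrator", "pwd": "qwerty"}},
    {"ip": "198.51.100.9", "user_agent": "",
     "fields": {"log": "example", "pwd": "12345", "testcookie": "1"}},
    {"ip": "192.0.2.44", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0",
     "fields": {"log": "jane", "pwd": "not-this-one", "wp-submit": "Log In", "testcookie": "1"}},
]

# Three lines in the format of the log posted above (constructed copy).
SAMPLE_LOG = [
    "  [Sat Apr 13 05:30:31 2013]   nevalidniipass ",
    "  [Sat Apr 13 05:30:34 2013]   gfhjkm ",
    "  [Sat Apr 13 05:30:37 2013]   gggggggg ",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["ip"], suspicious_reasons(rec, "example.com"))
    print(dict(summarize(SAMPLE_RECORDS, "example.com")))
    print(f"{attempts_per_minute(SAMPLE_LOG):.1f} attempts/min")
```

Requiring two indicators rather than one keeps a user who mistypes their password from a browser with an odd User-Agent out of the blocklist; the single pattern infinity proposes blocking on, an empty User-Agent, is one of the inputs here rather than the whole decision.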

------
ianstormtaylor
Don't know if this is a dumb question: but would it be possible for a good
party to use the same method to get admin access and install rate-limiting
login plugins on all of these insecure WordPress blogs? Seems like that would
be badass.

~~~
pwim
See this post for an explanation why it isn't a good idea:
[http://www.schneier.com/blog/archives/2008/02/benevolent_wor...](http://www.schneier.com/blog/archives/2008/02/benevolent_worm_1.html)

------
navs
I've also noticed an increase in spam comments and trackbacks that akismet
doesn't catch. Is this possibly related? At least on two occasions I've
noticed the ip address of a spam comment match against an attempted login.

------
medell
Attacks are continuing, I've logged two more attempts from today. There is no
reason these sites have login attempts from said countries: 79.28.255.65
(Italy) 80.35.80.139 (Spain)

------
nwh
The effect is probably reasonably limited though. Most of the time you're
going to be in safe mode or on shared hosting, which means no SYN floods and
no bitcoin mining.

------
ck2
If you still have user id #1 and/or the user "admin" on your wordpress
install, you just haven't been using wordpress long enough to know what bad
ideas those are.

~~~
lenazegher
I've not heard of the problem of a user with id #1 before, can you explain
please? What's the issue with a user id #1 when the username is not admin?

~~~
francescolaffi
If user #1 is still an admin but with a different name, you can just go to
wpurl/?author=1, and if URL rewriting is enabled you'll be redirected to
wpurl/author/nicename, and nicename is usually equal to the username.

~~~
pdkp
I don't think this adds the layer of security you think it does, merely a
minor bit of obscurity. In the context of the specific vector you reference,
author={$user_id}, it probably doesn't do anything at all to protect you.

Not that there is anything wrong with adding a bit of obscurity; not using
'admin' as a username and using a non-privileged author for posts can go a
long way.

However, if you are worried about someone getting your username from
"author={$user_id}," using a user_id of 2, 3, 4, 5, etc. probably isn't going to
protect you. I think you are incorrectly assuming that the person that would
use this method to get a username is going to stop if they get a 404 at #1 (or
even after just a single attempt.)
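A detection counterpart to the point pdkp makes, as an added example (not code from the thread). Since moving the administrator off user ID 1 only means an enumerator tries 2, 3, 4 and so on, the useful signal is the walk itself: one source requesting `?author=N` for several distinct N in a row. This reads web server access-log lines in Combined Log Format and reports sources that probed at least three author IDs, along with how many probes the server answered with a redirect (the case francescolaffi describes, where URL rewriting sends `?author=N` to `/author/nicename`). The log lines are constructed, with RFC 5737 test addresses; the assumption that a resolved ID answers with a 30x status is noted in the code.

```python
"""Spotting author-ID enumeration in a web server access log.

Added example, not from the thread. Log lines below are constructed.
"""
import re
from collections import defaultdict

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
AUTHOR_QUERY = re.compile(r"[?&]author=(\d+)(?:&|$)")


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def author_enumeration(lines, min_distinct_ids=3):
    """Map source IP -> the author IDs it probed and how many probes were
    answered with a redirect, for sources that probed enough distinct IDs."""
    probes = defaultdict(set)
    redirected = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        m = AUTHOR_QUERY.search(rec["path"])
        if not m:
            continue
        probes[rec["ip"]].add(int(m.group(1)))
        # assumption: a 30x here means the ID resolved and /author/<nicename>
        # was handed back in the Location header, i.e. a username leaked
        if rec["status"].startswith("3"):
            redirected[rec["ip"]] += 1
    return {
        ip: {"ids": sorted(ids), "redirected": redirected[ip]}
        for ip, ids in probes.items()
        if len(ids) >= min_distinct_ids
    }


# Constructed sample: one source walking IDs 1-4, one ordinary visitor
# following a single author link, one unrelated page view.
SAMPLE_LINES = [
    '203.0.113.5 - - [13/Apr/2013:05:40:01 +0000] "GET /?author=1 HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [13/Apr/2013:05:40:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "-"',
    '203.0.113.5 - - [13/Apr/2013:05:40:03 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "-"',
    '203.0.113.5 - - [13/Apr/2013:05:40:04 +0000] "GET /?author=4 HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.10 - - [13/Apr/2013:05:41:10 +0000] "GET /?author=2 HTTP/1.1" 301 0 '
    '"http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"',
    '192.0.2.10 - - [13/Apr/2013:05:41:12 +0000] "GET / HTTP/1.1" 200 8421 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"',
]

if __name__ == "__main__":
    for ip, info in author_enumeration(SAMPLE_LINES).items():
        print(ip, info)
```

On the sample the walker is reported with IDs 1 through 4 and two redirects, while the visitor who followed one author link is not; lowering `min_distinct_ids` trades that quiet for sensitivity.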

------
mmuro
In my opinion, Better WP Security is a requirement for any WordPress site.

------
desbest
Just get the Login Lockdown plugin and install it.

~~~
lousy_sysadmin
1) Login Lockdown

2) WP Better Security

3) WPScan (<https://github.com/wpscanteam/wpscan>)

Should be sufficient for most small/medium installations

------
thefreeman
tldr; automated scripts attacking default wordpress username with weak
password. Welcome to the internet.

------
nichols
Time to start moving away from TurdPress.

------
brittohalloran
I'm sorry but white on black makes my eyes angry

------
eof
I wonder if this is related to the DDOS that has been off and on against the
bitcoin exchanges.

