Brute-Force Attack on WordPress blogs and Joomla Sites

April 15th, 2013

Thousands of WordPress and Joomla sites are currently under brute-force password attack by a large botnet. Administrators should take charge by making sure that their WordPress and Joomla installations use strong passwords and uncommon usernames.

According to reports from CloudFlare, HostGator, and several other companies, cyber criminals have significantly stepped up brute-force, dictionary-based login attempts against WordPress blogs and Joomla sites over the past few days. These attacks look for familiar account names, such as “admin,” and systematically try common passwords against them in order to break into WordPress or Joomla accounts.

Attacks of this kind should alert administrators, who can then stop the perpetrators from breaking in and gaining access to their sites; a successful break-in would let the attacker deface the site or embed malicious code that infects visitors with malware. However, the highly organized nature of these attacks and their large scale imply even more menacing goals. It now appears that the attackers are likely trying to gain a foothold on the server in order to find a way to take over the entire machine. Web servers are generally more powerful and have bigger bandwidth pipes than home computers, making them more attractive targets for cyber criminals.

“The attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” wrote Matthew Prince, CEO of CloudFlare, on his company blog.

Researchers believe that “The Brobot botnet,” which was behind the massive denial-of-service attacks against U.S. financial institutions, was made up of compromised Web servers. Following on from this, Prince said, “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Accounts that are Brute-Forced

To attack WordPress blogs and Joomla sites, the cyber criminals use brute-force tactics to break into the sites' user accounts. The top five usernames targeted by the attackers were “admin,” “test,” “administrator,” “Admin,” and “root.” To brute-force a particular site, the perpetrators systematically try candidate passwords until one of them succeeds and they have taken over the account. Simple passwords such as number sequences and dictionary words are easy for attackers to guess, especially when a botnet automates the entire process. The top five passwords attempted in this attack were “admin,” “123456,” “111111,” “666666,” and “12345678.”

Anyone who created an account on one of these sites with a common username and a common password should change it immediately to something less obvious and familiar, to reduce the risk of this kind of attack.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem,” Matt Mullenweg, creator of WordPress, wrote on his blog.

Surge in Cyber Attack Volume

Sucuri’s statistics indicate that the attacks are still increasing. The company had already blocked 678,519 login attempts in December, followed by 1,252,308 in January, 1,034,323 in February, and 950,389 in March, Daniel Cid, CTO of Sucuri, wrote on the company blog. In the first 10 days of April alone, Sucuri has already blocked 774,104 login attempts, Cid said. That is a significant jump, from 30,000 to 40,000 attacks per day to an average of about 77,000 per day, and on some days this month the attacks have exceeded 100,000, Sucuri said.

“In these cases, by the sheer fact of having a non-admin / administrator / root usernames you are automatically out of the running,” Cid said, before adding, “Which is kind of nice actually.”
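The volume figures above come from counting blocked login attempts. The following is an added example, not code from the article, Sucuri or any of the companies mentioned: it parses web-server access-log lines in the common “combined” format, counts POST requests to the WordPress and Joomla login endpoints, reports per-day totals in the style of the statistics quoted above, and flags source addresses that exceed a threshold of login POSTs inside a sliding time window. The log lines, the addresses (taken from documentation ranges), the login paths being watched, the threshold and the window length are all constructed assumptions for the demonstration.

```python
"""Flag brute-force login bursts in web-server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login endpoints worth watching; which paths to watch is an assumption.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/administrator/index.php")

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one legitimate login, one burst, one sub-threshold probe,
# one request outside the window, one malformed line, one non-login GET.
SAMPLE_LOG = """\
198.51.100.9 - - [15/Apr/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3045
203.0.113.7 - - [15/Apr/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3045
203.0.113.7 - - [15/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3045
203.0.113.7 - - [15/Apr/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3045
203.0.113.7 - - [15/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3045
203.0.113.8 - - [15/Apr/2013:10:00:20 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
203.0.113.8 - - [15/Apr/2013:10:00:21 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
203.0.113.7 - - [15/Apr/2013:10:00:30 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3045
this line is not a valid log record
203.0.113.7 - - [15/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3045
203.0.113.8 - - [16/Apr/2013:08:00:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_attempts(lines):
    """Yield (ip, timestamp) for every POST to one of the watched login endpoints."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, ts, method, path, _status = rec
        # Drop the query string so "/wp-login.php?action=..." still matches.
        if method == "POST" and path.split("?", 1)[0] in LOGIN_PATHS:
            yield ip, ts


def attempts_per_day(lines):
    """Count login POSTs per calendar day, the shape of the figures Sucuri reports."""
    counts = defaultdict(int)
    for _ip, ts in login_attempts(lines):
        counts[ts.date().isoformat()] += 1
    return dict(counts)


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak attempts seen inside one window} for IPs reaching the threshold.

    Sliding window per source: on each login POST, discard that IP's attempts
    older than `window`, then compare what remains against the threshold.
    Lines are assumed to be in chronological order, as access logs are.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in login_attempts(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("login POSTs per day:", attempts_per_day(lines))
    print("burst sources:", find_bursts(lines))
```

On the constructed sample, the legitimate user (one POST followed by a redirect) and the two-request Joomla probe stay below the threshold, while 203.0.113.7 is reported with six attempts in its busiest window; its later attempt at 10:05 falls outside the window and does not raise the count. The per-day counter is what a site owner would run over a full month of logs to get figures comparable to the ones quoted above, and the flagged addresses are candidates for rate limiting or blocking at the web server or firewall.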

Hints of a Large Botnet

The volume of attacks hints at the size of the botnet. HostGator estimated that at least 90,000 computers are involved in these attacks, and CloudFlare believes “more than tens of thousands of unique IP addresses” are being used.

What is a Botnet?

A botnet is made up of many compromised computers that receive instructions from one or more centralized command-and-control servers and execute those commands. In most cases these computers have been infected with some kind of malware, and often the user is unaware that attackers are controlling the machine.

Updated Software and Strong Credentials

What is worrying about these attacks is not that attacks against popular content management systems are new, but their sheer volume and sudden increase. In this situation there is not much an administrator can do beyond using a strong username and password combination, which makes the attackers' job harder, and ensuring that the CMS and its associated plugins are up to date.

“If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” Mullenweg said. WordPress 3.0, released three years ago, let users choose a custom username at installation, so there has been no reason since then to use “admin” or “Administrator” as a username.
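The advice above, and the username and password lists reported earlier in the article, can be turned into a check that runs whenever an account is created or a password changed. The following is an added example, not code from the article or from WordPress or Joomla: it rejects the targeted default usernames (compared case-insensitively, so “Admin” is caught along with “admin”), the most-attempted passwords, and, more generally, the patterns those passwords belong to: ascending or descending digit sequences, a single repeated character, and a dictionary word with trivial digit or punctuation padding. The minimum length of 12, the small stand-in word list and the function names are assumptions; a real deployment would load a full breached-password list in place of `COMMON_WORDS`.

```python
"""Credential policy check for the patterns this botnet preys on (added example)."""
import re

# Usernames the article names as the most targeted; compared case-insensitively.
DEFAULT_USERNAMES = {"admin", "test", "administrator", "root"}
# Passwords the article names as the most attempted.
TOP_PASSWORDS = {"admin", "123456", "111111", "666666", "12345678"}
# Tiny stand-in word list (assumption); load a real breached-password list in practice.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "wordpress", "joomla"}
MIN_LENGTH = 12  # assumed policy minimum


def is_digit_sequence(s):
    """True for runs of consecutive digits in either direction, e.g. 12345678 or 87654321."""
    if not s.isdigit() or len(s) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_repeated_char(s):
    """True when the whole string is one character repeated, e.g. 111111 or 666666."""
    return len(s) >= 4 and len(set(s)) == 1


def check_username(username):
    """Return a list of policy problems with the username (empty means acceptable)."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("default username targeted by the botnet")
    return problems


def check_password(password, username=""):
    """Return a list of policy problems with the password (empty means acceptable)."""
    problems = []
    lowered = password.lower()
    if password in TOP_PASSWORDS:
        problems.append("among the most-attempted passwords")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_digit_sequence(password):
        problems.append("sequential digits")
    if is_repeated_char(password):
        problems.append("single repeated character")
    if username and lowered == username.lower():
        problems.append("same as username")
    # Strip digits and punctuation so "Password2013!" is still recognised as a word.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_WORDS:
        problems.append("dictionary word with trivial padding")
    return problems


def evaluate(username, password):
    """Combine both checks; an empty list under each key means the pair passes."""
    return {
        "username": check_username(username),
        "password": check_password(password, username),
    }


if __name__ == "__main__":
    # Constructed test pairs: the article's worst case, a padded dictionary word, and a passphrase.
    for user, pw in [("admin", "123456"), ("wp_editor_7", "Password2013!"),
                     ("wp_editor_7", "correct horse battery staple")]:
        print(user, repr(pw), "->", evaluate(user, pw))
```

The length and pattern checks are what catch the next wave of guesses that are not on the published top-five lists: “87654321” is rejected as a digit sequence even though it is not in `TOP_PASSWORDS`, and “Password2013!” is rejected despite mixed case, digits and punctuation. Where two-factor authentication is available, as the quote above recommends, it should be enabled in addition to, not instead of, this kind of check.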

Protect yourself with Alertsec

Organisations are now aware of the need for data security and are implementing data encryption. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. It is the most widely deployed software of its kind and is seen as today’s market leader.
