A WordPress attack is impacting web hosting providers and their customers

The attacks have also extended to Joomla websites, and Go Daddy has been working to mitigate the Joomla and WordPress attacks this week.
A post by KrebsOnSecurity says that analysts from a range of security and networking firms have tracked “an alarming uptick in so-called ‘brute-force’ password-guessing attacks against websites powered by WordPress, perhaps the most popular content management system in use today.”
Marc Gaffan, co-founder of Incapsula, a security firm, told Krebs that the WordPress attacks are creating chaos at some web hosting firms.
It’s hurting the service providers the most, not just with incoming traffic. But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about web servers, not home PCs. PCs may be connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.
HostGator has warned its customers of the WordPress attack, and encouraged customers with WordPress websites to change their passwords to something that meets the requirements specified on the WordPress website: something with upper and lowercase letters, at least 8 characters long, and including ‘special’ characters.
The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods. We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
ResellerClub is also working hard to mitigate the WordPress attack, but says it has noted the issue before.
To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers.
We did a detailed analysis of the attack pattern and found out that most of the attack was originating from CMSs (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories.
Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data.
Melbourne Server Hosting has seen signs of attempted WordPress and Joomla access as well.
Like many other hosting providers, we’ve seen signs over the past 48 hours of increased attempts to access and compromise popular CMS and blog web applications such as WordPress and Joomla.
Whilst there is the clear risk of having your CMS compromised, the more immediate threat posed here is that of a denial of service attack, which will render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash.
Customers of web hosts that use CloudFlare should be protected from this brute-force WordPress attack, as CloudFlare has rolled out a fix to all of its customers automatically, even users on the free tier.
We just pushed a rule out through CloudFlare’s WAF that detects the signature of the attack and stops it. Rather than limiting this to only paying customers, CloudFlare is rolling out the fix to all our customers automatically, including customers on our free plan. If you are a WordPress user and you are using CloudFlare, you are now protected from this latest brute force attack.
Because CloudFlare sits in front of a significant portion of web requests we have the opportunity to, literally, patch Internet vulnerabilities in real-time. We will be providing information about the attack back to partners who are interested in hardening their internal defenses for customers who are not yet on CloudFlare.
Tony Perez at Sucuri Blog says WordPress knew that it wasn’t equipped to handle brute-force attacks.
It was not long ago that I was sitting on a call with other members of the WordPress community in which we were talking about brute-force. When asked why WordPress core didn’t offer more out-of-the-box features to address the issue, the response was it’s just not a relevant issue.
As interesting a response as that was, the latest trends seem to contradict that statement head on. It goes to show us that with the technological improvements things like latency and other network considerations are becoming less of a barrier to entry for attackers.
Talk back: Have you seen any suspicious attempts at logging into WordPress or Joomla sites? Has this WordPress attack impacted your customers yet? Let us know in a comment.