WordPress under attack again

Matthew Prince, writing in the CloudFlare blog, warned, “There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username ‘admin’ and trying thousands of passwords.”

One concern is that the attackers might be using an existing botnet of home PCs in order to build a far more powerful botnet of commercial servers. The massive increase in available bandwidth could then be used to generate hugely more powerful and destructive DDoS attacks against selected targets. It isn’t known who is behind the current attack, but comparisons with Izz ad-Din al-Qassam and the use of compromised web servers to attack the US banks discovered earlier this year will be drawn. It is, notes Prince, “a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.”

An alternative motive could be to seed drive-by attacks in a manner similar to the Darkleech campaign against the Apache web server reported last week – a connection noted by Ars Technica. It gains credence from comments made by Daniel Cid, CTO at Sucuri Security, to Brian Krebs: “However, at least from our data, they are not re-using the compromised sites to build a botnet to scan others. I assume that is speculation. On the sites we looked [at] that were hacked, the attackers injected backdoors and malware on them,” including, says Krebs, the Blackhole Exploit Kit.

But whatever the motive, the solution is to prevent a compromise. Matt Mullenweg, the founding developer of WordPress, has offered the following advice: “If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress.” He adds that most other advice isn’t that good. “Supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”
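An added example, not from the article or from WordPress, that makes Mullenweg's point concrete: a login throttle keyed by source IP is compared with one keyed by the targeted account, fed a constructed stream of wrong guesses against ‘admin’ from 90,000 distinct (fake) addresses. The five-failure limit, the address scheme and the function names are assumptions for the demonstration.

```python
# Added example: per-IP vs per-account login throttling against a
# distributed brute-force such as the 90,000-address botnet described above.
from collections import defaultdict

MAX_FAILS = 5  # failed attempts tolerated before a key is locked (assumed policy)


class FailureThrottle:
    """Counts failed logins per key and refuses further attempts at MAX_FAILS."""

    def __init__(self, key_func):
        self.key_func = key_func  # maps (ip, username) -> throttle key
        self.fails = defaultdict(int)

    def allow(self, ip, username):
        return self.fails[self.key_func(ip, username)] < MAX_FAILS

    def record_failure(self, ip, username):
        self.fails[self.key_func(ip, username)] += 1


def replay(throttle, attempts):
    """Feed login attempts to a throttle; every guess is wrong.
    Returns how many guesses actually reached the password check."""
    reached = 0
    for ip, username in attempts:
        if throttle.allow(ip, username):
            reached += 1
            throttle.record_failure(ip, username)
    return reached


def botnet_attempts(n_ips, guesses_per_ip, username="admin"):
    """Constructed sample traffic: n_ips distinct sources, each making
    guesses_per_ip attempts against the same account (addresses are fake)."""
    for i in range(n_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for _ in range(guesses_per_ip):
            yield ip, username


def compare(n_ips=90_000, guesses_per_ip=4):
    """Guesses that get through under each policy for the same attack."""
    per_ip = replay(FailureThrottle(lambda ip, u: ip),
                    botnet_attempts(n_ips, guesses_per_ip))
    per_account = replay(FailureThrottle(lambda ip, u: u),
                         botnet_attempts(n_ips, guesses_per_ip))
    return {"per_ip_allowed": per_ip, "per_account_allowed": per_account}


if __name__ == "__main__":
    # Per-IP: every source stays under its own limit, so all 360,000 guesses
    # reach the password check. Per-account: the account locks after 5.
    print(compare())
```

The per-account figure also shows the trade-off: locking ‘admin’ after five failures denies the legitimate owner too, which is why the advice above is to retire that username and add two-factor authentication rather than rely on throttling.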

Since there are reports that Joomla is also being attacked, this is valid advice regardless of the personal web publishing platform being used.
