Massive botnet chews through 20,000 WordPress sites

By Danny Bradbury, Sophos

December 10, 2018

WordPress users are facing another security worry following the discovery of a massive botnet. Attackers have infected 20,000 WordPress sites by brute-forcing administrator usernames and passwords. They are then using those sites to infect even more WordPress installations.

The botnet, which WordPress security company Wordfence discovered last week, infects sites using a feature known as XML-RPC. This is an interface that lets one piece of software make requests to another by sending it remote procedure calls (RPCs) written in the extensible markup language (XML).

Legitimate blogging programs use this feature to send blog content for WordPress sites to format and publish. Attackers can also use it to try multiple passwords and then manipulate a site if they gain access.

The attackers wrote a script that launches an XML-RPC-based brute force attack, automatically generating a range of usernames and passwords in the hope that one of them will work and give them access to a privileged account. At that point, they can use that account to infect the site with the botnet software.

The password-building mechanism takes lists of usernames along with lists of common passwords and uses simple algorithms to create new password combinations from the usernames. So it might try the username ‘alice’ with passwords like alice123, alice2018, and so on. It might not be very effective on a single site, but when used across many sites, the attackers’ chances of success increase, says Wordfence.

Like any botnet, infected sites take instruction from the bot herders via a command and control (C2) server. In this case, however, the C2 infrastructure is relatively sophisticated. The attackers send their instructions to infected sites from one of four C2 servers that communicate via proxy servers, chosen from a large Russian list. Three of the C2 servers are hosted by HostSailor, which cybersecurity journalist Brian Krebs has reported on in the past.

While the C2 servers presented a login screen, Wordfence found that they did not, in fact, require authentication and it was able to view details of the infected slave machines, along with the proxy lists used to access them.
