A botnet of more than 20,000 WordPress sites is attacking other WordPress sites

Criminals controlling a network of more than 20,000 already infected WordPress installations are using those sites to launch attacks on other WordPress sites, security firm Defiant has disclosed.

Defiant, the company that maintains and distributes the Wordfence plugin, a firewall for WordPress sites, says it recorded more than five million login attempts in the last month from already infected sites against other, still clean WordPress sites.

The attacks are what security researchers call “dictionary attacks”: repeated login attempts in which the attackers try a series of username and password combinations, hoping to score a hit and gain access to an account.

Defiant security researcher Mikey Veenstra says the company has gained an understanding of how this botnet works. According to Veenstra, Defiant’s investigators found that at the top of the botnet sits a hydra-like head of four command and control servers that instruct the already infected sites on which other sites to attack.

These servers send attack instructions through a network of more than 14,000 proxy servers rented from the best-proxies service, which in turn relay the instructions to malicious scripts planted on the already infected WordPress sites.

These scripts read a list of targets received from the command and control server, generate a list of passwords from a predefined set of password patterns, and then attempt to use each generated password to sign into the target site’s administrator account.

“If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on,” Veenstra explained in his report. “While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.”

Under ordinary circumstances, because the attackers used a network of proxies to hide the location of their command and control servers, researchers would not have been able to trace the botnet’s activity.

Fortunately, Defiant says the team behind the botnet made “a few errors in their execution of the brute force scripts” that allowed researchers to uncover the botnet’s entire backend infrastructure.

The mistakes did not stop at the brute force scripts. Defiant says the botnet’s operators also made errors in implementing the authentication for their botnet’s administration panel. Defiant researchers say they were able to bypass the control panel’s login and look inside the criminals’ operation.

The company says it shared the data it gathered from the botnet with law enforcement. Unfortunately, the botnet’s four command and control servers could not be taken down, as they are hosted on the infrastructure of HostSailor, a company described in the past as a bulletproof hosting provider that does not honour takedown requests. This means the botnet is still alive and well, continuing to attack more WordPress sites.

Because the botnet’s automated login attempts are not aimed at the WordPress login page but at the WordPress XML-RPC authentication interface, changing a site’s admin panel URL will not help.

Instead, Defiant recommends that WordPress site owners use a WordPress security plugin that can block brute-force or dictionary attacks against the XML-RPC service.

Attacks on XML-RPC authentication have been going on for a couple of years now, and any decent WordPress firewall should be able to block them.
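Site owners who want to see whether this kind of traffic is hitting them before (or alongside) installing a firewall plugin can look in the web server access log. The following is an added example, not code from the article, from Defiant or from Wordfence: it parses combined-format access log lines and flags bursts of POSTs to xmlrpc.php. It counts requests rather than response codes because XML-RPC typically answers a failed login with HTTP 200 and a fault body, so the status column says nothing. It keeps two counters on purpose: a per-source one, and a site-wide one for the proxy-fed pattern the article describes, where thousands of addresses each send only a request or two and no single source ever crosses a per-IP threshold. The log lines are constructed, and the window and thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/nginx default):
#   ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, ip, method, path-without-query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return ts, m["ip"], m["method"], m["path"].split("?", 1)[0]


def detect_xmlrpc_bruteforce(lines, window=timedelta(minutes=5),
                             per_ip_threshold=20, site_threshold=100):
    """Flag bursts of POSTs to xmlrpc.php inside a sliding time window.

    noisy_ips: sources that alone reach per_ip_threshold inside one window.
    distributed_burst: the site as a whole reached site_threshold inside one
        window. This catches the proxy-fed pattern (many sources, one or two
        requests each) that a per-source threshold never sees.
    Thresholds are assumptions to tune per site, not values from the article.
    """
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, method, path = parsed
        if method == "POST" and path.endswith("/xmlrpc.php"):
            events.append((ts, ip))
    events.sort()

    recent = deque()      # events inside the current window, oldest first
    per_ip = Counter()    # POST count per source inside the window
    noisy_ips = set()
    distributed_burst = False
    for ts, ip in events:
        recent.append((ts, ip))
        per_ip[ip] += 1
        # evict everything older than the window before judging this event
        while recent and ts - recent[0][0] > window:
            _, old_ip = recent.popleft()
            per_ip[old_ip] -= 1
        if per_ip[ip] >= per_ip_threshold:
            noisy_ips.add(ip)
        if len(recent) >= site_threshold:
            distributed_burst = True
    return {"xmlrpc_posts": len(events),
            "noisy_ips": sorted(noisy_ips),
            "distributed_burst": distributed_burst}


def build_sample_log():
    """Constructed sample traffic (not real data), grouped by scenario."""
    base = datetime(2018, 12, 10, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 412 '
                f'"-" "Mozilla/5.0"')

    return {
        # one source firing 25 POSTs in two minutes
        "noisy": [line("203.0.113.10", 5 * i, "POST", "/xmlrpc.php")
                  for i in range(25)],
        # 120 proxy addresses, one POST each, spread over four minutes
        "distributed": [line(f"198.51.100.{i + 1}", 2 * i, "POST", "/xmlrpc.php")
                        for i in range(120)],
        # ordinary traffic that must not count: GETs, including xmlrpc.php?rsd
        "benign": [line("192.0.2.7", 30 * i, "GET", "/wp-login.php")
                   for i in range(10)]
                  + [line("192.0.2.8", 60, "GET", "/xmlrpc.php?rsd")],
    }


if __name__ == "__main__":
    sample = build_sample_log()
    print(detect_xmlrpc_bruteforce(sum(sample.values(), [])))
    print(detect_xmlrpc_bruteforce(sample["distributed"]))
```

Run against a real log with `detect_xmlrpc_bruteforce(open("access.log"))`. The second print in the block is the interesting one: with only the distributed trickle, `noisy_ips` stays empty while `distributed_burst` is still set, which is why a site-wide rate limit on xmlrpc.php (or disabling XML-RPC outright if nothing legitimate uses it) is the more robust control than per-IP blocking against a botnet that routes through 14,000 proxies.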
