A botnet of more than 20,000 WordPress sites is assaulting other WordPress sites

Law breakers controlling a network of more than 20,000 already contaminated WordPress installations are utilizing these sites to dispatch assaults on other WordPress sites, disclosed by security firm Defiant.

Defiant, the organization which oversees and distributes the Wordfence plugin, a firewall framework for WordPress sites, says it recognized more than five million login attempts in the last month from effectively tainted sites against other and to clean WordPress portals.

The assaults are what security specialists call “dictionary attacks.” These are rehashed login endeavors amid which programmers test a progression of username and passoword blends, wanting to score a hit and access an account.

Defiant security scientist Mikey Veenstra says the organization has figured out an understanding into how this botnet works. The scientist said that the Defiant agents found that at the top of this botnet stands hydra-like head of four command and control servers that instuct already contaminated sites on which other sites to assault.

These servers send assault directions through a system of more than 14,000 intermediary servers leased from the best-proxies service, which at that point hand-off this data to malignant scripts put on officially tainted WordPress sites.

These scripts read a rundown of targets they get from the command and control server, gather a list of passwords based on a predefined list of password patterns and after that endeavor to utilize the recently generated password to sign into another site’s administrator account.

“If the brute force script was attempting to log on to example.com as the user alice, it will generate passwords like example, alice1, alice2018, and so on,” Veenstra explained the attack mechanism in his report. “While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.”

Under ordinary conditions, in light of the fact that the assailants utilized a system of proxies to shroud the location of their command and control servers, scientists wouldn’t have the capacity to detect this botnet’s activity.

Luckily, Defiant says that the team behind this botnet made “a few errors in their execution of the brute force scripts” that enabled specialists to uncover the botnet’s whole backend foundation.

Moreover, the missteps didn’t stop at the brute force scripts. Defiant says the botnet administrators likewise committed errors in actualizing the authentication systems for their botnet’s administration panel. Defiant scientists say they could bypass the botnet control panel login system and take a look inside the evildoers’ activity.

The organization says it shared the data it accumulated from the botnet with law enforcement. Tragically, the botnet’s four command and control servers couldn’t be brought down, as they are facilitated on the framework of HostSailor, an organization described some time ago as an impenetrable hosting provider that doesn’t respect takedown demands. This implies the botnet is as yet perfectly healthy, proceeding to assault more WordPress destinations.


Since the botnet’s automated login attempts aren’t coordinated at the WordPress login panel, yet rather at the WordPress XML-RPC verification system, changing a site’s admin panel URL won’t help.

Rather, Defiant suggests that WordPress site proprietors utilize a WordPress security plugin that can block brute-force or dictionary attacks carried out against the XML-RPC service.

Luckily, assaults on the XML-RPC authentication frameworks have been continuing for a couple of years now, and any decent WordPress firewall should be able to have the capacity to hinder these assaults.

Leave a Reply

Your email address will not be published. Required fields are marked *

Single Column Posts

Single Column Posts Subtitle

Hacking Mass-Scan Campaign Apprehended for Ethereum Miners

It has been apprehended that if one is not careful enough with the warnings about port 8545, he may outright...

Eventual forthcoming of Artificial Intelligence predicted by 23 World-Leading AI Experts

The AI-hype would've you believe that we'll before long be subjugated by incredibly smart beings or chased by executioner robots....

EOS Community faces Convulsive Challenges

The EOS blockchain protocol had infuriated the decentralization proponents for a second time. The reason being, EOS officially sanctioned Block...

Assailants are utilizing these five hacking tools to target you

Aggressors ranging from nation backed espionage groups to petty cybercriminals are progressively swinging to openly accessible hacking tools to help...

Data breach evasion 101

When a major information break makes the news, one thing that can lose all sense of direction in the commotion...