A very large distributed attack is targeting the admin login of WordPress-powered websites and blogs. This brute force attack has been underway for a number of days from thousands of IP addresses around the world. We have seen a significant increase in this type of traffic across our systems and have blocked or mitigated some of the worst offending networks. However, due to the sheer number of IPs and networks involved, an attack of this nature is difficult to stop.
This attack appears to be specifically targeting the default “admin” username for WordPress. The attacker repeatedly attempts to log in as this “admin” user by guessing the password. Because WordPress does not restrict the number of login attempts by default, the attacker can keep trying until he succeeds. You can read more about brute force attacks here: https://www.owasp.org/index.php/Brute_force_attack.
We recommend that all of our customers using WordPress take the following steps immediately:
- Change your current “admin” user password if the account is enabled
- Rename your “admin” user or create a new, separate account for administration
- Check for and apply the latest updates for WordPress core and for any plugins or themes
Additionally, we recommend limiting access to the wp-admin area of WordPress, both by limiting login attempts and by restricting access to trusted users or trusted IP addresses via .htaccess.
- Review the wp-admin section of Hardening WordPress
- Limit login attempts to wp-admin. A number of plugins exist that can help implement login limits, such as Limit Login Attempts (note: we do not support or endorse any 3rd party plugins).
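As an added illustration of the login-limiting step (this is not WordPress code and not any plugin's code), a sliding-window limiter that counts failures per client IP and per username; the thresholds are assumptions, not recommended values:

```python
import time
from collections import defaultdict, deque

# Assumed thresholds for the illustration; tune them for a real site.
MAX_FAILURES = 5        # failures allowed per key inside the window
WINDOW_SECONDS = 600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 1800  # how long a key stays locked once it trips


class LoginLimiter:
    """Tracks failed logins per client IP and per username.

    Keying on the username as well as the IP matters for the attack
    described above: thousands of IPs each try the single "admin"
    account a few times, so a per-IP limit alone never trips.
    """

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.failures = defaultdict(deque)    # key -> timestamps of failures
        self.locked_until = {}                # key -> unlock time

    def _keys(self, ip, username):
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username):
        t = self.now()
        return any(self.locked_until.get(k, 0) > t for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        t = self.now()
        for key in self._keys(ip, username):
            q = self.failures[key]
            q.append(t)
            # drop failures that have aged out of the sliding window
            while q and q[0] < t - WINDOW_SECONDS:
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self.locked_until[key] = t + LOCKOUT_SECONDS
                q.clear()

    def attempt(self, ip, username, password_ok):
        """Return True if the login is accepted, False otherwise."""
        if self.is_locked(ip, username):
            return False          # rejected even if the password is right
        if password_ok:
            return True
        self.record_failure(ip, username)
        return False
```

Locking on the username means a flood of bad guesses also locks out the legitimate administrator for the lockout period, which is why the IP-restriction step above complements rather than replaces this control.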
If you need any assistance with securing your WordPress site, or if you believe your admin account has been compromised, please open a support ticket, and we will be glad to assist.
Security researchers have discovered a long-standing vulnerability in many popular web application languages that can lead to a denial of service (DoS) attack. Most programming languages and frameworks, including PHP, Java, Python and ASP.NET, are vulnerable to this HashDoS vulnerability.
A denial-of-service (DoS) attack overloads the server with multiple requests, effectively making it unable to serve a website to new visitors. Usually an attack strong enough to overwhelm a server requires a lot of horsepower on the attacker’s side. This vulnerability, however, makes things significantly easier for an attacker.
Microsoft has released an emergency/out-of-band update (KB2659883 and MS11-100) to mitigate this issue in ASP.NET and .NET Frameworks.
All our Windows Server systems have already been patched with MS11-100.
Researchers recently presented their findings at the 28C3 security conference. The specific details relate to hashing algorithms and the handling of hash collisions: a specially crafted request can force a website to consume all of its CPU resources resolving and managing the hash collisions, and the resulting CPU load can lead to a DoS on the website.
Short of fixing the core hashing algorithms and functions, there are a number of workarounds that can be used to mitigate the impact of the HashDoS vulnerability:
- Reduce the length/size of HTTP parameters that can be sent via POST.
- Reduce the number of HTTP parameters accepted by the web application framework.
- Limit the amount of CPU time that any given thread is allowed to run.
These workarounds may negatively impact the operation of your web application and should be reviewed and tested before being deployed into a production environment.
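As an added illustration of the first two workarounds (not code from any framework or runtime), a pre-parse check that caps body size and parameter count before a form body is turned into a hash table; the limits are assumed values:

```python
import urllib.parse

# Assumed caps for the illustration, not recommended production values.
MAX_BODY_BYTES = 64 * 1024   # largest application/x-www-form-urlencoded body accepted
MAX_PARAMS = 1000            # most key=value pairs accepted in one body


class RequestRejected(Exception):
    """Raised when a body breaches a cap; map this to an HTTP 413 in a real app."""


def count_params(body: bytes) -> int:
    """Count key=value pairs without building a dict.

    The check has to run before parsing: the parse is what inserts every
    key into a hash table, and colliding keys are what make that step
    expensive. Counting separators is linear in the body size regardless
    of what the keys are.
    """
    return sum(1 for part in body.split(b"&") if part)


def parse_form_body(body: bytes) -> dict:
    """Parse a urlencoded body only after it passes the size and count caps."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("body is %d bytes, limit is %d" % (len(body), MAX_BODY_BYTES))
    n = count_params(body)
    if n > MAX_PARAMS:
        raise RequestRejected("body has %d parameters, limit is %d" % (n, MAX_PARAMS))
    pairs = urllib.parse.parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    return dict(pairs)


def accept_form_body(body: bytes):
    """Return (status, result): 200 with the parsed dict, or 413 with the reason."""
    try:
        return 200, parse_form_body(body)
    except RequestRejected as exc:
        return 413, str(exc)
```

Web servers and runtimes expose the same caps natively (for example Apache's LimitRequestBody directive and PHP's max_input_vars setting), and those are the better place to enforce them than application code.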
References and further reading:
One of the greatest things about the Internet is the incredible amount of innovation that occurs on an almost daily basis. New or improved products, software and services are released all the time. Improvements and updates are sometimes major releases and sometimes small but important fixes to resolve bugs or security issues. It can be a challenge to keep up with all these updates and changes, but in the end it is usually more costly, complicated, and risky not to stay current. Put simply: you must stay current, because falling behind is far more expensive, risky and problematic than updating.
If you don’t update…
A few days ago the Apache Foundation announced a denial-of-service vulnerability that affects all versions of the Apache web server. According to the August 2011 Netcraft survey, over 65% of all websites are based on Apache.
A denial-of-service attack overloads the server with multiple requests, effectively making it unable to serve a website to new visitors. Usually an attack strong enough to overwhelm a server requires a lot of horsepower on the attacker’s side. This vulnerability, however, makes things significantly easier for an attacker.
NOTE: An exploit utilizing this vulnerability is publicly available.
All our managed servers have already been patched against this vulnerability.
Internet security (or the lack thereof) has had its share of press in recent weeks. We have seen the large-scale breach of Sony’s PlayStation Network service by hackers, attacks on the websites of organizations like PBS and the CIA by the LulzSec group, and the data breach at Citigroup, to name just a few examples. All these events serve as a sobering reminder that on today’s Internet it is not a question of if you will eventually get hacked, but when.
Recently a friend contacted me with a now common but always anxiety-producing problem: “Help! One of my websites has been hacked!” I helped him begin the usual clean-up process: we looked at the site and found some hidden malware scripts, removed them, restored the site from a backup, updated an out-of-date script (with a known vulnerability) and rotated all the passwords.
After the dust settled we talked about the incident; I wanted to make sure that my friend would take steps to avoid or minimize the risk of this happening again. After talking with him I realized that he hadn’t visited this site in at least 2 weeks, and it appeared the site was hacked and remained hacked for almost as long!