Incident Response, Network Security, TDR

WordPress attacks showcase botnet owner’s expanding tricks

A botnet using more than 90,000 IP addresses to crack WordPress admin accounts may be used as part of a larger plot to disrupt online users, according to researchers.

WordPress founding developer Matthew Mullenweg took to his blog Friday to warn users of widescale hacking attempts underway.

WordPress users with the “admin” username are being targeted by a botnet consisting of compromised home PCs. The infected machines are brute-force hacking accounts, automatically inputting a list of commonly used passwords. Mullenweg advised anyone with the “admin” login to change it, as well as their password, and to turn on the site's newly implemented two-factor authentication feature.

CloudFlare, a San Francisco-based security and site performance service provider, and web hosting provider HostGator suggested the botnet could be using home-based machines to assemble a more destructive network capable of carrying out distributed denial-of-service (DDoS) attacks on the web.

Compromised WordPress servers would give the botnet much more bandwidth to use for malicious purposes, according to a blog post from CloudFlare, a San Francisco-based security and site performance provider.

CloudFlare co-founder and CEO Matthew Prince said a similar attack method was used to stage the ongoing DDoS campaigns against several banks in the United States.

In those incidents, hackers targeted WordPress users running an outdated TimThumb plug-in, a popular image resizing tool, to exploit the accounts and turn infected accounts into DDoS tools pointed toward American banking sites.

Prince said targeting WordPress servers gives attackers an “army of bots” with “fairly big connections to the internet."

“The harm is that, if your blog is compromised, the server resources can be used to launch attacks against other parts of the internet infrastructure,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.