Brute Force Attacks Oct/Nov 2014 – UPDATE

Post # 3 – Brute Force Attacks Oct/Nov 2014 – UPDATE

WordPress Brute Force Attacks

Following the brute force attacks on our site in Oct/Nov 2014 we started working on securing our site.

We have been experiencing problems with our 50s/60s and 70s/80s/90s streams, as well as with our website. We have been the victims of several brute force attacks on this (WordPress) site. These attacks caused high loads on our server, resulting in server downtime. We have been working on the problem and are trying to resolve the issue ASAP.

We now seem to have stopped the brute force attacks on this site and are confident that the issues are resolved.

Most WordPress users don’t give this a second thought until the day their website is hacked and goes offline, yet most WordPress websites have a major security weakness by default.

Two facts you might not have considered

  1. By default, the same username ‘admin’ is used for every single WordPress installation.
  2. There is no limit to the number of login attempts on a WordPress website.

Recently, there was a worldwide, highly distributed WordPress attack. This attack was notable for using forged or spoofed IP addresses. During the attack, we actively blocked the most common attacking IP addresses across our server farm. If this type of attack happens again, we will again take appropriate measures.

Measures You Can Take to Prevent Similar Attacks

The following steps can be used to secure (by password protection) wp-login.php for all WordPress sites in your cPanel account. This will help deter this type of attack.

How to Password Protect the wp-login.php File

There are two steps to accomplishing this. First you define a username and password in the .wpadmin file, and then you enable the protection in the .htaccess file.
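The two files the steps above refer to, shown as an added example (this is not configuration from the original post or from the hosting providers it cites). USERNAME is a placeholder for the cPanel account name, and the .wpadmin entries are assumed to be created with Apache's htpasswd tool:

```apache
# Step 1: /home/USERNAME/.wpadmin holds one "user:hash" line per allowed login.
# Create it with Apache's htpasswd tool, for example:
#     htpasswd -c /home/USERNAME/.wpadmin wpgate
# Keep it outside public_html so the web server never serves it.

# Step 2: add this to /home/USERNAME/public_html/.htaccess. Apache now asks for
# the .wpadmin credentials before it will even show the WordPress login form,
# so automated password guessing never reaches wp-login.php.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/USERNAME/.wpadmin
    Require valid-user
</Files>
```

Note that this stanza covers only wp-login.php; the xmlrpc.php path discussed further down the page is not affected by it.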

You create a website (it’s super easy these days), publish the content, and within a few weeks someone starts repeatedly trying to log in. These login attempts come from botnets; they are automated and their goal is simple: “break into as many websites as they can by guessing their passwords.” Once they find a password that matches, they take over the site and use it to distribute malware, spam and the like.

Here is a small example, from our own honeypots, where we see hundreds of login attempts per day, trying various combinations:

user: admin, pass: admin
user: admin, pass: 123456
user: admin, pass: 123123
user: admin, pass: 112233
user: admin, pass: pass123
...

The passwords may seem silly, but after going through the 200 or 300 most common dictionary passwords, they get into many websites.

XMLRPC wp.getUsersBlogs

Originally, these brute force attacks always came through /wp-login.php. Lately, however, they are evolving and now leverage the XMLRPC wp.getUsersBlogs method to guess as many passwords as they can. Using XMLRPC is faster and harder to detect, which explains the change in tactics. This is not to be confused with our post back in March, where we reported XMLRPC being used to DDoS websites; in this instance they are leveraging it to break into websites. Be sure to read up on the differences between brute force and denial of service attacks.

This attack is possible because many calls in the WordPress XMLRPC implementation require a username and password. In these attacks we are seeing wp.getUsersBlogs being used (and occasionally wp.getComments), but it could be other calls as well. If you supply a username and password to such a call, the server replies indicating whether or not the combination is correct:

<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>112233</string></value></param>
  </params>
</methodCall>

In the example above, the attackers tried the user admin with the password 112233.
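As an added example (not code from the original post or from the sources it cites), here is a small Python detector written from the defender's side. It recognises the credential-bearing XML-RPC calls described above as well as the wp-login.php form posts from the honeypot list earlier on the page, and counts authentication attempts per source IP so that a source guessing many passwords can be flagged. The request tuples, the documentation-range IP addresses and the threshold are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import parse_qs

# XML-RPC methods whose first two string params are a username and password
# (the post names wp.getUsersBlogs and, less often, wp.getComments).
CREDENTIALED_METHODS = {"wp.getUsersBlogs", "wp.getComments"}


def login_attempt(path, body):
    """Return the username a request tries to authenticate as, or None."""
    if path == "/wp-login.php":
        form = parse_qs(body)  # POSTed login form: log=<user>&pwd=<password>
        return form["log"][0] if "log" in form and "pwd" in form else None
    if path == "/xmlrpc.php":
        try:  # for real untrusted traffic, parse with defusedxml instead
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        if root.findtext("methodName") not in CREDENTIALED_METHODS:
            return None
        strings = root.findall("./params/param/value/string")
        return (strings[0].text or "") if len(strings) >= 2 else None
    return None


def flag_sources(requests, threshold):
    """Count authentication attempts per source IP; return IPs at/above threshold."""
    counts = Counter()
    for ip, path, body in requests:
        if login_attempt(path, body) is not None:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


XMLRPC = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
          "<param><value><string>admin</string></value></param>"
          "<param><value><string>{pw}</string></value></param></params></methodCall>")

# Constructed sample traffic: one source guesses via xmlrpc.php, one via the
# login form (the honeypot passwords quoted above), one is an ordinary visitor.
SAMPLE = (
    [("203.0.113.9", "/xmlrpc.php", XMLRPC.format(pw=p))
     for p in ("admin", "123456", "123123", "112233", "pass123")]
    + [("198.51.100.7", "/wp-login.php", f"log=admin&pwd={p}&wp-submit=Log+In")
       for p in ("admin", "123456", "123123")]
    + [("192.0.2.5", "/xmlrpc.php",
        "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"),
       ("192.0.2.5", "/index.php", "")]
)
```

Calling flag_sources(SAMPLE, 3) reports the two guessing sources and ignores the visitor, whose system.listMethods call carries no credentials.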

Large-scale brute force

To get a sense of the scale of this attack, we went back through our logs. The past couple of weeks have been interesting: the attacks have increased tenfold, with almost 2 million attempts since the beginning of July coming from 17,000 different source IPs. Some days we were seeing almost 200k attempts.

If you have any questions send us a reply or contact us on our contact page.

Technical Support – Endurance Radio

(Some information courtesy of http://wphow.org/wordpress-login-protection-from-brute-force-attacks/, http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack and https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html.)


admin

Administrator & Support at Endurance Radio
I am the webmaster & stream admin guy here at Endurance Radio, monitoring our streams to ensure the smooth running of all Endurance Radio streams.
