Extremely Large WordPress WP-Admin Brute Force Attacks

Informational

27 replies to this topic

#21 MikeDVB

MikeDVB

    Forum Administrator

  • Staff Administrator
  • 2,900 posts
  • Gender:Male
  • Location:Central Indiana, USA

Posted 12 April 2013 - 01:06 PM

Pretty big coincidence - especially since I was in the backend of 2 within the past 48hrs & unless I was in a fugue state... I did not change the passwords.


Just thought I would give a heads up :D Have a great weekend.

Coincidence is coincidence, correlation does not imply causation.
  • 0
Michael Denney - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/

#22 Lightpix

Lightpix

    Newbie

  • Clients
  • 6 posts

Posted 12 April 2013 - 07:37 PM

@billh--I have been using WordPress for several years; love it. In the past few months, however, I have noticed a definite trend of hacker attempts against my account. At first, my ego was boosted because I noticed several of my accounts had hundreds or thousands of hits I could not explain. The increase was so dramatic that I was sure that my efforts at SEO, etc. were being rewarded. I was thrilled that people were paying attention to my work!

However, I began to carefully investigate the "hits." It soon became clear that the increased traffic had nothing to do with my accounts, and usually were of such short duration as to belie any interest in my web domains. After I installed WordFence I began to see that I was being systematically attacked by hackers trying to get access to my site. "Brute force" is exactly right, as the number of attempts was in the thousands, all to the UserId of "admin." I already knew not to use "admin" but I also made sure that my UserID was not the same as the name that might appear in any postings. On the domain that I allowed Wordfence to reveal that a userid was not valid, I noticed that the bots began plugging in alternate UserIDs: "administrator," "aaa," "user," "Admin," ... So it's not just the password.

I think that Mike's (and the administrator's) response was measured and intelligent. It is a known fact that one of the greatest vulnerabilities of WordPress is the use of the standard UserID: admin. [This is also true for Joomla, which is also being subject to these "brute force" attacks.]

In fact, for the past 3 months I have systematically investigated every email I receive from a friend's email account, that has a suspicious link. In each case, a hacker has gained access by using "admin" as a UserID, always in a WordPress or Joomla web site, and has established a subdirectory in which they have placed a Trojan Horse. I have looked up the web site (usually legitimate) and contacted the web designer (usually listed at the bottom of the page) and let them know they have a Trojan Horse.

This activity is not a small operation. I suspect that this is a major, major (government-sponsored) operation (confirmed to me by the posting here) that could culminate in a major attack on the Internet, of which the recent record attack is just the beginning. I applaud MDDHosting's action, and it lets me know that they take this threat seriously, so much so that they want to prevent all of us from being affected by the negligence of a few.

To the folks at MDDHosting: Thank you!
  • 0
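A defender-side check for the pattern described in the post above, as an added example that is not part of the thread: it counts failed logins per user ID and lists the IDs tried that match no real account. The log format, the account name `site_owner` and the threshold are assumptions; this is not Wordfence's log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in a hypothetical "login_failed" log format
# (not Wordfence's real format); IPs are from documentation ranges.
SAMPLE_LOG = """\
2013-04-12T19:01:02Z login_failed user=admin ip=203.0.113.5
2013-04-12T19:01:03Z login_failed user=admin ip=198.51.100.7
2013-04-12T19:01:03Z login_failed user=admin ip=203.0.113.9
2013-04-12T19:01:04Z login_failed user=administrator ip=198.51.100.7
2013-04-12T19:01:05Z login_failed user=aaa ip=192.0.2.44
2013-04-12T19:01:06Z login_failed user=user ip=203.0.113.5
2013-04-12T19:01:07Z login_failed user=Admin ip=192.0.2.44
2013-04-12T19:05:40Z login_failed user=site_owner ip=192.0.2.200
"""

EVENT = re.compile(r"^(\S+) login_failed user=(\S+) ip=(\S+)$")


def analyze(log_text, real_users, min_failures=3):
    """Summarize failed logins: guessed user IDs and heavily targeted IDs."""
    per_user = Counter()
    ips_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # ignore lines that are not failed-login events
        _, user, ip = m.groups()
        per_user[user] += 1
        ips_per_user[user].add(ip)
    # Compare case-insensitively so "Admin" and "admin" are treated alike.
    real = {u.lower() for u in real_users}
    # IDs tried that match no real account: the bot is guessing user IDs.
    guessed = sorted(u for u in per_user if u.lower() not in real)
    # IDs with many failures, mapped to the number of distinct source IPs.
    targeted = {u: len(ips_per_user[u])
                for u, n in per_user.items() if n >= min_failures}
    return {"per_user": dict(per_user), "guessed": guessed,
            "targeted": targeted}


if __name__ == "__main__":
    # "site_owner" is a hypothetical real account on the site.
    report = analyze(SAMPLE_LOG, real_users={"site_owner"})
    for key, value in report.items():
        print(key, value)
```

A non-empty `guessed` list for a site with no `admin` account shows the bots are cycling through user IDs as well as passwords, which is the behaviour the post reports.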

#23 roadmon

roadmon

    Newbie

  • Members
  • 2 posts
  • Gender:Male

Posted 14 April 2013 - 07:20 AM

Very nice to get this update.
MDDHosting is not only busy taking subscription fees (LOL) but also taking steps forward to secure their customers' websites.
Bravo MDDHosting. :)
  • 0

#24 Scott

Scott

    MDDHosting Staff

  • Staff Administrator
  • 421 posts
  • Gender:Male

Posted 16 April 2013 - 04:17 PM

More information and advice regarding this attack from LastPass:
http://blog.lastpass...t-you-need.html

And the original CloudFlare article in case you missed it in our first post:
http://blog.cloudfla...he-wordpress-br
  • 0
Scott S - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/

#25 T0M

T0M

    Newbie

  • Members
  • 6 posts

Posted 16 April 2013 - 04:59 PM

Mike, I am curious as to how you notify the clients of resellers. Do you notify accounts directly or notify the reseller account of the changed user names and passwords for the affected domains? Thanks.
  • 0

#26 Scott

Scott

    MDDHosting Staff

  • Staff Administrator
  • 421 posts
  • Gender:Male

Posted 16 April 2013 - 05:03 PM

Mike, I am curious as to how you notify the clients of resellers. Do you notify accounts directly or notify the reseller account of the changed user names and passwords for the affected domains? Thanks.


We never contact the client of a reseller directly. We only notify the reseller and it is up to them to notify their client, handle it for their client, etc.
  • 0

#27 T0M

T0M

    Newbie

  • Members
  • 6 posts

Posted 16 April 2013 - 05:34 PM

Awesome. I was certain that was the case but just wanted some clarification as I plan on opening a reseller account.
  • 0

#28 MikeDVB

MikeDVB

    Forum Administrator

  • Staff Administrator
  • 2,900 posts
  • Gender:Male
  • Location:Central Indiana, USA

Posted 16 April 2013 - 06:51 PM

Awesome. I was certain that was the case but just wanted some clarification as I plan on opening a reseller account.

Sure thing :).
  • 0