Topic: WordPress brute-force attacks
12-04-2013, 05:10 #1
- Join Date
- Feb 2012
- Lisboa, Portugal
WordPress brute-force attacks
Patching the Internet in Realtime: Fixing the Current WordPress Brute Force Attack - CloudFlare blog
There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.
One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.
12-04-2013, 06:59 #2
12-04-2013, 10:04 #3
Follow us on Twitter: @wht_brasil
- Join Date
- Sep 2010
12-04-2013, 12:24 #4
- Join Date
- Sep 2011
- São Paulo / SP
A good idea would be to change the password as soon as possible.
12-04-2013, 13:12 #5
But you know how it is... it's like talking to a door. Only 1% of doors can hear you.
What annoys me most and really makes me angry is that most people don't give a damn about security. When they get hacked, they immediately complain about the server's security, and then comes a complaint on difameaqui.
12-04-2013, 13:52 #6
Stopping Brute-force Logins Against Wordpress
I haven't tested it; if anyone can test it and share...
13-04-2013, 14:17 #7
WordPress Attacks Hammer Web Hosts
The brute-force attack to discover admin passwords of WordPress blogs is spreading to sites running Joomla.
The attack is estimated to be using 90,000 compromised servers, most of them hosted in data centers.
A large-scale attack – powered by 90,000 web servers – has been launched against WordPress blogs with weak admin credentials, and web hosts are being warned to update passwords immediately.
The attacks have also extended to Joomla websites, and Go Daddy has been working at mitigating the attacks for its WordPress and Joomla customers this week.
A post by KrebsOnSecurity says that analysts from a range of security and networking firms have tracked “an alarming uptick in so-called ‘brute-force’ password-guessing attacks against websites powered by WordPress, perhaps the most popular content management system in use today.”
Marc Gaffan, co-founder of Incapsula, a security firm, told Krebs that the attacks are creating chaos at some web hosting firms.
It’s hurting the service providers the most, not just with incoming traffic. But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.
HostGator has warned its customers with WordPress websites to change their passwords to something that meets the requirements specified on the WordPress website: something with upper and lowercase letters, at least 8 characters long, and including ‘special’ characters.
The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods. We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
ResellerClub is also working hard at mitigating the WordPress attack, but says it has noted the issue before.
To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers.
We did a detailed analysis of the attack pattern and found out that most of the attack was originating from CMSs (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories.
Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data.
Melbourne Server Hosting has seen signs of attempted WordPress and Joomla access as well.
Like many other hosting providers, we’ve seen signs over the past 48 hours of increased attempts to access and compromise popular CMS and blog web applications such as WordPress and Joomla.
Whilst there is the clear risk of having your CMS compromised, the more immediate threat posed here is that of a denial of service attack, which will render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash.
For web hosts that use CloudFlare, their customers should be protected from this brute-force WordPress attack as CloudFlare has rolled out a fix to all of its customers automatically, even users on the free tier.
We just pushed a rule out through CloudFlare’s WAF that detects the signature of the attack and stops it. Rather than limiting this to only paying customers, CloudFlare is rolling out the fix to all our customers automatically, including customers on our free plan. If you are a WordPress user and you are using CloudFlare, you are now protected from this latest brute force attack.
Because CloudFlare sits in front of a significant portion of web requests we have the opportunity to, literally, patch Internet vulnerabilities in real-time. We will be providing information about the attack back to partners who are interested in hardening their internal defenses for customers who are not yet on CloudFlare.
Tony Perez at Sucuri Blog says WordPress knew that it wasn’t equipped to handle brute-force attacks.
It was not long ago that I was sitting on a call with other members of the WordPress community in which we were talking about brute-force. When asked why WordPress core didn’t offer more out of the box features to address the issue, the response was it’s just not a relevant issue.
As interesting a response as that was, the latest trends seem to contradict that statement head on. It goes to show us that with the technological improvements things like latency and other network considerations are becoming less of a barrier to entry for attackers.
13-04-2013, 14:22 #8
Go Daddy Joomla, WordPress Hosting Customers See Spotty Admin Access
Go Daddy hosting customers continue to experience intermittent access to admin pages to their Joomla! and WordPress websites on Friday, according to a system alert in its support blog.
According to Go Daddy, the issue of accessibility of admin pages for WordPress and Joomla customers started on Thursday, and it continues to mitigate an Internet-wide attack attempting to gain access to its customers’ websites.
While admin pages may not be accessible, Go Daddy says the websites will remain online.
Go Daddy has also recommended that customers change their passwords once they regain access to their site, directing customers to a blog post that offers tips for generating a strong password.
A year ago, more than 2 million WordPress sites were installed with Go Daddy’s hosting connection one-click installer, and with the majority of its customers being small businesses, it is likely that the number of WordPress sites it hosts has grown over that time period. It is unclear specifically how many WordPress or Joomla customers were impacted by Thursday’s issue.
Earlier this week, Go Daddy Linux web hosting customers experienced intermittent connectivity to their sites, and there was a partial power outage overnight on Monday in a data center that houses some of its virtual private and dedicated hosting services.
Go Daddy shared the service updates through its support blog, and acknowledged the issues on Twitter and Facebook as well.
In March, Go Daddy’s EU hosting environment was hit by a DDoS attack that caused an intermittent service disruption.
Go Daddy is planning an expansion to the Seattle region, and is seeing early success in recruiting engineers from Microsoft and other large tech companies, according to a report by GeekWire on Thursday. Go Daddy CEO Blake Irving was a long-time Microsoft executive, and recently served as chief product officer at Yahoo!, so he likely has a lot of contacts to build out a west coast office.
For now, Go Daddy is establishing a temporary office in Kirkland, Washington, and the plan is to build a permanent office in Kirkland or Bellevue, starting with around 10,000 square feet of space. Last month, Go Daddy established an office in Sunnyvale, California. The aim for Go Daddy is to have a presence in the Bay Area and Seattle, according to Irving.
For a company that has focused on its marketing message to small businesses and its customer service initiatives, its recent efforts at expanding its engineering team come at a time when Go Daddy’s infrastructure is clearly under some strain.
Go Daddy Joomla, Wordpress Hosting Customers See Spotty Admin Access
13-04-2013, 14:30 #9
Microsoft also offers "1-click" installation (including on Azure) of WordPress, Joomla, Drupal, and many others. There's no shortage of vulnerable sites.
Windows Web App Gallery - Featured Apps
NOTE: In a post from 22-06-2012, 13:19
Running WordPress (unverified numbers that are celebrated in articles):
74 million sites
16% of all domains registered worldwide
22 of every 100 new domains registered in the US
150,000 of the top 1 million most-visited sites in the world
WordPress › WordPress Plugins
20,035 plugins, 316,926,560 downloads, and counting
"Plugins can extend WordPress to do almost anything you can imagine"
Most Popular »
All in One SEO Pack
Downloaded 11,282,746 times
Jetpack by WordPress.com
Downloaded 1,738,243 times
Downloaded 11,138,390 times
WordPress SEO by Yoast
Downloaded 1,545,919 times
Contact Form 7
Downloaded 7,266,981 times
Google XML Sitemaps
Downloaded 7,868,499 times
Last edited by 5ms; 13-04-2013 at 14:34.
13-04-2013, 14:41 #10
I didn't quite understand,
But it seems that the mod security tip for blocking for 5 minutes is no longer working...
I found another blog commenting on the subject:
Blocking Wordpress Brute Force Attacks against wp-login.php
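The thread mentions a per-client 5-minute block and quotes hosts describing the attack as highly distributed. As an added example (not from the thread or any linked article), the Python below runs a per-IP threshold and a site-wide threshold over constructed access-log lines to show how login attempts spread across many sources can stay under a per-IP limit while a site-wide count on wp-login.php still flags them. The log format, thresholds and function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def make_sample():
    """Constructed Apache-style log: 40 clients, 3 login POSTs each, over 2 minutes."""
    base = datetime(2013, 4, 12, 5, 0, 0)
    lines = []
    for i in range(120):
        ip = f"198.51.100.{i % 40 + 1}"  # documentation-range addresses
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "-"')
    # One ordinary visitor loading the front page.
    lines.append('203.0.113.9 - - [12/Apr/2013:05:00:30 +0000] "GET / HTTP/1.1" 200 9000 "-" "-"')
    return lines

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def login_posts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php."""
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "POST":
            continue
        if m.group(4).split("?")[0].endswith("/wp-login.php"):
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def per_ip_offenders(lines, limit=5):
    """Per-source rule: IPs with more than `limit` login POSTs in the sample."""
    counts = Counter(ip for ip, _ in login_posts(lines))
    return sorted(ip for ip, n in counts.items() if n > limit)

def site_wide_alerts(lines, window=60, max_posts=30, min_ips=10):
    """Aggregate rule: time buckets with many login POSTs from many distinct IPs."""
    buckets = defaultdict(list)
    for ip, ts in login_posts(lines):
        buckets[int(ts.timestamp()) // window].append(ip)
    return [(b * window, len(ips), len(set(ips)))
            for b, ips in sorted(buckets.items())
            if len(ips) > max_posts and len(set(ips)) >= min_ips]

if __name__ == "__main__":
    sample = make_sample()
    print("per-IP offenders:", per_ip_offenders(sample))
    for start, posts, ips in site_wide_alerts(sample):
        print(f"bucket {start}: {posts} login POSTs from {ips} distinct IPs")
```
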