Increasing Distributed, Brute-Force Attacks Against WordPress
IntelliShield: Security Activity Bulletin
2013 April 15 15:50 GMT
2013 April 30 19:10 GMT
Additional information is available regarding the brute-force attacks against WordPress sites.
Distributed, brute-force attacks against WordPress sites have been reported. These attacks could allow remote attackers to gain unauthorized access or conduct denial of service attacks against the targeted sites.
The highly distributed attack activity is reported to have used about 90,000 forged or spoofed IP addresses and to be actively attacking the /wp-login.php and /wp-admin WordPress administrator authentication scripts. The admin, test, administrator Admin, and root account names have been observed to be the primary names used to conduct the brute-force attacks.
Successful brute-force attempts could allow the attacker to gain unauthorized access to the WordPress Content Management System (CMS) account and take actions in the application with the privileges of the compromised user account.
Recent reports have suggested increased activity of this distributed attack. Sites that use WordPress CMS could be slow to respond because of high rates of incoming network traffic.
According to unclassified U.S. Federal Bureau of Investigation reports, some brute-force dictionary attacks appear to originate from a botnet named UpBot-V5. In the event of a successful brute-force attack, the botnet has been observed to upload GIF image files with PHP scripts to the compromised web server, modify server files, and execute arbitrary code on the server. Attackers may also install a custom SSH service to facilitate unauthorized remote connections to compromised servers.
Signature-based detections that monitor for repeated login attempts can help detect brute-force attacks. In addition, signatures that monitor for uploads of GIF images using PHP code could detect the observed post-exploitation methods that upload malicious files to compromised servers.
Users are advised to use strong passwords for their WordPress accounts.
Administrators could limit user access by password protecting all hosted WordPress access files through the .htaccess file.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks.
Administrators are advised to monitor affected systems.
Version 1, April 15, 2013, 3:50 PM: Distributed, brute-force attacks against WordPress sites have been observed. These attacks could allow a remote attacker to gain unauthorized access or cause a denial of service condition on a targeted site.
The security vulnerability applies to the following combinations of products.
Security Activity Bulletin
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.