
"Active malware campaign uses thousands of WordPress sites to infect visitors"

Discussion in 'BlackHat Lounge' started by HelloInsomnia, Sep 18, 2015.

  1. HelloInsomnia

    HelloInsomnia Jr. Executive VIP Jr. VIP

    Joined:
    Mar 1, 2009
    Messages:
    1,825
    Likes Received:
    2,936
    http://arstechnica.com/security/201...usands-of-wordpress-sites-to-infect-visitors/

    Relevant given the usage of Wordpress here.

    Basic WP security tips:

    1. Keep everything up to date; go update all plugins, themes and WP on all your sites.
    2. Drop useless plugins (if you can do it yourself you don't need a plugin, e.g. a plugin to add Adsense code).
    3. Use as few plugins as possible.
    4. Don't use the "admin" username, or your site name or a variation of your site name.
    5. Use a strong password, 30+ characters with all the goodies in it.
    6. Change the Wordpress nicename in the database (Google it).
    7. Install Wordfence or something like it. Configure it to update automatically and to limit login attempts to lock out brute force attacks.
     
    • Thanks x 6
  2. TayaX

    TayaX Jr. VIP Jr. VIP

    Joined:
    Dec 13, 2010
    Messages:
    3,471
    Likes Received:
    1,934
    Occupation:
    Skype : TayaxBHW
    Location:
    France
    I believe all my sites got updated 2 days ago. It must be related.
     
  3. uncce

    uncce Junior Member

    Joined:
    Dec 24, 2014
    Messages:
    166
    Likes Received:
    27
    ...or just don't use wordpress and drop bad visitors
     
  4. Zwielicht

    Zwielicht Moderator Staff Member Moderator Jr. VIP

    Joined:
    Aug 31, 2013
    Messages:
    6,612
    Likes Received:
    11,754
    Gender:
    Male
    Occupation:
    Private Investigator
    Location:
    Riverside, California
    In addition to limiting login attempts, you can also rename your wp-login.php. You can either use this plugin or do it yourself.

    That plugin I linked to intercepts the page requests and throws up a 404 error if unauthorised users try to access it via wp-admin or wp-login.

    It's a pretty good plugin I started using after the person who hacked one of my client's sites kept trying to go to the wp-login page. It's pretty funny because he still makes a few attempts with non-existent backdoor scripts and weird URLs (after he realised the regular wp-login and admin pages weren't working) once a week with some of my favourites being:
    • /wp-admin/matthew-eric-wrinkles
    • /wp-admin/tears-running-down
    • /wp-admin/dinosaur-kesha
    Edit: actually, since I posted this on Black Hat World, can someone confirm what exactly those URLs are used for? I assumed they were backdoor scripts after reading this article, but I was never really sure.
     
    • Thanks x 1
    Last edited: Sep 18, 2015
  5. Aluminium

    Aluminium Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 5, 2013
    Messages:
    1,744
    Likes Received:
    931
    Gender:
    Male
    Occupation:
    High-Quality Content Provider
    Location:
    Canada
    Great stuff; you can always count on this community to provide you with relatively straightforward fixes to problems like these.

    I have a question though: would manually blocking certain IPs/users just be too time consuming?
     
  6. Zwielicht

    Zwielicht Moderator Staff Member Moderator Jr. VIP

    Joined:
    Aug 31, 2013
    Messages:
    6,612
    Likes Received:
    11,754
    Gender:
    Male
    Occupation:
    Private Investigator
    Location:
    Riverside, California
    Some people use different computers to access your site, so if they're blocked from one device or network, they often just switch devices or networks. In the case of my client's site, there's only 1 guy trying to break in and it's the previous web designer, who's a big loser who ripped my client off a couple of years ago and installed all kinds of funky things on the site. The only reason I don't try to block him from trying to access the site is because:

    1. He'll never get in
    2. I enjoy seeing him struggling
    3. I enjoy seeing what he'll type in next.
    There was this one time where he typed in something like "wp-admin/rape-sex-hard" and I thought that was really weird.
     
  7. bigballin6161

    bigballin6161 Jr. VIP Jr. VIP Premium Member

    Joined:
    Jul 16, 2011
    Messages:
    1,094
    Likes Received:
    423
    Nice! Bookmarked!
     
  8. puneetas3

    puneetas3 Senior Member

    Joined:
    Jan 8, 2012
    Messages:
    882
    Likes Received:
    386
    I just use nginx VPSes for my WP sites. And whenever someone tries to log in to WP, I just send its IP to my Cloudflare account blacklist via API and block it for the next 6 hours. It's automated pieces of scripts that check logs for WP logins, and then Cloudflare stops it from hogging server resources or brute force attacks. So I save my server resources, as iptables rules don't need to run in such attacks and it's stopped at CF.
     
    • Thanks x 1
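The log-driven blocking puneetas3 describes above, together with the limit-login-attempts advice in tip 7 of the first post, as an added example (this is not code from this thread, from Wordfence, or from any plugin named here): it parses constructed nginx access-log lines, flags any IP that POSTs to wp-login.php more than a threshold number of times inside a sliding window, skips an allowlisted IP (the poster's own), and builds, without sending, the Cloudflare IP Access Rule request that would block it. The threshold, the window, the six-hour block length and the sample IPs (documentation ranges) are my assumptions; the Cloudflare endpoint and body shape are what its public API documents for user-level IP access rules as I know them, so verify against the current docs before wiring this into a real account.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parser for nginx "combined" access-log lines (assumed log format):
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one host hammering wp-login.php, the site owner's
# own IP logging in a few times, one casual visitor, one page view.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2015:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2015:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Sep/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Sep/2015:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Sep/2015:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Sep/2015:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Sep/2015:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Sep/2015:10:03:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Sep/2015:10:03:40 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.0.2.99 - - [18/Sep/2015:10:04:00 +0000] "GET /blog/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOGIN_PATH = "/wp-login.php"

# Assumed endpoint for user-level IP Access Rules; check current Cloudflare docs.
CF_ACCESS_RULES_URL = "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10),
                       allowlist=frozenset(), block_for=timedelta(hours=6)):
    """Map IP -> {"attempts", "block_until"} for IPs with >= threshold
    login POSTs inside any `window`-long span. Allowlisted IPs are skipped."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue  # only login submissions count, not page loads
        if rec["ip"] in allowlist:
            continue
        attempts[rec["ip"]].append(rec["time"])

    blocks = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window
                start += 1
            if end - start + 1 >= threshold:
                blocks[ip] = {"attempts": len(times),
                              "block_until": times[-1] + block_for}
                break
    return blocks


def cloudflare_block_request(ip, block_until, api_token):
    """Build (do not send) the Cloudflare IP Access Rule request for `ip`."""
    body = {
        "mode": "block",
        "configuration": {"target": "ip", "value": ip},
        "notes": f"wp-login brute force; remove after {block_until.isoformat()}",
    }
    headers = {"Authorization": f"Bearer {api_token}",
               "Content-Type": "application/json"}
    return {"method": "POST", "url": CF_ACCESS_RULES_URL,
            "headers": headers, "body": json.dumps(body)}


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines(), allowlist={"198.51.100.20"})
    for ip, info in hits.items():
        req = cloudflare_block_request(ip, info["block_until"], "PLACEHOLDER_TOKEN")
        print(ip, info["attempts"], "attempts; block until", info["block_until"])
        print(req["method"], req["url"], req["body"])
```

Two things the thread's description glosses over: Cloudflare access rules have no built-in expiry, so the "6 hours" needs a second job that records each rule's id and deletes it once `block_until` has passed; and counting every POST, as puneetas3 does, also counts successful logins, which is why the allowlist for your own address matters.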
  9. cataratas

    cataratas Junior Member

    Joined:
    Apr 13, 2011
    Messages:
    167
    Likes Received:
    75
    Is there a huge worldwide WordPress brute force attack going on just now? 2 of my sites have been getting battered every hour for the last week or so with login attempts. I've locked down with Wordfence (paid version) and I feel quite safe, but it really p1sses me off.
     
  10. blogzandstuff

    blogzandstuff Elite Member

    Joined:
    Jan 1, 2015
    Messages:
    5,196
    Likes Received:
    2,402
    Occupation:
    blog creator
    Location:
    UK
    I use two plugins for security: Limit Login Attempts, which blocks attempts after 3 for 24 hrs if it's not my IP, and a secret question and answer plugin which, combined with a strong password, makes it more difficult. I get hack attempts nearly every day. They need to get four things correct: the right question, the right answer, the admin username and the password.