If you’re a blogger or online store using WordPress to run your site, a word of warning.
Several local sites have reported distributed denial of service (DDoS) attacks over the last couple of days, all of which follow a pattern similar enough that they could be related.
Micheal van den Heerik, MD of e-commerce specialist WebWiser says that he became aware of suspicious activity on several clients’ sites yesterday. The attacks begin with a flurry of new user registrations, he says, followed by attempts to log in to the admin section of the site. One site saw 8 870 new users registered in just two hours, all using generic emails with a .pl suffix.
Attackers then flood the site with traffic, during which they attempt to gain access to the SQL database linked to the site. If successful, they change administrator passwords and gain full access to the WordPress backend. One of the first things you might notice if you’ve been compromised is that any security plugins on the site may have been changed. Attackers also attempt to change the Facebook tracking ID if possible.
“Everybody should keep an eye out for unusual registrations on their websites,” van den Heerik says.
“We notice that with most of the cases you will see that it starts with lots of ‘new customer’ registrations with @aol.com and @yahoo.com email addresses and non-descript users like ‘JLopes18836’. As soon as you see this you will also start seeing a huge increase in failed login attempts at /wp-admin.”
Van den Heerik says that site admins should check their user lists for a burst of new registrations and, if possible, turn off the ability for visitors to register in the control panel. If that’s not possible, brute-force protection such as fail2ban, which blacklists IP addresses that attempt to log in too many times, or Wordfence should keep attackers out. Once counter-measures are in place, attackers usually give up after a couple of hours, he added.
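As an added illustration of the indicators described above (not code from the article or from WebWiser), this Python script checks an exported user list and web-server access-log lines for the two signals van den Heerik describes: a burst of registrations with throwaway-looking usernames or suspect e-mail domains, and a flood of failed login POSTs from a single address. The thresholds, the log format and the sample data are assumptions chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(hours=2)   # the report describes 8 870 sign-ups in two hours
BURST_THRESHOLD = 50                # assumed threshold for a small site; tune per site
LOGIN_THRESHOLD = 10                # assumed per-IP limit, like a fail2ban maxretry
SUSPECT_DOMAINS = {"aol.com", "yahoo.com"}
GENERIC_USER = re.compile(r"^[A-Za-z]+\d{4,}$")   # nondescript names such as JLopes18836
# Combined access-log format (assumed): ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def registration_burst(users):
    """users: iterable of (registered_at, login, email), e.g. exported from wp_users.
    Returns (peak registrations inside any BURST_WINDOW, count of suspect accounts)."""
    times = sorted(t for t, _, _ in users)
    peak, start = 0, 0
    for end, t in enumerate(times):          # sliding window over sorted timestamps
        while t - times[start] > BURST_WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    generic = sum(1 for _, login, email in users
                  if GENERIC_USER.match(login)
                  or email.rsplit("@", 1)[-1].lower() in SUSPECT_DOMAINS
                  or email.lower().endswith(".pl"))
    return peak, generic

def failed_login_flood(log_lines):
    """Count failed login POSTs per client IP: WordPress re-renders wp-login.php with 200
    on failure and redirects (302) on success. Returns IPs at or over LOGIN_THRESHOLD."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).startswith("/wp-login.php") \
                and m.group(5) == "200":
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= LOGIN_THRESHOLD}

# Constructed sample data, not real site records: 60 sign-ups in one hour plus one
# older legitimate user, and 12 failed logins from a single address.
BASE = datetime(2017, 2, 14, 9, 0)
SAMPLE_USERS = [(BASE + timedelta(minutes=i), f"JLopes{18800 + i}", f"u{i}@aol.com")
                for i in range(60)] + [(BASE - timedelta(days=3), "jane", "jane@example.co.za")]
SAMPLE_LOG = [f'203.0.113.7 - - [14/Feb/2017:09:{i:02d}:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3100'
              for i in range(12)] + ['198.51.100.2 - - [14/Feb/2017:09:05:00 +0200] "GET / HTTP/1.1" 200 512']

if __name__ == "__main__":
    peak, generic = registration_burst(SAMPLE_USERS)
    print(f"peak registrations per window: {peak} (burst={peak >= BURST_THRESHOLD}), suspect accounts: {generic}")
    print("IPs flooding wp-login.php:", failed_login_flood(SAMPLE_LOG))
```

On a live site the user tuples would come from a `wp_users` export and the log lines from the web server's access log; the addresses the second function returns are the ones a fail2ban jail on the same pattern would ban.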
The attacks seemed specifically targeted, as email addresses belonging to separate .co.za domains which appeared to be compromised were used to register new users, although the IP addresses originated in Russia.
“It’s really important that people should always try to avoid user names like ‘Admin’, ‘Administrator’ and ‘Company Name’ for Administrator access,” he adds.
Van den Heerik says he has seen at least 18 sites targeted, although we’ve had no reports as yet that the problem is more widespread. It’s possible that the attacks are related to a couple of severe security issues that were addressed in the 4.7.2 update to WordPress at the end of January. Since the patch was released, hundreds of thousands of unpatched sites have been successfully compromised worldwide, so make sure your installation is up to date.
[Via ZA Tech]