
Joomla and WordPress Sites Under Constant Attack From Botnets

  • Posted on:September 5, 2013 at 12:58 pm
  • Posted in:Bad Sites
  • Author:
    Philippe Lin (Senior Threat Researcher)

Compromised websites are part of many attacks online. They can be used to host a variety of threats, ranging from simple spam pages, to redirection pages, to actual malicious files.

We recently came across a case that highlighted the scale of this threat. A backdoor (detected as BKDR_FIDOBOT.A) was being used to brute-force many WordPress blogs. It tries to log into Joomla and WordPress administrator pages at /administrator/index.php and /wp-login.php. To do this, it connects to a C&C server, where it downloads a list of sites to target as well as passwords to use. (It consistently uses admin as the user name.) Successful logins are also uploaded to the same C&C server.

Over the course of a single day, this backdoor was used to try to attack more than 17,000 different domains. This would total more than 100,000 domains in the course of a single week. This was from a single infected machine alone; with any botnet of decent size, many more sites would have been at risk from this attack.
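The behavior described above has a recognizable footprint on the server side: one source address POSTing to /wp-login.php or /administrator/index.php across many different sites in a short time. The following is an added example, not Trend Micro's code or any tool referenced in the post, of how a hosting provider could flag that pattern in aggregated web server logs. The log format (a virtual-host name prefixed to the Apache combined format), the thresholds, and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag distributed CMS login brute-forcing in aggregated web server logs.

Added example (not Trend Micro's code). Parses combined-format access log
lines prefixed with the virtual host name, keeps only POSTs to the WordPress
and Joomla login pages, and flags any source IP that either hits login pages
on many distinct hosts or makes many attempts within a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

# Assumed format: 'vhost ip - - [time] "METHOD path HTTP/x" status size'
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one source hitting six sites' login pages in seconds,
# followed by one legitimate administrator logging in to a single site.
SAMPLE_LOG = [
    'alpha.example 198.51.100.7 - - [05/Sep/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    'bravo.example 198.51.100.7 - - [05/Sep/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    'charlie.example 198.51.100.7 - - [05/Sep/2013:10:00:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 0',
    'delta.example 198.51.100.7 - - [05/Sep/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    'echo.example 198.51.100.7 - - [05/Sep/2013:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
    'foxtrot.example 198.51.100.7 - - [05/Sep/2013:10:00:30 +0000] "POST /administrator/index.php HTTP/1.1" 200 5678',
    'alpha.example 192.0.2.10 - - [05/Sep/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    'alpha.example 192.0.2.10 - - [05/Sep/2013:10:05:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    'alpha.example 192.0.2.10 - - [05/Sep/2013:10:05:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000',
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    return fields


def is_login_post(event):
    """True for POST requests whose path (query string stripped) is a CMS login page."""
    path = event["path"].split("?", 1)[0]
    return event["method"] == "POST" and any(path.endswith(p) for p in LOGIN_PATHS)


def find_bruteforcers(lines, window=timedelta(hours=24), min_hosts=5, min_attempts=20):
    """Return {ip: (max_distinct_hosts, max_attempts)} for IPs exceeding a threshold.

    Both maxima are taken over every window-sized span of that IP's login POSTs,
    so a source that spreads attempts across many sites is caught even when it
    sends only one request per site.
    """
    events = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and is_login_post(event):
            events[event["ip"]].append((event["time"], event["host"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best_hosts = best_attempts = 0
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            best_hosts = max(best_hosts, len({host for _, host in span}))
            best_attempts = max(best_attempts, len(span))
        if best_hosts >= min_hosts or best_attempts >= min_attempts:
            flagged[ip] = (best_hosts, best_attempts)
    return flagged


if __name__ == "__main__":
    for ip, (hosts, attempts) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: login POSTs against {hosts} distinct hosts, {attempts} attempts")
```

The distinct-host count is the more useful signal for the campaign described here: a single site sees only a handful of attempts, which no per-site lockout would notice, while the provider-wide view shows one address walking a list of domains.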

The targeted sites were mostly found in the United States, with almost two-thirds of the attacked sites being from that country. Countries in Europe made up the rest of the top five. The majority of the sites affected are owned either by individuals or by small businesses, as these are the sectors most likely to use WordPress and Joomla as their content management system.


Figure 1. Distribution of targeted sites

This attack in itself is particularly troubling. However, when looked at in a bigger picture, such massive attempts to log in to numerous WordPress sites can be a precursor to a more menacing attack. The Stealrat botnet operation, for example, uses several compromised WordPress sites to generate spam and conceal its operations. The notorious Blackhole Exploit Kit has also used several WordPress sites to redirect users to its final payload.

Threats like these highlight how important it is for site administrators to properly secure content management systems (CMSes) like WordPress. Best practices like keeping the software up to date as well as using strong passwords are a must to prevent sites from being compromised. A compromised site could affect many thousands of users, so it is much more important for administrators to secure their passwords. Settings and plug-ins to help secure CMSes are available to administrators, and they should use them appropriately.
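Two of the settings that matter most against the backdoor described here are an attempt limit on the login page and not keeping an account literally named admin, since that is the only user name it tries. The following is an added example, not WordPress, Joomla, or any plug-in's actual code, of the lockout logic such "limit login attempts" settings implement: failures are counted per client address and user name in a sliding window, a lock is applied once the limit is hit, and a denied-name list refuses the default account outright. The class name, thresholds, and the replayed attempt sequence are assumptions constructed for illustration.

```python
"""Sliding-window login throttle for a CMS login endpoint.

Added example, not the code of WordPress, Joomla, or any plug-in. Models the
lockout behavior administrators get from "limit login attempts" settings:
per-(ip, user) failure counting, a temporary lock, and a denied user-name list
so that the default 'admin' account the backdoor targets does not even reach
password checking.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginThrottle:
    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lock_duration=timedelta(minutes=30), denied_usernames=("admin",)):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self.denied = {u.lower() for u in denied_usernames}
        self._failures = defaultdict(deque)   # (ip, user) -> recent failure times
        self._locked_until = {}               # (ip, user) -> lock expiry

    def _prune(self, key, now):
        """Drop failures older than the window so the count is a sliding one."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, username, now):
        """Decide before looking at the password. Returns (allowed, reason)."""
        if username.lower() in self.denied:
            return False, "username_denied"
        key = (ip, username.lower())
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return False, "locked"
        return True, "ok"

    def record_failure(self, ip, username, now):
        """Count a failed attempt; return True if this one triggered a lock."""
        key = (ip, username.lower())
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lock_duration
            self._failures[key].clear()
            return True
        return False

    def record_success(self, ip, username):
        """A good login clears the failure history for that (ip, user)."""
        key = (ip, username.lower())
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def simulate(attempts, throttle=None):
    """Replay (time, ip, user, password_correct) tuples; return one outcome per attempt."""
    throttle = throttle or LoginThrottle()
    outcomes = []
    for now, ip, user, correct in attempts:
        allowed, reason = throttle.check(ip, user, now)
        if not allowed:
            outcomes.append(reason)
            continue
        if correct:
            throttle.record_success(ip, user)
            outcomes.append("success")
        else:
            outcomes.append("locked_now" if throttle.record_failure(ip, user, now) else "failed")
    return outcomes


# Constructed sample: a guess at 'admin' is refused outright; five wrong
# passwords for 'editor' trip the lock; a correct password during the lock is
# still refused; after the lock expires the correct password gets in.
T0 = datetime(2013, 9, 5, 10, 0, 0)
SAMPLE_ATTEMPTS = [
    (T0, "198.51.100.7", "admin", False),
    (T0 + timedelta(seconds=1), "198.51.100.7", "editor", False),
    (T0 + timedelta(seconds=2), "198.51.100.7", "editor", False),
    (T0 + timedelta(seconds=3), "198.51.100.7", "editor", False),
    (T0 + timedelta(seconds=4), "198.51.100.7", "editor", False),
    (T0 + timedelta(seconds=5), "198.51.100.7", "editor", False),
    (T0 + timedelta(seconds=6), "198.51.100.7", "editor", True),
    (T0 + timedelta(minutes=31), "198.51.100.7", "editor", True),
]

if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(attempt[0].time(), attempt[2], "->", outcome)
```

Keying on both address and user name is a deliberate middle ground: keying on address alone lets one busy NAT lock out an office, while keying on user name alone lets a remote attacker lock the real owner out of their own account.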

There is one more interesting thing about the backdoor used to carry out this attack. Its file properties claim that it was published by a legitimate software vendor, and they also make a reference to the NSA’s PRISM program:

Figure 2. File properties

The Smart Protection Network was able to provide the information necessary to help us analyze this threat, as well as protect our users against it. In addition, we use the Smart Protection Network to provide multiple layers of defense against this threat – including blocking the malicious C&C server and detecting the malicious backdoor.

Tags: brute force attacks, Joomla, WordPress
