WordPress Installations Under Brute-Force Attack

Type threatpost
Reporter Dennis Fisher
Modified 2018-08-15T14:03:09


There is an ongoing attack against some WordPress implementations that is trying to brute-force the passwords for the administrator accounts on the installations. The attack is being driven by an automated PHP script that tries thousands of possible passwords.

The SANS Internet Storm Center has posted an analysis of the WordPress attack script, which was found on a virtual private server. The script has the added ability to allow an attacker to run it on a number of different servers at the same time, as the passwords it tries are stored in a MySQL database that can be accessed remotely.

The wp_brute_attempt() function takes 3 parameters: $ch, which is
cURL’s structure (cURL is a command line tool that can be used to
perform HTTP requests). The other two parameters define the site and
the password that will be tried. If the script logged in successfully,
the page that gets returned by the server will contain the phrase “Log
Out”, and the function will return a true value.

Now, the interesting thing about the script is that it allows
distributed cracking. Information is saved in a MySQL database and the
script actually connects directly to the main database. This allows the
attacker to run many simultaneous scripts – each of them will take 200
new URLs and mark them with the brute forcer’s ID ($colo).

WordPress, a popular blogging platform, has been found to have a slew of vulnerabilities in recent months and attacks against the platform have become common. WordPress is used in a lot of corporate blogging environments and also is used by millions of individual bloggers.
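On the defending side, the distributed guessing described above shows up in a site's access log as failed logins spread over several source addresses, so counting per IP undercounts it. The following added example (not from the article or the SANS analysis) counts failed POSTs to wp-login.php across all sources and flags a successful login that follows a burst. It assumes combined log format and stock WordPress behaviour, where a failed login returns 200 and a successful one returns 302; the log lines, threshold and window are constructed.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "-"
192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [01/Jan/2024:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
Hit = namedtuple("Hit", "ts ip status")

def parse(log_text):
    """Yield a Hit for each POST to wp-login.php; every other line is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield Hit(ts, m["ip"], int(m["status"]))

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, time, source_ips) alerts; failures are pooled across IPs."""
    alerts, failures, in_burst = [], [], False
    for hit in sorted(parse(log_text)):
        # Keep only failures that are still inside the sliding window.
        failures = [f for f in failures if hit.ts - f.ts <= window]
        if hit.status == 200:                      # login form re-rendered: failed guess
            failures.append(hit)
            burst = len(failures) >= threshold
            if burst and not in_burst:             # alert once per burst, not per request
                alerts.append(("burst", hit.ts, sorted({f.ip for f in failures})))
            in_burst = burst
        elif hit.status == 302:                    # redirect: login accepted
            if len(failures) >= threshold:         # success right after a burst
                alerts.append(("login_after_burst", hit.ts, [hit.ip]))
            failures, in_burst = [], False
    return alerts
```

A `login_after_burst` alert is the case to act on first, since it marks the point where a guessed password may have worked.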