November 30, 2009, 1:19PM

WordPress Installations Under Brute-Force Attack

There is an ongoing attack against some WordPress implementations that is trying to brute-force the passwords for the administrator accounts on the installations. The attack is being driven by an automated PHP script that tries thousands of possible passwords.

The SANS Internet Storm Center has posted an analysis of the WordPress attack script, which was found on a virtual private server. The script has the added ability to allow an attacker to run it on a number of different servers at the same time, as the passwords it tries are stored in a MySQL database that can be accessed remotely.

The wp_brute_attempt() function takes 3 parameters: $ch, which is cURL's structure (cURL is a command-line tool that can be used to perform HTTP requests). The other two parameters define the site and the password that will be tried. If the script logged in successfully, the page that gets returned by the server will contain the phrase "Log Out", and the function will return a true value.

Now, the interesting thing about the script is that it allows distributed cracking. Information is saved in a MySQL database and the script actually connects directly to the main database. This allows the attacker to run many simultaneous scripts – each of them will take 200 new URLs and mark them with the brute forcer's ID ($colo).
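Because the guessing is spread across many servers, a per-source rate limit alone can miss it. The following detection sketch is an added example, not code from the SANS analysis or from WordPress: it counts failed logins per source and across all sources in a sliding window. It assumes a combined-format access log, that a failed login returns 200 and an accepted one a 302 redirect, illustrative thresholds, and constructed sample log lines.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Combined/common log format prefix: ip, timestamp, request line, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FMT = "%d/%b/%Y:%H:%M:%S %z"

def login_posts(lines):
    """Yield (time, ip, status) for every POST to wp-login.php."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(ts, FMT), ip, status

def detect(lines, window=timedelta(minutes=5), per_ip_limit=10, site_limit=20):
    """Return alerts as (kind, detail, time); thresholds are illustrative."""
    recent, alerts = deque(), []   # recent = failed logins inside the window
    for ts, ip, status in login_posts(lines):
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if status == "302":        # assumption: redirect means login accepted
            if len(recent) >= site_limit:
                alerts.append(("success_during_attack", ip, ts))
        elif status == "200":      # login form served again: failed attempt
            recent.append((ts, ip))
            per_ip = Counter(src for _, src in recent)
            if per_ip[ip] == per_ip_limit:
                alerts.append(("single_source", ip, ts))
            if len(recent) == site_limit:   # detail = number of distinct sources
                alerts.append(("site_wide", len(per_ip), ts))
    return alerts

def _line(ip, sec, status):
    t = datetime(2009, 11, 30, 13, 0) + timedelta(seconds=sec)
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "POST /wp-login.php HTTP/1.1" {status} 2100'

# Constructed sample: 8 sources share 24 guesses, one login is accepted,
# then a single source makes 10 guesses an hour later.
SAMPLE = [_line(f"192.0.2.{n % 8 + 1}", n * 5, 200) for n in range(24)]
SAMPLE.append(_line("192.0.2.3", 125, 302))
SAMPLE += [_line("198.51.100.7", 3600 + n, 200) for n in range(10)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In the sample, no single source reaches the per-source limit during the first burst, so only the site-wide counter catches it.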

WordPress, a popular blogging platform, has been found to have a slew of vulnerabilities in recent months, and attacks against the platform have become common. WordPress is used in a lot of corporate blogging environments and is also used by millions of individual bloggers.
