A glut of WordPress sites have fallen victim to both malware infections and a series of brute force attacks that have been making the rounds over the past several days, researchers claim.

According to Peter Gramantik, a malware researcher at Sucuri, highly obfuscated malware payloads have been targeting sites with out-of-date plugins and sloppy, weak passwords.

While the fact that malware is targeting outdated plugins and weak passwords isn’t particularly surprising, Gramantik says what makes the attack interesting is that the payload is being injected blindly: bug-riddled PHP is corrupting legitimate WordPress core files, along with theme and plugin files, in the process.

The corrupted files produce PHP errors, like the one below, that show up in normal site content, according to the firm.

Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91

Sucuri says the only fix it knows of for the corrupted files is to restore them from backup after the malware has been removed.

This week has also seen a series of brute force attacks wreaking havoc on WordPress sites, according to researchers at the SANS Institute.

The attacks appear to target XMLRPC.php, the PHP file that implements WordPress’s XML-RPC interface and the same file that was leveraged to cause a large-scale distributed denial of service attack on tens of thousands of WordPress sites earlier this year.

SANS incident handler Daniel Wesemann warned Tuesday that some Internet Storm Center readers have been experiencing a scourge of attacks on their sites.

The attacks specifically use the wp.getUsersBlogs method of the XML-RPC API to carry out brute force password guessing. Code posted by Wesemann on the InfoSec Handlers Diary Blog clearly shows requests trying to guess passwords (admin, admin123) against a targeted WordPress installation.

[Image: wp_bruteforce (via Robert Paprocki, cryptobells.com)]

Wesemann goes on to point out that plain HTTP web server logs are not a good indicator of these attacks: the web server accepts and serves the requests as valid, and the ‘403 – Not Authorized’ that signals the failed login appears only inside the XML message the server returns as its payload.

The post warns that “traditional” modes of security protection, like the plugin BruteProtect, are actually less effective against this vector.

“Most of these add-ons tend to watch only wp_login.php and the associated wp_login_failed result, which does not trigger in the case of an XMLRPC login error.”
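Because the HTTP status of these requests looks normal, detection has to inspect the request body itself. As an added defender-side illustration (not code from the article, SANS or any plugin), here is the logic a reverse proxy or WAF could run over POST bodies to xmlrpc.php, counting wp.getUsersBlogs calls per client IP; the sample requests, IP addresses and threshold are constructed assumptions, and passwords are never extracted or logged.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict


def xmlrpc_call(method, *params):
    """Build a minimal XML-RPC request body (constructed test data only)."""
    values = "".join(f"<param><value><string>{p}</string></value></param>" for p in params)
    return f"<?xml version='1.0'?><methodCall><methodName>{method}</methodName><params>{values}</params></methodCall>"


# Constructed sample of (client IP, request path, POST body) as a reverse proxy
# or WAF would see them. The passwords are placeholders and are never logged.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/xmlrpc.php", xmlrpc_call("wp.getUsersBlogs", "admin", "guess-1")),
    ("198.51.100.7", "/xmlrpc.php", xmlrpc_call("wp.getUsersBlogs", "admin", "guess-2")),
    ("198.51.100.7", "/xmlrpc.php", xmlrpc_call("wp.getUsersBlogs", "admin", "guess-3")),
    ("203.0.113.20", "/xmlrpc.php", xmlrpc_call("wp.getUsersBlogs", "admin", "guess-1")),
    ("203.0.113.20", "/xmlrpc.php", "<methodCall><methodName>wp.getUsersBlogs"),  # truncated body
    ("192.0.2.9", "/xmlrpc.php", xmlrpc_call("system.listMethods")),  # harmless introspection
    ("192.0.2.9", "/wp-login.php", "log=editor&pwd=guess"),  # form login, not XML-RPC
]


def parse_xmlrpc_login(path, body):
    """Return (method, username) for a request to xmlrpc.php, else None.
    wp.getUsersBlogs takes username, password as its first string params; the
    password is never returned. Unparseable bodies give ("malformed", None)."""
    if not path.endswith("/xmlrpc.php"):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("malformed", None)  # still worth counting: bots send junk too
    method = root.findtext("methodName", default="")
    if method != "wp.getUsersBlogs":
        return (method, None)
    strings = [v.text or "" for v in root.iterfind("params/param/value/string")]
    return (method, strings[0] if strings else None)


def find_guessing_sources(requests, threshold=3):
    """Per client IP, count wp.getUsersBlogs calls (malformed ones included) and
    return {ip: (count, sorted usernames tried)} for IPs at or above threshold."""
    attempts, usernames = Counter(), defaultdict(set)
    for ip, path, body in requests:
        parsed = parse_xmlrpc_login(path, body)
        if parsed is None or parsed[0] not in ("wp.getUsersBlogs", "malformed"):
            continue
        attempts[ip] += 1
        if parsed[1]:
            usernames[ip].add(parsed[1])
    return {ip: (n, sorted(usernames[ip])) for ip, n in attempts.items() if n >= threshold}
```

Calling `find_guessing_sources(SAMPLE_REQUESTS)` flags only the source that crossed the threshold; the returned IPs are what a ModSecurity or firewall rule would then block or rate-limit.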

WordPress experts are encouraging users who want to avoid being hit by brute force attacks like these to use a strong password, to avoid common usernames, and to follow the Hardening WordPress FAQ on WordPress.org.

Jan Reilink, a Netherlands-based system administrator, said he noticed a rash of HTTP POST requests to XMLRPC.PHP on WordPress earlier this month, but it is unclear whether the requests he saw, which carried a much larger payload, are related to the XMLRPC.PHP DDoS attack Sucuri observed in March.

The brute force campaign resembles the attacks launched by the massive 90,000-strong WordPress botnet that surfaced last spring. Those attacks combined “admin” as the username with a list of common passwords to break into systems.


Comments (13)

  1. Anonymous

    I too have been hit with this attack. More than 40 hours have passed and the attack is still going strong.

    I am getting about 5 hits/minute on xmlrpc.php. What is amazing is the number of IPs involved. I have been hit by about 3900 unique IPs till now, and about 8250 IPs including duplicate hits.

    Thankfully, the traffic isn’t too much, so the server hasn’t taken a beating.
  2. Sam Hotchkiss

    Hey Chris– I’m the founder of BruteProtect, and I wanted to take a minute to respond to this.

    First off– thank you for covering these issues. The more people know about security and vulnerabilities at play, the safer we’ll all be.

    However– the quote used above:
    “Most of these add-ons tend to watch only wp_login.php and the associated wp_login_failed result, which does not trigger in the case of an XMLRPC login error.”
    is incorrect. When XML-RPC authenticates a user (see class-wp-xmlrpc-server.php:182) it calls the “wp_authenticate” function. If you refer to that function (see pluggable.php:521), you can see that the wp_login_failed hook is called.

    Best,
    Sam
  3. Swati

    Hi, I have been a victim of this attack and, though I have been trying to get the attention of a WordPress Happiness Engineer, there has been no response from him/her. Please let me know how much time it will take to restore the site, as my work is suffering.
  4. RPF

    Hi. Is WordPress down? I can’t access my account. I keep getting this message: HTTP ERROR: 504.

    Thanks!!

    • Brian Donohue

      Sorry, I seem to have missed this message on Friday. WordPress is up for me now. Let me know if you have any issues moving forward.
  5. Crystal

    Last night I got a call from Florida, Jay. That might mean something to all you IT guys and gals. He wanted to rent my apartment and wondered if I preferred girls. I believe he was of Indian descent. Between yesterday (I just started working on my website again) and today, I have been re-cut off using my Firefox browser link process, and yes, PHP and hiding the link has something to do with it… appears they were watching my activity, as one of the affiliate products had posted this process. Voila, we once again are cut off from the knees…. I guess they wanted whoever is tracking us to know… That this land of milk and honey is not going to do your bidding of overtaking the world by moving in with the women… or something like that… course I could have it backwards, maybe the design is to rescue the women and thus they will be obliged to share the commerce… if we ever get to creating commerce. Been a few years now, little gremlins seem to wish to ensure we never get there… personally I think it has something to do with the year you are born and whether you have a nice butt or not.
  6. Mayo Mick

    I was a victim of this hack last week. It took my 3 sites down. Jetpack Monitor did not pick up that the sites were down either. Thankfully I have good backups and did not lose any data. Very annoying though.
  7. she32

    Wordfence is helpful to me. I’m just using this free plug-in and it notifies me when someone tries to attack the site.
  8. r109

    Anyone keen on ModSecurity? How about a security rule that bans the IP(s) that are spamming xmlrpc.php? I am currently seeing thousands of attempts from a DDoS botnet brute forcing wp.getUsersBlogs by unloading a dictionary.

    Would love feedback, I’m not much keen on ModSec rules.
  9. r109

    There is a new brute force exploit for xmlrpc.php. Attackers are using the XMLRPC API method wp.getUsersBlogs to brute force logins with dictionaries.
  10. speedyk

    I’m not technical enough to speak to some of the stuff here, but Wordfence can block whole networks with a couple of clicks, or if the network is too large, can block a range of IPs. I tend to do a 10-address spread at first; if they come back outside that range I do 0 to 255 on the last digits, and if they still come back I do that on the next set.

    Wordfence will then show me how many subsequent attempts were made. An alpha hotel on AWS is still banging away from the same range after almost a year.

    Bad Behavior is also useful; it can be set up to work with a blacklist and its logs are quite informative. I will often C&P IPs from it and add them to the Wordfence list, often using a range plus or minus.
