back to article Web service automates WordPress password cracking

Hackers have developed a distributed Wordpress admin account cracking scheme that poses a severe risk for the security of blogs whose owners select insecure passwords. PHP scripts located on a virtual server run bruteforce (password guessing) attacks on targeted sites. Many sites can be attacked at the same time by the system …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars 1 Silver badge

    What if Deep Secrets are a Ridiculous Plant to Halt Shared Progress

    "Blog administrators are advised to use strong (hard to guess) passwords and to limiting access by IP address as a security precaution to prevent getting pwned." .... and Porned in Pirating Fields of Private Opportunity, where the First Person Present Indicative meets the Third Person Future Imperative, when IMPudent and Matured, is well ..... let us just settle to say, today, Spell Binding, which guarantees promises with tomorrow.

  2. abigsmurf

    Doesn't make sense

    Even if it was a fast loading wordpress site, wouldn't you be looking at something like 2-3 guesses a second? You could probably ramp it up to 20 or so a second with multiple systems attacking but you'd be limited by how many mysql connections the site can take.

    That would be painfully slow for any password above 4 letters.

  3. Jason Togneri
    FAIL

    Yawn

    Oh, another "weak passwords = insecure" non-story. What's the point of posting these, particularly in an IT community new portal? We've all known this for the past few decades. If there was a fatal flaw in the WP architecture that allowed any old attacker to gain admin access, perhaps you'd have a story. But this? Nothing to see here, please move along.

  4. Carter Cole
    Boffin

    man i love php

    i think this will be a growing trend compromised web hosts will be used in bot-net style attacks using php as more and more c&c and "bulletproof hosting" options are taken down or disconnected on the internet

  5. iamapizza
    Thumb Up

    SOA

    If this doesn't endorse SOA's usefulness, I don't know what does!

  6. Neal 5

    @abigsmurf

    Bruting would take a long time regardless, before you even begin to get as far as attacking a password you've got to build your dictionary, easy enough for simple 1,2 and 3 letter combinations, get beyond that and into special symbols, numbers and mixed upper/lower case then you could quite well never finish your dictionary. An alternative would be rainbow tables, but again you're talking eons to build them.

    The number of attempts is only limited by max_user_connections, set at whatever value deemed appropiate by the database manager. So 2-3 a second would seem low to me, that's like only allowing 2-3 people at a time to read The Register, and no else can until any of the 2-3 already reading, leave. (Not quite right, but I'm sure you get the idea)

    1. Tom Chiverton 1

      The title is required, and must contain letters and/or digits.

      rainbow tables are only useful if you already have the password hash, which isn't the case here.

  7. Andy Enderby 1
    Stop

    This attack has to be addressed pronto....

    It might be a bit unfashionable to point this out but - a heck of a lot of regular folks use blogs, they also use the same passwords for everything they interact with, 'cos they're regular folk, not pros. This is exactly the kind of attack that whilst scaring off some of the dumb ass Youtube twerps like the infamous Milk Foam MW2 Boy, could just as easily scare off, regular, right thinking, serious minded internet users at large. The kind of folks that book holidays, buy books, services, whatever..... It needs closing pronto.

    Before the last remaining pros in the country end up outsourced to god knows where.

  8. Winkypop Silver badge
    Thumb Down

    Or...

    ...simply don't blog.

    Save us the boredom.

  9. Anonymous Coward
    Anonymous Coward

    Wordpress Insecure

    It is rank amateur hour if you are using WordPress.

    There are some shady characters who push Wordpress commercially, but you would have to be a bit of a fool to go for WordPress as a CMS and pay money for it.

  10. amanfromMars 1 Silver badge
    Alien

    The Virtual Market Place is a Personal Sovereign Space with Inalienable Rights

    "There are some shady characters who push Wordpress commercially" .... Anonymous Coward

    Posted Tuesday 1st December 2009 10:02 GMT

    A Vital Alternative Cog in the Commercial Sector with SMARTer Enabling Communications, nowadays, for Shadowing Mentor Organisations. Well, if you can Monitor, it is a Failure of Intelligence to not Offer Virtual Leadership Controls.

  11. This post has been deleted by its author

  12. Jason Croghan
    WTF?

    Limit???

    Why don't they limit the amount of attempts per IP address like every other login page? It seems absurd that brute force attacks are still possible, what, 15 years after they first surfaced??

    abigsmurf: Brute forcing tools can attampt anywhere between 50 and 1000 passwords per second depending on the speed of the site. It's called Socket Threading :)

    You know when you open 20 tabs in Firefox, well imagine they were all to the same page and you've got your brute forcer.

    1. SImon Hobson Bronze badge

      Do I really need a title ?

      >> Why don't they limit the amount of attempts per IP address like every other login page?

      Good question. I've had complaints at work when I've set up new services with such a restriction - and then someone triggers it and blocks everyone out for 5 or 10 minutes (all behind one shared IP via NAT). On the other hand, that's why the nasties out there are moving to distributed tools - instead of one IP that gets blocked, they attack from many thousands of different IPs and vastly multiply the number of attempts they get (as well as the computing power and bandwidth available to them).

      I usually use fail2ban which is specifically designed to watch logs and block IPs that cause certain patterns (typically authentication failures). But configuring that effectively on a shared hosting server would be something of a sysadmin nightmare - the user can't do it as they don't have the access required.

      1. Jason Croghan

        @SImon Hobson

        I used to do that with Yahoo! email accounts in the mid 90's (distributed brute forcing) but it has huge drawbacks - especially seeing as they were smart and added multiple layers of security such as number of attempts per username coupled with number of attempts per I.P. That way even if you distribute an attack on one particular username it locks that account for an hour which hinders the attack tremendously. Sometimes the simplest of solutions is the better for all.

This topic is closed for new posts.