Cybercrooks are running a wide-ranging password-guessing attack against some of the most widely used blogging and content management systems on the net. The so-called Fort Disco cracking campaign began in late May this year and is still ongoing, DDoS mitigation firm Arbor Networks warns. Arbor has identified six command-and- …
Fort Disco is named after one of the strings found in the executable metadata field
Really? I could have sworn it was the name of the military-themed 70s night at our local gay bar!
That's odd, because I was imagining it in my head as a late 70s western made in dodgy 3D. The brave army soldiers out there in the west come under attack by a band of Indians, construction workers, cops and bikers... with the expected outcome...
My Wordpress blog was attacked about 4 weeks ago. About 61,000 password guess attempts over about 15 hours from about 30 different IP addresses. They didn't get in because the password was very secure. I have since removed the "admin" account altogether.
One of the reasons I finally put down my long-dying website, powered by the PHP CMS e107: I would get days where bots would bombard the site trying to find a vulnerability, or simply to spam every input it had.
each of which caused infected machines to phone home to a hard-coded command and control domain.
Why does this hard-coded domain still exist?
Because it contains no copyrighted material
And is thus not a threat to be stopped by the Department of Homeland Security.
The purpose of this attack, as near as I can tell, is to serve up the W32/Kuluoz malware from compromised sites.
The attack comes in stages:
1. Launch a brute-force password-guessing attack on Joomla and WordPress sites;
2. Deposit a malicious backdoor script on the hacked site;
3. Install a file, nowadays usually but not always named "main.php" (earlier versions of the attack used different script names) on the compromised sites. On WordPress sites, it may be installed on the root level of the site, in the /images folder, or in a folder called /img; on Joomla sites, it is often placed at the root level of the site or in the /components directory;
4. Send out spam emails directing marks to the location of the main.php script, usually disguised as DHL or Fedex notifications.
The main.php script is interesting. It checks the browser's user agent when a visitor arrives, and some variants appear to check the IP address against a blacklist as well.
If it sees a vulnerable Windows user agent string, it downloads the W32/Kuluoz malware using a number of different drive-by download exploits.
If it doesn't see a vulnerable user agent string (or if the IP address is blacklisted), early versions presented a phony 404 error page. This error page was generated by the script and looked different from the site's true 404 error page.
More recent versions of the script, which I've seen in the past few weeks, do an internal redirect to a real 404 error page, making them more difficult to detect.
I've written extensively about this attack and the apparent link between the WP/Joomla brute-force hacking and the Kuluoz malware downloaders on my blog:
The attack has been tweaked and modified several times; the earliest versions tried to dupe marks with spam emails pretending to be airline flight confirmations, for instance. It has also scaled rapidly as the attacks on weak WP and Joomla passwords have scaled. In some cases, I have seen ISPs remove the malware script, only to see it reappear a few days later, suggesting that either the passwords haven't been changed or the backdoor scripts are still on the compromised servers.
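The comment above describes where the dropper lands and how it cloaks itself (gating on User-Agent and, in some variants, on a blacklisted IP, then answering with a fake or real 404). Below is an added example, written for this page and not code from the commenter or from any of the projects named, of two checks a site owner can run: a static scan of the listed drop locations for a `main.php` that gates on the request and emits its own 404, and a behavioural differential fetch that compares what the same URL returns to a Windows and a non-Windows User-Agent, which is what catches the later variant that includes the site's real 404 page instead of printing one. The regexes, the sample PHP files and the `payload.php` include are assumptions constructed for the example, not signatures taken from the thread or from Kuluoz.

```python
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Drop locations named in the comment above, relative to the site root.
CANDIDATE_DIRS = {
    "wordpress": ["", "images", "img"],
    "joomla": ["", "components"],
}
SCRIPT_NAME = "main.php"

# Static indicators of a cloaking script: it branches on the visitor's
# User-Agent and/or remote address and can emit a 404 itself. These are
# assumed heuristics written for this example, not signatures from the thread.
UA_GATE = re.compile(r"HTTP_USER_AGENT", re.I)
IP_GATE = re.compile(r"REMOTE_ADDR|HTTP_X_FORWARDED_FOR", re.I)
SELF_404 = re.compile(r"404\s+Not\s+Found", re.I)


def classify(php_source: str) -> Dict[str, bool]:
    """Flag PHP that gates on UA or IP and can answer with its own 404 page."""
    ua = bool(UA_GATE.search(php_source))
    ip = bool(IP_GATE.search(php_source))
    self_404 = bool(SELF_404.search(php_source))
    return {"ua_gate": ua, "ip_gate": ip, "self_404": self_404,
            "suspicious": self_404 and (ua or ip)}


def scan_site(root: Path, cms: str) -> List[Dict[str, object]]:
    """Check only the locations the comment says the dropper is placed in."""
    hits: List[Dict[str, object]] = []
    for sub in CANDIDATE_DIRS[cms]:
        path = root / sub / SCRIPT_NAME
        if path.is_file():
            verdict: Dict[str, object] = dict(classify(path.read_text(errors="replace")))
            verdict["path"] = path.relative_to(root).as_posix()
            hits.append(verdict)
    return hits


# A fetch takes a User-Agent string and returns (status, body) for one fixed URL.
Fetch = Callable[[str], Tuple[int, str]]
WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"


def cloaks_by_user_agent(fetch: Fetch) -> bool:
    """Behavioural check: a benign page answers both UAs the same way; a
    cloaking script serves Windows visitors something different."""
    return fetch(WINDOWS_UA) != fetch(OTHER_UA)


# --- constructed samples, in the shape the comment describes, not real malware ---
CLOAKER = """<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
$ip = $_SERVER['REMOTE_ADDR'];
if (in_array($ip, $blacklist) || !preg_match('/Windows/i', $ua)) {
    header('HTTP/1.1 404 Not Found');
    echo '<h1>404 Not Found</h1>';
    exit;
}
include 'payload.php';  // placeholder for the drive-by stage
"""

BENIGN = """<?php
// constructed benign main.php: no gating on the request
require_once __DIR__ . '/config.php';
echo render_page();
"""


def demo() -> List[Dict[str, object]]:
    """Build a throwaway WordPress-style tree, plant both samples, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "img" / SCRIPT_NAME).write_text(CLOAKER)
        (root / SCRIPT_NAME).write_text(BENIGN)
        return scan_site(root, "wordpress")


def demo_fetch() -> bool:
    """Simulate the differential fetch against a cloaking endpoint (offline)."""
    def fake_fetch(ua: str) -> Tuple[int, str]:
        if "Windows" in ua:
            return 200, "<html>landing page</html>"
        return 404, "<h1>Not Found</h1>"
    return cloaks_by_user_agent(fake_fetch)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    print("differential fetch flags cloaking:", demo_fetch())
```

On a live site, replace `fake_fetch` with a real HTTP client that sends the two User-Agents from a non-blacklisted address, and compare status codes as well as bodies; a script that uses the CMS's genuine 404 template shows no static indicator at all, so the differential fetch is the check that matters for those variants. A `main.php` in one of these directories is not proof on its own (some extensions ship one), which is why the static verdict only fires when the file both gates on the request and emits a 404.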