Understanding Denial of Service and Brute Force Attacks – WordPress, Joomla, Drupal, vBulletin

Many are likely getting emails with the following subject header Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute. Just this week we put out a post titled More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

What’s the Big Deal?

Remember life before social media? How quiet and content we seemed to be? How the only place we got our information was from the local news or cable outlet? Maybe a phone call, or via email? Today however, we seem to be inundated with information, with raw unfiltered data, left to our thoughts and perceptions of what they really mean. Every day there is some new tragedy, a plane goes missing, a child is abducted, a school shooting, the brink of WWW III. Is it that we live in a time where we are all losing our mind? Or maybe, could it be that the only difference between now and then, is the insane amount of information at our finger tips?

With this in mind, yes, it’s true, there are ongoing Distributed Denial of Service (DDoS) and Brute Force attacks against WordPress sites. In fact it extends far beyond that specific platform, it’s affecting many other platforms like vBulletin, Joomla, Drupal. The reality is that these attacks have been ongoing for many months now, so much so, that they’ve become part of our daily life and it’s not when they happen that we’re surprised, quite the contrary, when they don’t.

Read More

Big Increase in Distributed Brute Force Attacks Against Joomla Websites

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


A few months ago, we discussed and published details about a very large brute force attack targeting WordPress sites.

The attackers (bad guys) had thousands of servers at their disposal, and were attempting all types of passwords on wp-admin (WordPress admin panel) to try to get access to as many WordPress sites as possible. The attacks lasted for a few weeks and then it calmed down. I can’t attest to their successes, but knowing how bad people are at choosing passwords, I guess it worked well for them.

Lately, we started to see the same thing happen to Joomla sites. While most of the sites we monitor would get a few brute force attempts per day in the past, the last couple of days all of them are getting thousands of requests daily.

Against one website, we saw 11,349 requests during the course of a few hours coming from 1,737 different IP addresses. Each IP address was trying to log in once or twice. And after a few hours, it would try again, making this type of attack very hard to detect and block.

Joomla Brute force timeline

We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere.

We also started to see customers complaining about excessive resources utilization, similar to what happened with the WordPress attacks.

Joomla Brute Force Chart

Read More

Dissecting a WordPress Brute Force Attack

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


Over the past few months there has been a lot of discussion about WordPress Brute Force attacks. With that discussion has come a lot of speculation as well. What are they doing? Is it a giant WordPress botnet? Is it going to destroy the internet? Well, as you would expect of any good geeks we set out to find a way to find out.

This is not to be exhaustive case study or meant to be a representative sample of what all attacks look like, but it does have similar characteristics to the types of attacks and infections we deal with on a daily basis.

In this post, my goal is to highlight a hack that occurred this weekend, July 20th to be exact, against one of our several honeypots. In this specific instance, it was setup and configured approximately 2 months ago. It had been hacked about a month and a half ago and silly me I forgot to configure what I needed to do real forensics, oops. In any event, everything was cleared and pushed out again to see what happened, it was nothing more than a matter of sitting back and waiting.

Sure enough, about 30 days later and it was hacked, this time we were ready to see what happened..

Read More

SSH Brute Force – The 10 Year Old Attack That Still Persists

One of the first server-level compromises I had to deal with in my life was around 12 ago, and it was caused by a SSH brute force attack. A co-worker set up a test server and chose a very weak root password for it. A few days later, the box was owned running IRC bots and trying to compromise the rest of the network.

That was just the first of many server-level compromises caused by SSH brute force attacks that I would end up responding to, and even after more than 10 years, quite a few of the server remediations that we do here at Sucuri are actually caused by the same thing.

Read More