Remote WordPress Brute Force Tools

Just a quick reminder:

• Don’t use common words and easy character combinations as passwords.
• Your compromised site can be used to hack third-party sites.

A real world confirmation of the above two statements sometimes can be found in one script. For example in a so called WordPress Brute Force Tool that we regularly find uploaded to compromised sites.

...if($_POST){	if(!function_exists(curl_init)) die('<font color="red">[-] Not Curl HERE!<br></font>');	$username = trim($_POST['username']);	$thread = trim($_POST['threads']);	$wordlist = array_filter(file($_POST['wordlist']));	if(!is_file($_POST['wordlist'])) die('<font color="red">[-] File '.$_POST['wordlist'].' not found!</font><br>');	$log = trim($_POST['log']);	$urlz = array_filter(explode("rn", $_POST['sites']));	foreach($urlz as $url){		la_brute($url, $username, $wordlist, $thread, $log);	}}

This tool receives lists of WordPress sites and common passwords. Then it tries every login/password combination on every site and reports the combinations that worked. To improve performance, this particular tool sends requests to multiple sites at once using asynchronous Curl functions.

Having uploaded such tools to multiple compromised sites on different servers, hackers can conduct distributed brute-force attacks.

Brute-forcing is just one of the many types of distributed attacks that your compromised site may be used for. DDoS attacks and vulnerability scans also regularly leverage resources of hacked sites.

Make the Internet safer: Use strong passwords and protect your site.