Global “brute force” attack on WordPress websites

wordpress-logoWe have been made aware of a global distributed attack on webservers around the world which host WordPress websites.

It’s not yet known who is behind the attack, which is currently using more than 90,000 IP addresses to attempt to brute force the default admin user credentials of WordPress powered websites around the world. The attack does seem to be coming from a cluster of “botnet” infected computers.

This attack is not limited to any single webhost (including ourselves), but rather a global event could affect any web host.

As a responsible host, we would like to make you aware of this global issue and how you can help protect your own WordPress website from becoming affected.

What you can do to mitigate the botnet attack

1) Avoid simple or obvious passwords

Choose a long password with a mix of numbers, letters (upper and lowercase) and special symbols (!£$%& etc)

An example of a poor password: mypass

An example of a good password: vg^jhgHG57

A strong password is important as a “brute force” attack attempts to log in using the Admin username and random dictionary “wordlists” (many thousands of words etc). By making the password completely random, it is less likely to be on one of these lists.

2) Change the “admin” username

All WordPress sites have the administrator username as “admin” by default. Knowing a correct username is half the puzzle solved for brute forcing. If you change the username to a different name, the botnet not only has to guess your password, but also the username.

3) Keep plugins up to date

When you log into your WordPress site, look out for any updates available – if they are, update them! Often, the updates will be to fix problems and security issues such as “backdoors”. Many hackers exploit holes that have ben identified in older versions of WordPress and it’s plugins.

4) Install the “Limit Login Attempts” plugin

This plugin (available from your WordPress control panel or here) limits the number of login attempts can be made. If the limit is breached, the IP address is automatically blocked for a few minutes. If the limit continues to be breached, the IP is permanently blocked. This is an extremely effective defence against brute force hacking.

5) ADVANCED: Block the admin login page to everyone but your own fixed IP

If you only access your WordPress admin login from a single network and have a static IP address on your connection, you can add this to the .htaccess file in your WordPress installation:

<FilesMatch "^wp-login.php$">
 Order Allow,Deny
 Allow from
 Deny from all


Google Js/Blacole.BW alert issue

We have been made aware that some people visiting Google at the moment are getting malware alerts warning that the web page is infected with “Js/Blacole.BW”.

We believe this to be a false positive being generated by a Microsoft Forefront and Microsoft Security Essentials update a short while ago and at time of writing don’t think there is any cause for concern.

Microsoft have just stated that they have removed the problem virus definition and a new virus definition update (1.119.1986.0 or greater) will be available shortly to fix the issue.

There is some discussion about it here on the Microsoft Technet forums and we will update this page with any further relevant updates.

UPDATE 08:30 15th Feb 2012:

This has now been resolved by updating your software to the latest virus definitions. The “false positive” was caused by an erroneous virus definition in update 1.119.1972.0. This was fixed in update 1.119.1988.0 which was released at approximately 3am this morning. It seems the cause if the false positive was Microsoft Forefront and Microsoft Security Essentials mistaking Google’s Valentine’s day “Doodle” as a virus.

Trendnet IP webcam security vulnerability found

Feeds from thousands of Trendnet home security cameras have been breached, allowing any web user to access live footage without needing a password.

Internet addresses which link to the video streams have been posted to a variety of popular messageboard sites.

Users have expressed concern after finding they could view children’s bedrooms among other locations.

Trendnet says it is in the process of releasing firmware updates to correct a coding error introduced in April 2010.

It said it had emailed customers who had registered affected devices to alert them to the problem.

However, a spokesman told the BBC that “roughly 5%” of purchasers had registered their cameras and it had not yet issued a formal media release despite being aware of the problem for more than three weeks.

“We first became aware of this on 12 January,” said Zak Wood, Trendnet’s director of global marketing.

“As of this week we have identified 26 [vulnerable] models. Seven of the models – the firmware has been tested and released.

“We anticipate to have all of the revised firmware available this week. We are scrambling to discover how the code was introduced and at this point it seems like a coding oversight.”

Mr Wood added that the California-based firm estimated that “fewer than one thousand units” might be open to this threat in the UK, but could not immediately provide an exact global tally beyond saying that it was “most likely less than 50,000”.

Feed links

An internet blog first publicised the vulnerability on 10 January.

The author discovered that after setting-up one of the cameras with a password its video stream became accessible to anyone who typed in the correct net address.

Trendnet says it is in the process of releasing firmware updates for its devices

In each case this consisted of the user’s IP addresse followed by an identical sequence of 15 characters.

The writer then showed how the Shodan search engine – which specialises in finding online devices – could be used to discover cameras vulnerable to the flaw.

“Last I ran this there was something like 350 vulnerable devices that were available,” the author wrote at the time.

However, it appears that others then took advantage of the technique to expose other links and uploaded them to the net.

Within two days a list of 679 web addresses had been posted to one site, and others followed – in some cases listing the alleged Google Maps locations associated with each camera.

Messages on one forum included: “someone caught a guy in denmark (traced to ip) getting naked in the bathroom.” Another said: “I think this guy is doing situps.”

One user wrote “Baby Spotted,” causing another to comment “I feel like a pedophile watching this”.

Some screenshots have also been uploaded.

Warning users

At the time of writing Trendnet’s home page and its press release section made no mention of the problem.

However, its downloads page does list a number of “critical” updates with a brief release note saying that the code offers “improved security”.

The firm – whose slogan is “networks that people trust” – said that it had halted shipments of affected products to retailers and that any delivery received since the start of this month should be safe. However, it said that items delivered at an earlier date might need a firmware update.

“We are just getting to that point to be able to succinctly convey more information to the public who would be concerned,” added Mr Wood.

“We are planning an official release of information to the public concerning this, but in advance I can tell you that this week we are targeting to have firmware to all affected models.”

Via: BBC News

Beware: Twitter spam viral application on the loose

We are aware of a rogue Twitter application circulating at the moment called “StalkTrack”. It is spreading via DM (direct message) or via @ mentions to your followers and people you follow.

The message will appear to come from someone you know and will be in the form of:

I love this NEW App, it shows me who "stalks" my twitter! [link]

If you click the link, take you to a page which looks like a very convicing twitter sign in page which is pretending you are not signed in and asking for your login details to authorise the app. It is at this point they have full control of your Twitter The best thing to do is to delete the DM or ignore the mention. You  account – including the ability to change yoru password and email address.

They will then use your account to lure your contacts to fall for the same trick.

If you have been tricked, it’s vital you log into your twitter account asap and change your password. If you have already been locked out, follow the steps on the official Twitter website here

Hackers ‘steal entire 2011 census’ (updated)

UPDATE: LulzSec have posted the following tweet:

“Just saw the pastebin of the UK census hack. That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first”

So it would seem the Telegraph article below is a hoax.

Originally posted on

The entire 2011 census database has been stolen by hackers and will be published online, it has been claimed.

Ryan Cleary, an alleged member of the hacking group behind the claim, LulzSec, was arrested in Essex this morning by specialist cyber crime officers from Scotland Yard.

The 19-year-old was taken to a central London police station and remains in custody on suspicion of Computer Misuse Act and Fraud Act offences.

A “significant amount of material” was also seized from an address in Wickford, Essex.

The “pre-planned intelligence-led operation” in collaboration with the FBI followed claims online that the 2011 census database had been stolen and would be published in full.

“We have blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census,” a posting purportedly by LulzSec said.

“We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release),” it added.The posting said the database will be published via The Pirate Bay, a file sharing website.

The Office of National Statistics said it was investigating the claims.

“We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this,” it said.

“The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred.”

The US defence contractor Lockheed Martin, which collected the 2011 census data, was also preparing a statement.

Graham Cluley, of the British computer security firm Sophos, said more evidence of a breach was required.

“I don’t think we should believe someone has hacked UK census purely on basis of a post to PasteBin [the website used by LulzSec for its announcements],” he said.

LulzSec first emerged in May and mounted a series of Distributed Denial of Service and hacking attacks on high profile organisations. Sony, the CIA, the US Senate, the NHS, the Serious Organised Crime Agency and security companies linked to the FBI have all been targeted.

The group claims to be acting purely for amusement.”Lulz” is a derivative of LOL, the abbreviation for “laugh out loud” commonly used online.

[via the Telepgragh]