Large Botnets Attack WordPress And Joomla

Two large botnets are using or targeting various content management systems, including the massively popular WordPress and Joomla.

The most recent campaign has been labelled Fort Disco, which began in late May 2013, according to Arbor Networks. Arbor has found six command and control servers, running over 25,000 infected Windows machines that have been used to attack CMS systems using brute force (running through large lists of possible passwords).

To date, 6,000 installations of WordPress, Joomla and Datalife Engine have been compromised.

Botnets target CMSs

Arbor got an insight into the campaign because those behind the Fort Disco campaign left their log files publicly accessible. Despite that slip-up, the botnet master had used some semi-smart malware to avoid detection.

At least four kinds of malware have been used, with a command telling them to focus on a variable list of target sites, consisting of between 5,000 and 10,000 sites at a time.

Another command tells them what password to use, sometimes offering a URL to a password list. Successful hacks are reported back to the botnet master.
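A defender reading this will want to see what a credential-stuffing run like Fort Disco looks like in a web server's own logs. The following is an added example, not code from the article or from Arbor: it scans constructed Apache combined-log lines for repeated POSTs to the WordPress, Joomla and DataLife Engine login endpoints from one source address inside a sliding time window, and flags the address as a possible successful login if a later POST is answered with a 302 redirect (WordPress re-renders the form with a 200 on failure). The DataLife Engine path and the 302 heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from the article): 203.0.113.7 hammers
# wp-login.php and finally gets a 302 (WordPress redirects on success, 200 on failure).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Jun/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Login endpoints of WordPress, Joomla and DataLife Engine (the DLE path is an assumption).
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/admin.php"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each IP that POSTs to a login endpoint >= threshold times inside `window`
    to {"attempts": peak count, "possible_success": True if a later POST got a 302}."""
    posts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            posts[rec[0]].append((rec[1], rec[4]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end, (ts, status) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                entry = flagged.setdefault(ip, {"attempts": 0, "possible_success": False})
                entry["attempts"] = max(entry["attempts"], count)
                if status == 302:
                    entry["possible_success"] = True
    return flagged
```

A single legitimate login (198.51.100.2) never reaches the threshold and is not flagged; flagged addresses with possible_success set are the ones worth checking for a dropped PHP shell.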

In 788 cases, a PHP backdoor was installed on the targeted sites, allowing the attackers to browse the filesystem, upload or download files and execute commands on the affected server. “By uploading a PHP shell to compromised sites, an attacker can easily issue commands to thousands of compromised sites in seconds,” said Arbor’s Matthew Bing.

On several sites, a redirector was sending users to the Styx exploit kit. Arbor also believes the attackers were recruiting CMSs and blogs to be part of the botnet for future attacks.

Arbor believes the perpetrator is based in a post-Soviet state. Most of the targeted sites were based in Russia or Ukraine, and all of the command and control sites are based in the two countries.

What remains a mystery is how the malware is finding its way onto machines in the first place. “We were able to find reference to the malware’s original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe) that referred to Michael Lewis’ book ‘The Big Short: Inside The Doomsday Machine’ in Russian with an executable attachment.”

“Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It’s unclear if victims were enticed to run these files, and if so, if that is the only means of infection. The C&C sites did not offer additional clues as to the infection mechanism.”

Trend Micro has also warned that thousands of compromised sites based on WordPress, Drupal and Joomla are being used as part of a spamming botnet. The compromised sites contain a payload link and a spamming script, which are sent to users in a bid to spread malware.

Trend believes 195,000 domains and IPs have been infected as part of the StealRat spambot campaign. “The common denominator among these compromised sites is that they are running vulnerable CMS software,” it said in a blog post this week.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
