The California-based security firm Sucuri reports that approximately “162,000 legitimate WordPress sites” have been hijacked by hackers and connected to “a criminal botnet” which forces each to launch “distributed denial-of-service (DDoS) attacks”, according to an article published by the V3.CO.UK website. The firm confirms that the hackers succeeded in mounting this attack by exploiting “a well-known flaw in WordPress code”, according to the article.
The article indicates that Sucuri “uncovered the botnet when analysing an attack targeting one of its customers” and successfully traced “the source of the attack to legitimate WordPress sites.” Daniel Cid, Sucuri CTO, was quoted in the article as saying, “The most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending random requests at a very large scale and bringing the site down. Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.”
Arbor Networks’ solutions architect Gary Sockrider was also quoted in the article as saying, “It’s not uncommon that cyber criminals use PHP web application servers as bots in the attacks. Many WordPress sites, often using the out-of-date TimThumb plugin, were compromised in the past – the same happened to Joomla and other PHP-based applications. Attackers usually target unmaintained servers to which the attackers upload PHP web shells and then use those shells to further deploy attack tools. Attackers connect to the tools either directly or through intermediate servers, proxies or scripts.”