Wordfence have posted a useful article on a recent botnet that is doing the rounds on WordPress websites.
Full article
Botnet Profile: ChickenKiev
About the botnet: Vital Statistics
- Number of attack bots: 83
- Location: 35 bots in Ukraine, 10 in USA, 8 in UK, includes several other countries.
- Networks: Most bots are on 213.231.44.0/22, 91.210.144.0/22 and 109.200.224.0/19
- Time Active: At least 2 months, starting 24 November until present
- Responsible for: A large number of hack attempts and compromised websites.
How the CK Botnet Works
The owner of the CK botnet is feeding CK stolen WordPress administrator credentials which the botnet uses to sign into WordPress websites and perform its malicious activity. The credentials are probably acquired through brute force attacks. The attacker may have performed the attacks themselves or has managed to acquire a database of compromised credentials from someone else.
At the start of its attack, CK logs into WordPress websites and uses the WordPress theme or plugin upload tools to install fake themes or plugins containing malicious code. Once it has the base malicious payload installed, CK installs additional backdoors and code that uses the website for malicious purposes.
The access log below shows a typical series of requests where CK is doing its initial infection of the website. This is a real access log from a website that was infected by CK which we repaired. We have redacted sensitive information to protect our site cleaning customer’s privacy.
How to Protect Yourself from CK
CK's owners need to get WordPress administrator logins to be able to install their malicious code. To do this they need to engage in brute force attacks or find another way to steal an administrator username and password.
Here are a few things you can do to keep your admin account safe:
- Enable Wordfence on your website. It provides excellent brute force protection in the free and paid version.
- If you are a Premium Wordfence user, enable two factor authentication, also called cellphone sign-in.
- Ensure you use a long and complex password. 12 characters or more with a random combination of letters, numbers and symbols. Include upper and lower-case letters.
- Make sure the Wordfence Firewall is enabled to block exploits that can compromise your admin account.
- Don’t use the same password on other WordPress websites or accounts. If one of your sites is hacked this can result in the others getting hacked too.
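The article says CK's first step shows up in the access log as an admin login followed by a theme or plugin upload, but the quoted post does not include that log. The following is an added example (not Wordfence's code or the article's log) that scans Apache-style access log lines for two signals: a client in the netblocks the profile lists, and a successful POST to the stock WordPress login page followed by a POST to the theme/plugin upload handler. The WordPress paths and the sample log lines are assumptions I constructed for the demonstration.

```python
import ipaddress
import re

# Netblocks the Wordfence profile above attributes to the CK botnet.
CK_NETWORKS = [ipaddress.ip_network(n) for n in
               ("213.231.44.0/22", "91.210.144.0/22", "109.200.224.0/19")]

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Stock WordPress login endpoint and theme/plugin upload handler. These paths
# are an assumption about where the "log in, then upload" sequence appears;
# the article does not reproduce its redacted log.
LOGIN_PATH = "/wp-login.php"
UPLOAD_RE = re.compile(r"^POST /wp-admin/update\.php\?action=upload-(theme|plugin)")


def in_ck_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CK_NETWORKS)


def find_ck_activity(lines):
    """Return {ip: [reasons]} for clients from a CK netblock or clients that
    perform an admin login followed by a theme/plugin upload."""
    logged_in = set()
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, req, status = m["ip"], m["req"], m["status"]
        if in_ck_network(ip) and "ck-netblock" not in findings.get(ip, []):
            findings.setdefault(ip, []).append("ck-netblock")
        # Stock WordPress answers a successful POST /wp-login.php with a 302.
        if req.startswith(f"POST {LOGIN_PATH}") and status == "302":
            logged_in.add(ip)
        elif ip in logged_in and UPLOAD_RE.match(req):
            kind = UPLOAD_RE.match(req).group(1)
            findings.setdefault(ip, []).append(f"login-then-{kind}-upload")
    return findings


# Constructed sample log lines (not the article's real log).
SAMPLE_LOG = [
    '213.231.45.17 - - [28/Nov/2016:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '213.231.45.17 - - [28/Nov/2016:03:14:09 +0000] "GET /wp-admin/theme-install.php?upload HTTP/1.1" 200 41230',
    '213.231.45.17 - - [28/Nov/2016:03:14:12 +0000] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 3120',
    '203.0.113.5 - - [28/Nov/2016:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [28/Nov/2016:09:00:30 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 8000',
]
```

Run `find_ck_activity(SAMPLE_LOG)` to get the flagged IPs; a legitimate admin (203.0.113.5) logs in without uploading anything and is not reported.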