Malware

Hakaied with love from Telecom Egypt

In the last two weeks I’ve seen a steady increase of bots trying to exploit a remote command execution flaw on D-Link routers. The majority of the attacks are originating from IP blocks belonging to Telecom Egypt Data.

Another significant WordPress brute-force attack in the works

So today I’ve experienced a more significant than usual attack against WordPress installations hosted on one of our company servers. So far I’ve blocked more than 17000 21000 unique IP addresses, but the attackers seem to have an endless supply and they’re not slowing down. Note: This article was updated on January 27, 2018.

Wordfence warns against a massive brute-force attack campaign

On the 18th of December Wordfence posted the following entry describing an ongoing distributed brute force-attack campaign targeting WordPress installations. It was accompanied by a dramatic chart highlighting the number of attacks per hour. According to Wordfence, it was the most aggressive campaign they’ve seen so far. However, as a WordPress hosting provider I’ve found no data to support these claims.

I’ve not experienced any increase in dictionary attacks or other malicious traffic against WordPress installations on our web hosting platform. Curiously enough, this would mark the first time that we have completely dodged such a large scale attack.

Malicious bots sending siteru as the HTTP referer

I’ve received a few hundred requests originating from bots setting site.ru as their referrer. These attacks are scanning for compromised WordPress installations and PHP based shells and backdoors. The attacking IP’s belong to compromised hosts and websites from service providers around the world.