[Ipg-smz] wordpress attack

Tom Henderson thenderson at extremelabs.com
Fri Oct 26 15:05:09 UTC 2018


Greetings Guilders,

One of my honeypot sites has been under attack for a week. I've written 
this up, but it'll be a while before it sees the light of HTML.

Here's a quick warning for Wordpress users: don't use an administrator 
that has the word admin in its name. Over 400 different IPs have been 
using variations on that name, then a dictionary attack until the site 
times out in failures. Create an administrator user with a tough-to-guess 
name, peppered with characters. Then delete the admin user that's 
there by default. Once they start, they do not relent, and complaints to 
ISPs in Laos and Albania go unanswered -- two of eleven ISPs infected 
with this botnet.

Crawlers also look for the names of posters, and I suspect that an 
attack of individual $poster_name is next. It's methodical, and fun to 
watch.

Summary: no "admin" string in your administrative logon name; do not let 
that administrative user post anything so that its name is unknown to 
crawlers.

Tom

-- 
Tom Henderson
ExtremeLabs, Inc.
+1 317 250 4646
Twitter: @extremelabs
Skype: extremelabsinc
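As an added example (not part of Tom's post or any WordPress code), here is a small detector for the pattern described above: many source IPs hammering variations of "admin" with failed logins, plus a check of the post's advice that no administrator account name contain "admin". The log format is assumed: one line per failed login, "timestamp ip username", as a `wp_login_failed` hook could write; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of failed-login records (not real data); assumed format:
# "<ISO time> <client IP> <username attempted>", one record per line.
SAMPLE_LOG = """\
2018-10-20T03:14:01Z 203.0.113.5 admin
2018-10-20T03:14:02Z 203.0.113.5 admin
2018-10-20T03:14:03Z 198.51.100.7 Admin
2018-10-20T03:14:05Z 198.51.100.7 administrator
2018-10-20T03:15:00Z 192.0.2.9 wpadmin
2018-10-20T03:15:01Z 192.0.2.9 admin1
2018-10-20T03:16:10Z 203.0.113.77 tom
2018-10-20T03:16:11Z 203.0.113.77 admin
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
ADMIN_RE = re.compile(r"admin", re.IGNORECASE)  # "admin" anywhere, any case


def parse_failed_logins(text):
    """Yield (timestamp, ip, username) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def summarize(text):
    """Per attempted username: distinct source IPs, total failures, admin-variant flag."""
    ips, fails = defaultdict(set), defaultdict(int)
    for _, ip, user in parse_failed_logins(text):
        ips[user].add(ip)
        fails[user] += 1
    return {u: {"ips": len(ips[u]), "failures": fails[u],
                "admin_variant": bool(ADMIN_RE.search(u))} for u in ips}


def distributed_admin_targets(text, min_ips=2):
    """Admin-variant usernames tried from at least min_ips distinct addresses (botnet-style)."""
    return sorted(u for u, v in summarize(text).items()
                  if v["admin_variant"] and v["ips"] >= min_ips)


def weak_admin_names(admin_users):
    """Site-side check of the post's advice: administrator accounts whose name contains 'admin'."""
    return [u for u in admin_users if ADMIN_RE.search(u)]


if __name__ == "__main__":
    for u, v in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{u:15} ips={v['ips']} failures={v['failures']} admin_variant={v['admin_variant']}")
    print("distributed admin-variant targets:", distributed_admin_targets(SAMPLE_LOG))
    print("weak administrator names:", weak_admin_names(["admin", "x7q-rn"]))
```

Feed it your real failed-login log and the list of administrator usernames from your site; any name returned by `weak_admin_names` is one the post says to rename and stop posting under.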