Notifying Owners of Infected Wordpress Servers

I sent this letter today to four colleges, including MIT and Stanford:
Hello:

I am Sam Bowne, an instructor in the Computer Networking and Information Technology Department at City College San Francisco.

I was contacted today by a man whose server experienced a DDoS attack two days ago from many Wordpress servers. He sent me the logs, and your machines are on the list.

Here are the log entries coming from your school (redacted on my Web site):

xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:08 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:09 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:39 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:45 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.136 - - [25/Sep/2013:12:39:57 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:40:05 +0200] "GET / HTTP/1.1" 503 951 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:40:35 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:40:36 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.136 - - [25/Sep/2013:12:41:25 +0200] "GET / HTTP/1.1" 503 951 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:42:36 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.136 - - [25/Sep/2013:12:42:55 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"

I see that you are running an out-of-date version of Wordpress, but I don't think that's the common factor, because many of the servers used in this attack were running 3.6.1, the latest version of Wordpress.

A more likely possibility is that your server's password was weak, and guessed by brute force. There was an article about that in April of this year:

https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

If you would, please examine your Wordpress server and see if you can find evidence of compromise. I'd like to know what you find, because I have a list of many such servers and I'd like to know what to tell them to help them detect and clean the infections.

Feel free to contact me with any questions, or if I can be of any assistance.

Thank you,

Sam Bowne
Phone: REDACTED
Email: sbowne@ccsf.edu
Web: samsclass.info
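The letter above was written from a list of log entries, and the recipient is asked to match source IPs against their own WordPress installs. The following Python script is an added example, not code from Sam Bowne's post: it parses Apache combined-format lines like the ones quoted above, keeps only requests whose User-Agent is the "WordPress/<version>; <site URL>" string that WordPress's outbound HTTP client sends, and groups them by source IP and site so a defender can see hit counts, the time window, the burst rate, the WordPress version in use (compared here against 3.6.1, the latest version named in the letter), and the domain to notify. The sample log embeds the redacted lines from the letter plus one constructed non-WordPress line; the `latest_version` default and the 10.0.0.5 line are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Log lines copied from the letter above (redacted there), plus one constructed
# non-WordPress request (10.0.0.5) to show that unrelated traffic is ignored.
SAMPLE_LOG = """\
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:08 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:09 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
10.0.0.5 - - [25/Sep/2013:12:38:10 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed)"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:39 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:38:45 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.136 - - [25/Sep/2013:12:39:57 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:40:05 +0200] "GET / HTTP/1.1" 503 951 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:40:35 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:40:36 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.136 - - [25/Sep/2013:12:41:25 +0200] "GET / HTTP/1.1" 503 951 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.132 - - [25/Sep/2013:12:42:36 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
xyz.xyz.xyz.136 - - [25/Sep/2013:12:42:55 +0200] "GET / HTTP/1.1" 503 913 "-" "WordPress/3.4; http://xyz.edu/blog"
"""

# Apache "combined" log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent sent by WordPress's own HTTP client (e.g. pingbacks): "WordPress/<version>; <site URL>"
WP_UA_RE = re.compile(r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+)$')


def version_tuple(v):
    """'3.6.1' -> (3, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split('.'))


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    wp = WP_UA_RE.match(rec['ua'])
    rec['wp_version'] = wp.group('version') if wp else None
    rec['wp_site'] = wp.group('site') if wp else None
    return rec


def summarize_wordpress_sources(lines, latest_version='3.6.1'):
    """Group WordPress-originated hits by (source IP, site URL); one entry per source.

    latest_version defaults to the version the letter calls current (an assumption).
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['wp_version']:          # drop non-WordPress and unparseable lines
            groups[(rec['ip'], rec['wp_site'])].append(rec)
    summary = []
    for (ip, site), recs in sorted(groups.items()):
        versions = sorted({r['wp_version'] for r in recs}, key=version_tuple)
        per_minute = Counter(r['ts'].strftime('%Y-%m-%d %H:%M') for r in recs)
        summary.append({
            'ip': ip,
            'site': site,
            'domain': urlparse(site).hostname,  # who to notify
            'hits': len(recs),
            'versions': versions,
            'outdated': version_tuple(versions[0]) < version_tuple(latest_version),
            'first': min(r['ts'] for r in recs),
            'last': max(r['ts'] for r in recs),
            'peak_per_minute': max(per_minute.values()),
        })
    return summary


def by_domain(summary):
    """Merge per-IP entries by site domain: one record per owner to contact."""
    merged = defaultdict(lambda: {'ips': set(), 'hits': 0})
    for e in summary:
        merged[e['domain']]['ips'].add(e['ip'])
        merged[e['domain']]['hits'] += e['hits']
    return {d: {'ips': sorted(v['ips']), 'hits': v['hits']} for d, v in merged.items()}


def format_notice(e):
    """One line per source, in the shape a notification letter would quote."""
    flag = ', out of date' if e['outdated'] else ''
    return (f"{e['ip']} ({e['site']}, WordPress {'/'.join(e['versions'])}{flag}): "
            f"{e['hits']} hits, {e['first']:%H:%M:%S}-{e['last']:%H:%M:%S}, "
            f"peak {e['peak_per_minute']}/min")


if __name__ == '__main__':
    summary = summarize_wordpress_sources(SAMPLE_LOG.splitlines())
    for entry in summary:
        print(format_notice(entry))
    for domain, info in by_domain(summary).items():
        print(f"notify {domain}: {info['hits']} hits from {', '.join(info['ips'])}")
```

Run against a full access log (`summarize_wordpress_sources(open('access.log'))`) the same grouping produces the per-institution list the letter was compiled from; the 503 status on every quoted line is the victim's own response, so filtering on the User-Agent rather than on status is what isolates the WordPress sources. Note that a User-Agent is attacker-controlled text, so a site URL in it is a lead to verify against the source IP's reverse DNS or WHOIS, not proof of who owns the machine.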


Last modified 9-25-13 4:56 PM