Botnet of Infected WordPress Sites Attacking WordPress Sites

The Defiant Threat Intelligence team recently began tracking the behavior of an organized brute force attack campaign against WordPress sites. This campaign has created a botnet of infected WordPress websites to perform its attacks, which attempt XML-RPC authentication to other WordPress sites in order to access privileged accounts.

Between Wordfence’s brute force protection and the premium real-time IP blacklist, we have blocked more than five million malicious authentication attempts associated with this attack campaign in the last thirty days alone.

The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru. They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites. The diagram below illustrates the attack chain.

In the post below, we describe this attack chain in detail for the benefit of researchers, vendors and security operations teams. We have omitted or redacted data in some cases because the C2 servers and infected WordPress sites are still online and may be exploited by others. Our team is sharing data with law enforcement related to this investigation. We are also providing data to affected hosts to help them remediate infected machines on their networks.

Brute Force Attack Scripts Identified

In our research of this campaign we determined that the IPs performing the brute force attacks were nearly all associated with popular web hosting providers, and that the attacks were all targeting WordPress’s XML-RPC interface at /xmlrpc.php. We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, like wp-iphone and wp-android. Since these applications typically store credentials locally, it was unusual to see a significant amount of failed logins from them, which drew our attention. We identified over 20,000 WordPress slave sites that were attacking other WordPress sites.

WordPress Attacking WordPress

With this data in hand, we went on to identify brute force attack scripts present on infected WordPress sites matching the attacks we were tracking. The scripts target the XML-RPC interface of WordPress sites to test username/password pairs, and randomly spoof the User-Agent string of each request:

foreach ($request as $i => $id) {
    $xmlualist  = array("Poster", "WordPress", "Windows Live Writer", "wp-iphone", "wp-android", "wp-windowsphone");
    $xmlual = $xmlualist[array_rand($xmlualist)];

The brute force script takes command and control (C2) input via POST in order to define some execution settings, such as a JSON array of targeted domains and a local wordlist to be used:

if ($_POST['secret']=='111'){
    $timer = time();
    ini_set('memory_limit', '-1');
    ini_set('max_execution_time', 500000000000);
    $request = array();
    if(checkWordsList($_POST['wordsList'], $_POST['path'], $_POST['hash'])){
        $domainsData = json_decode($_POST['domainsData'], true);
        foreach($domainsData as $item){
            $brutePass = createBrutePass($_POST['wordsList'], $item['domain'], $item['login'], $_POST['startPass'], $_POST['endPass']);
            $request[] = array('id'=>$item['id'], 'user'=>$item['login'], 'request'=>createFullRequest($item['login'], $brutePass),'domain'=>'http://' . trim(strtolower($item['domain'])).'/xmlrpc.php', 'brutePass'=>$brutePass);


Dynamic Wordlist Generation

The wordlists associated with this campaign contain small sets of very common passwords. However, the script includes functionality to dynamically generate appropriate passwords based on common patterns. A few examples of these patterns are:

  • %domainPattern%
  • %userName%
  • %userName%1
  • %userName%123
  • %userName%2018
  • %userName%2017
  • %userName%2016

In other words, if the brute force script was attempting to log on to as the user alice, it will generate passwords like example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets.

Multicall Functionality

WordPress’s XML-RPC interface saw an upswing in brute force attacks in 2015, when attacks leveraging multicall functionality became popular. In short, using this interface an attacker could send a large number of user/password pairs in a single request. WordPress would test each pair, and return a list of successes and failures. This technique made the brute force attack process much easier to launch at scale, since an attacking device would only need to send a single batch of credentials and wait for a reply.

The brute force script in this campaign is built to perform this type of multicall attack by default. The code snippet below shows the function that, when given a username and array of passwords, will assemble a single XML object containing all of the passwords to be attempted.

function createFullRequest($login, $passwords){
    $xml = createRequestXML();
    for($i = 0; $i saveXML();
    return $request;

The C2 systems issuing instructions to the brute force script can optionally define $startPass and $endPass variables, which tell the script to only attempt a subset of passwords on a given list instead of running the entire set.

Multicall Attacks No Longer Effective (Mostly)

Many WordPress users may not be aware that this XML multicall attack is no longer effective. A patch to wp-includes/class-wp-xmlrpc-server.php was introduced in WordPress 4.4. With this patch, if one login attempt in an XML-RPC request fails on a targeted website, that website will immediately fail all subsequent attempts in the same request, even if the credentials are valid.

The XML-RPC patch to WordPress 4.4 was released quietly, and isn’t disclosed in the release notes. It also hasn’t been backported to earlier WordPress branches like the majority of security fixes, despite being a relatively uninvasive patch. To clarify, even if a site is on the latest security release of a WordPress branch from 4.3 and older, it can be vulnerable to this attack method.

The attackers in this campaign seem to be aware of this improvement. A number of requests from C2 systems to (formerly) infected sites have been intercepted by the Wordfence firewall, and these requests all define the same value for the $startPass and $endPass parameters described above. This means that the attack scripts end up attempting authentication with one user/password combination at a time, effectively deprecating the script’s own multicall functionality.

Attacker Infrastructure Revealed

As mentioned above, we’ve been able to capture requests sent from C2 systems to the network of infected WordPress sites, and have been successful in acquiring a great deal of intelligence from this data.

Central C2 Servers Identified

The attack chain in this campaign made use of multiple layers of abstraction between the attacker and target sites. Brute force attacks are executed by a network of infected WordPress sites, which receive instructions via a network of proxy servers, so it would typically be very difficult to track the central C2 servers behind it all. We were fortunate, though, that the attacker made some mistakes in their implementation of the brute force scripts.

Since the scripts each make use of wordlists stored on the same infected WordPress site, they include functionality to regenerate these wordlists if necessary:

function checkWordsList($filename, $path, $hash){
    if(file_exists($_SERVER["DOCUMENT_ROOT"].'/'.$filename) and md5_file($_SERVER["DOCUMENT_ROOT"].'/'.$filename) == $hash){
        return true;
        downloadCurlTarg($path, $_SERVER["DOCUMENT_ROOT"].'/'.$filename);
        if(file_exists($_SERVER["DOCUMENT_ROOT"] . '/' . $filename) and md5_file($_SERVER["DOCUMENT_ROOT"] . '/' . $filename) == $hash){
            return true;
            return false;

The checkWordsList() function is passed a $path argument which defines a remote address containing the wordlist to be used. If the local wordlist is missing, the script will download the list from the given address. This path is provided alongside the rest of the POST data sent from the proxy servers to the brute force script. Requests intercepted by our firewall included this path, which contained an IP address.

This IP pointed to a server which contained a login page, which suggested we found something big.

Simple login screen found on the C2 servers.

We went on to identify a total of four active command and control servers involved in the brute force campaign.

C2 Interface Access

Brief analysis of the C2 sites revealed that, despite the login page, authentication to these systems wasn’t actually enforced. Attempting to access pages on the C2 interface would trigger a 302 redirect to the login page, but the application still sent the page data alongside the redirect.

cURL request to the homepage of a C2 server. Note the 302 redirect to /login.php, as well as the HTML response that follows it.

Using BurpSuite, we created a proxy rule that ignores this login redirect, which gave us the ability to browse the interface of the C2 application freely. Contained within the interface was a number of features, including the ability to access a list of “slaves”, which referred to the infected WordPress sites containing brute force scripts.

One view available in the C2 interface showing a list of logs exported by the attacker.

Identified Connection To

With access to the interfaces of these C2 servers, we were able to identify the relationship between these servers and the proxy servers issuing commands to the “slave” sites. Each server contained a file in its webroot named proxy.txt. This file contains a list of nearly ten thousand SOCKS proxy addresses, with IP addresses and ports. These IP addresses coincided with the proxy servers we had previously identified, suggesting the C2 uses this file to randomly select a proxy when issuing each attack. We identified 14,807 proxy servers.

Interestingly, the proxy.txtfile on one of the C2 servers didn’t contain a list of proxy addresses, but instead contained an HTML document. The document was a copy of a 503 Service Unavailable error, including a link to Also in this document was Russian text which translates to “Authorization error: The validity period of this key is over, you can buy a new key.”

It turns out, even hackers forget to pay their bills.

Screenshot of the error document stored on a C2 server, suggesting the attacker failed to renew the API key used to access proxy lists.

Given the circumstances, it’s probable that the C2 server sources its list of SOCKS proxies from by directly storing the API response in proxy.txt. When the API returns an error, this error overwrites the proxy list.

C2 Servers and “Bulletproof” Hosts in Romania, Netherlands and Russia

The C2 servers we identified are hosted with providers known in the security community as “bulletproof” hosts. “Bulletproof” refers to hosts that are known for lax (if any) enforcement of abuse policies and legal action, making them a de facto safe haven for malicious activity.

According to MaxMind’s GeoLite2 ASN database, three of the identified C2 servers are associated with a company called HostSailor. HostSailor has been in the news for infamously threatening KrebsOnSecurity after the security publication drew attention to the company’s questionable practices.

Two of the C2 servers hosted at HostSailor are located in the Netherlands and one is in Romania. The remaining C2 server is hosted with SELECTEL, a Russian hosting provider which is referred to as bulletproof in discussions on forums like BlackHatWorld.

Cooperation With Authorities

A great deal of valuable data was gathered as a part of this investigation. Due to the nature of our work, our team maintains contact with a number of law enforcement agencies around the globe. While we typically share a great deal of data on these blog posts, like IP addresses and other indicators of compromise, in this case we have elected to retain some of this information in order to prevent interfering with possible future investigations.

In addition to law enforcement, we will be contacting some hosting providers we’ve identified with large numbers of infected “slave” sites. It is our hope that providing this information can help limit the effectiveness of this campaign by reducing the number of active sites launching attacks.

What Should Site Owners Do?

In order to prevent your site from falling victim to brute force attacks, it is valuable to implement restrictions and lockouts for failed logins. The Wordfence plugin features robust brute force protection, and the IPs launching the attacks are automatically blocked for Premium Wordfence users with access to the real-time IP blacklist.

The Wordfence scanner is effective at detecting the malware this attack campaign is dropping on affected websites. That detection capability is already in production for Premium customers and will be available for our community users in a few days.

If you believe your site is infected and launching attacks as part of this campaign, please consider making use of our site cleaning services. Our team is familiar with these cases and can ensure your issue is properly handled. You should also consider having our team perform a site security audit.


The Defiant Threat Intelligence Team identified a widespread campaign of brute force attacks against WordPress websites. These attacks were launched by malicious scripts planted on other WordPress sites, which received instructions from a botnet with a sophisticated attack chain, using a Russian based proxy provider. We are actively collaborating with law enforcement and hosting providers to mitigate the effects of this attack campaign and the threat actor involved.

Credits: Author Mikey Veenstra. Research by Brad Haas and Mikey Veenstra. Additional contributions from James Yokobosky, Paolo Tresso and Gregory Bloom. Edited by Mark Maunder and Dan Moen. Artwork by Syndel Klett.


The post Botnet of Infected WordPress Sites Attacking WordPress Sites appeared first on Wordfence.


Thousands of Hacked Home Routers are Attacking WordPress Sites

Last week, while creating the Wordfence monthly attack report, we noticed that Algeria had moved from position 60 in our “Top Attacking Countries” list to position 24. That was a big jump and we were curious why Algeria had climbed the attack rankings so rapidly.

What we discovered on closer examination is that over 10,000 IP addresses in Algeria were attacking WordPress websites in March. Most IPs were only launching between 50 and 1000 attacks during the entire month.

The following chart is a histogram. It groups IP addresses by the number of times they attacked. As you can see by the spike on the left, the most common number of attacks was around 100 to 200 for an IP address. Few of the attacking IPs generated more than 2,000 attacks during the entire month of March, 2017.

We wanted to learn more about these attacking IPs, so we dug a little deeper.

A Botnet Using Burst Attacks

We extracted the list of Algerian attack IPs and we included the time of first attack logged and the time of last attack logged. The majority of the IPs spent just a few hours attacking and then stopped for the rest of the month. The histogram below shows how many IPs spent less than a day (shown as 0) attacking compared to those that spent 1 or more days. As you can see over 7,000 IPs spent just a few hours attacking during March before they stopped.

These IPs switch on, perform a few attacks and then switch off and aren’t heard from again for a month. What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours.

The attacker controlling this botnet is using several evasive techniques. They are spreading their attacks across a very large number of IP addresses. They are using low frequency attacks to avoid being blocked. They are also spreading their attacks across a large number of WordPress sites.

These evasive techniques indicate a higher level of sophistication than we see from, for example, “PP Sks-Lugan” which we’ve written about in the past where we see a single IP generating millions of attacks.

Hacked Home Routers Hacking WordPress

When we looked at who owns each of the attacking IPs in Algeria, we found, over 97% of them are owned by Telecom Algeria. There are approximately 30 different ISPs in Algeria. We do see some attacks from other networks, but nothing compared to the volume that originates from Telecom Algeria.

The attacks we saw in March originated from the following networks:

  • which ranges from to had 4671 attacking IPs in March.
  • which ranges from to had 4591 attacking IPs in March.
  • which ranges from to had 715 attacking IPs in March.
  • which ranges from to had 401 attacking IPs in March.

Telecom Algeria is the state owned telecommunications provider in Algeria. It is therefore the largest telecommunications provider in the country.

We performed a network survey on a sample of 8,962 IPs on Telecom Algeria’s network. We received responses from 3,855 IP addresses.

Out of those IPs we discovered that  1501 are Zyxel routers that are listening on port 7547 and are running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)”.

Allegro RomPager 4.07 is an embedded web server that has a severe vulnerability, dubbed the Misfortune Cookie by Checkpoint, who discovered it in 2014. The identifier is CVE-2014-9222.

It appears that attackers have exploited home routers on Algeria’s state owned telecommunications network and are using the exploited routers to attack WordPress websites globally.

Other ISPs With Vulnerable Routers

Algeria drew our attention because its country ranking jumped from 60 to 24 in our top attacking countries for March. Once we took a closer look at the attacking IPs, we were able to identify a specific pattern of behavior for these attack IPs:

  • They generally attack for less than 48 hours and then stop.
  • Most of them generate less than 1000 attacks.
  • There is usually a large number of attacking IPs on a single ISP.

By searching for similar patterns, we found that there are several other ISPs that seem to have the same problem that Telecom Algeria has.

BSNL – India

BSNL is a state owned telecommunications provider in India. During March we saw attacks from 11,495 IPs on their network.

In a survey of BSNLs network, we found that:

  • 11,495 IPs on BSNLs network attacked WordPress sites in March.
  • Out of those attacking IPs, 4857 IPs also have port 7547 open.
  • We found that 1635 of the IPs that attacked WordPress sites are also running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)” which is vulnerable.

PLDT aka. Philippine Long Distance Telephone

PLDT is the largest telecommunications provider and digital services company in the Philippines.

In a survey of PLDT’s network we found that:

  • 3697 IPs on their network attacked WordPress sites in March.
  • 1612 of those attacking IPs on PLDTs network have port 7547 open.
  • 137 of those IPs are running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)” which is vulnerable to remote exploitation.

28 ISPs with Suspicious Attack Patterns Indicating Compromised Routers

Once we could identify the attack pattern of compromised routers, we searched for other ISPs where the attack patterns fit the same criteria. That is, low frequency of attacks, each IP attacks for less than 48 hours and a large number of IPs are attacking WordPress sites from a specific ISP.

This is the full list of ISPs we found globally where attacks that match this criteria are originating from. Notice the low “average attacks per IP column” on the right of the table (scroll right) and the large number of attacking IPs per ISP.

What is port 7547 and TR-069 and why is it a problem?

Port 7547 is a management port on home routers. It allows ISPs to manage the routers that their customers use on their home networks. It uses a protocol called TR-069 to provide a management interface. The TR-069 protocol can be used to provision devices, provide tech support and remote management, monitor routers for faults, for diagnostics, to replace a faulty configuration and to deploy upgraded firmware.

This protocol and port has had at least two serious security vulnerabilities associated with it in the past 4 years.

We have already mentioned the misfortune cookie vulnerability which targets management port 7547 and which some of the ISPs above are suffering from. RomPager version 4.07 suffers from the misfortune cookie vulnerability. In the ISPs that we are seeing attacks originating from, 14 out of 28 ISPs have remotely accessible routers that have a vulnerable version of RomPager version 4.07 on port 7547

Another vulnerability emerged in November last year which allows an attacker to use port 7547 and the management interface to gain administrative access to a router.

6.7% of Attacks on WordPress Sites are from Home Routers with Port 7547 Open

In addition to the network surveys we did on ISPs from which attacks are originating, we also surveyed 865,467 additional IP addresses which have engaged in brute force or complex attacks during the past 3 days. Out of those, 57,971 have port 7547 open indicating that they are home routers from which attacks are originating.

That means that 6.7% of all attacks on WordPress sites that we protect, during the past 3 days, came from home routers that have port 7547 open.

Shodan, an internet survey search engine, currently shows that over 41 million devices on the Internet are listening on port 7547. The TR-069 protocol is widely used among ISPs world-wide.


The Security Risk to Home Users

If a home router is successfully exploited, an attacker can access your internal home network. They have penetrated any firewall function that the router provides and can also bypass router network address translation. This enables them to exploit internal targets like workstations, mobile devices using WiFi and IoT devices like home climate control systems and home cameras.

We are already seeing bulk exploitation of TR-069 which has turned home routers into a botnet attacking WordPress sites. It is quite feasible that home network exploitation is already underway as well.

Security Risk to the Internet at Large

OVH was hit by a 1 Terabyte DDoS attack in September last year, one of the largest in history. Approximately 152,000 IOT (Internet of Things) devices that had been compromised generated the traffic in that attack.

In just the past month we have seen over 90,000 unique IP addresses at 28 ISPs that fit our compromised-router attack pattern. We monitor these attacks across our customer websites which is an attack surface of over 2 million websites. We only see a sample of the attacks that all websites globally experience. If you extrapolate the numbers, it indicates that there is a very large number of compromised ISP routers out there performing attacks and acting in concert.

At this point it would not be a stretch to say that vulnerabilities in TR-069 may have created a very large botnet which could soon generate the largest DDoS attack the Internet has ever seen.

How ISPs can help

Exposing port 7547 to the public Internet gives attackers the opportunity to exploit vulnerabilities in the TR-069 protocol. ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547. The only traffic that should be allowed is traffic from their own Auto Configuration Servers or ACS servers to and from customer equipment.

There are already a large number of compromised routers out there. ISPs should immediately start monitoring traffic patterns on their own networks for malicious activity to identify compromised routers. They should also force-update their customers to firmware that fixes any vulnerabilities and removes malware.

What we are doing

At Wordfence we run a real-time IP blacklist for our premium customers. We are adjusting our blacklist algorithms to identify and include IP addresses that engage in these kinds of attacks. We are also working to create awareness among ISPs and security professionals about the risk that TR-069 presents and how they can help to mitigate that risk.

The post Thousands of Hacked Home Routers are Attacking WordPress Sites appeared first on Wordfence.


Analysis: Methods and Monetization of a Botnet Attacking WordPress

At Wordfence we see a huge range of infection types every day as we help our customers repair hacked websites. We also find new kinds of malware as we analyze the forensic data we gather from a range of sources. Our normal day involves turning that forensic data into firewall rules and scan signatures which we deploy to your Wordfence firewall and malware scan via our Threat Defense Feed.

Those rules and signatures are then used by Wordfence to protect your site against the newest attacks. Our Premium customers receive those rules in real-time and our free customers have a 30 day delay.

Occasionally, as we examine our forensic data and turn it into threat intelligence, we run across interesting behaviors both in human attackers and the bots they control. Recently our analysts took a closer look at a botnet that is using stolen WordPress usernames and passwords to compromise WordPress sites and generate an income from the hacked sites.

In this post we go into some detail about how this botnet works and how its owners make money. We have given this botnet the codename “ChickenKiev” or CK for short.

Botnet Profile: ChickenKiev

About the botnet: Vital Statistics

Number of attack bots 83
Location: 35 bots in Ukraine, 10 in USA, 8 in UK, includes several other countries.
Networks Most bots are on:, and
Time Active: At least 2 months starting 24 November until present
Responsible for: A large number of hack attempts and compromised websites.

How the CK Botnet Works

The owner of the CK botnet is feeding CK stolen WordPress administrator credentials which the botnet uses to sign into WordPress websites and perform its malicious activity. The credentials are probably acquired through brute force attacks. The attacker may have performed the attacks themselves or has managed to acquire a database of compromised credentials from someone else.

At the start of its attack, CK logs into WordPress websites and uses the WordPress theme or plugin upload tools to install fake themes or plugins containing malicious code. Once it has the base malicious payload installed, CK installs additional backdoors and code that uses the website for malicious purposes.

The access log below shows a typical series of requests where CK is doing its initial infection of the website. This is a real access log from a website that was infected by CK which we repaired. We have redacted sensitive information to protect our site cleaning customer’s privacy.

As you can see, this bot which is part of the CK botnet visits wp-login.php and signs in as an ordinary user would. It then visits the plugin installation page in the WordPress administrative console. It installs a plugin that is made to look like the popular BB Press forum software.

At this point, infection by CK is complete. The bb_press.php code contains a backdoor that allows the attacker that is controlling CK full and continuous access to the hacked website.

What CK Installs on Hacked WordPress Sites

In addition to the fake BB Press plugin shown in the log above, we have seen CK also install the following fake plugins or themes:

  • /wp-content/plugins/wp-db-ajax-made
  • /wp-content/plugins/Akismet3
  • /wp-content/themes/sketch

CK uses a well known shell as a backdoor which is known as the WSO shell. It stores the backdoor in a file called wp-ajax.php which is made to look like a legitimate WordPress core file.

The backdoor is installed in fake theme and plugin directories and is also inserted by CK into real plugin and theme directories. Here are some of the locations we have found CK’s backdoor. Most of these locations use the filename wp-ajax.php. In some cases a different filename is used.

  • /wp-content/plugins/wp-db-ajax-made1/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made/wp-ajax.php
  • /wp-content/plugins/ml-slider/wp-ajax.php
  • /wp-content/plugins/siteorigin-panels/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made/wp-ajax.php
  • /wp-content/plugins/Akismet3/wp-ajax.php
  • /wp-content/plugins/accesspress-twitter-auto-post/wp-ajax.php
  • /wp-content/plugins/advanced-custom-fields/wp-ajax.php
  • /wp-content/plugins/ajax-thumbnail-rebuild/wp-ajax.php
  • /wp-content/plugins/bb_press/wp-ajax.php
  • /wp-content/plugins/bb_press1/wp-ajax.php
  • /wp-content/plugins/bb_press2/wp-ajax.php
  • /wp-content/plugins/oa-social-login/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made-1/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made-2/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made/wp-ajax.php
  • /wp-content/themes/sketch/404.php
  • /wp-content/themes/twentyeleven/wp-ajax.php
  • /wp-content/themes/twentyfourteen/author.php
  • /wp-content/themes/twentyfourteen/wp-ajax.php
  • /wp-content/themes/twentyten/wp-ajax.php
  • /wp-content/themes/twentythirteen/wp-ajax.php
  • /wp-content/themes/twentytwelve/author.php

How CKs Operators Profit from Hacking Your Site

Once CK has infected your site, we have a seen the operators engage in a range of malicious activity. One of the ways these operators profit is by injecting their own Google ad banners into your site header files.

This causes your website to serve Google ads associated with the CK operator’s Google account. They profit from your website serving Google ads.

The CK operators inject their own Google ad code into your site header by using the WSO shell they installed. They can use the shell to execute any PHP code on your website. To install their ads, they execute the following code via their shell: (We have redacted sensitive content)

The code above searches for files called header.php or header-homepage.php. It looks for the closing tag in those files. It adds the Google ad banner code just before your site’s closing tag.

This causes your site to serve their own Google ads, allowing them to profit from the traffic that is visiting your website.

We have seen CKs operators engage in other malicious activity like installing additional administrative code to help them control hacked sites and installing code that redirects a hacked website’s traffic to other websites that they control.

How to Protect Yourself from CK

CKs owners need to get WordPress administrator logins to be able to install their malicious code. To do this they need to engage in brute force attacks or find another way to steal an administrator username and password.

Here are a few things you can do to keep your admin account safe:

  • Enable Wordfence on your website. It provides excellent brute force protection in the free and paid version.
  • If you are a Premium Wordfence user, enable two factor authentication, also called cellphone sign-in.
  • Ensure you use a long and complex password. 12 characters or more with a random combination of letters, numbers and symbols. Include upper and lower-case letters.
  • Make sure the Wordfence Firewall is enabled to block exploits that can compromise your admin account.
  • Don’t use the same password on other WordPress websites or accounts. If one of your sites is hacked this can result in the others getting hacked too.

The Wordfence malware scan detects all of the indicators of compromise that CK leaves behind. If you are worried that you may have been hacked, simply run a Wordfence scan to check your site status. Wordfence also does an excellent job of preventing any compromise from happening in the first place.

What to do if you have been hacked

At Wordfence we have an excellent team of security analysts who respond to incidents many times every day. If you have been hacked, our team can determine why, close any security holes, clean the hack and get you back up and running within a very short time.

Our site cleaning service includes blacklist removal, a 1 year Wordfence Premium license and we provide an in-depth report to help you understand what happened and how to prevent a hack in future.

Wordfence site cleaning is also very reasonably priced at $149 with no surprise fees and we provide excellent customer service.

Stay Safe

I’d like to encourage you to share this post with the community to create awareness and help other site administrators avoid a hack. If you have any questions or comments, please post them below and as always I’ll be around to reply when needed. Have a great week and stay safe!

Mark Maunder – Wordfence Founder/CEO.

Credits: Thanks to Senior Wordfence Security Analyst Brad Haas for doing the forensic analysis in this post. Additional thanks to members of our site cleaning team for their help. Thanks to Dan Moen for editing. 

The post Analysis: Methods and Monetization of a Botnet Attacking WordPress appeared first on Wordfence.


Hacking a WordPress Botnet

While analyzing some of the attacks we see on the Wordfence Web Application Firewall, we discovered code that an attacker was trying to upload that was part of a botnet. In case you’re not in the information security space, a botnet is a network of ‘bot’ or ‘zombie’ machines that is controlled from a central command and control or C&C server.

In the case of this botnet, it was controlled via a chat service called IRC or Internet Relay Chat. IRC is a popular way of controlling botnets because you can have all the ‘bot’ or zombie machines connect to the chat server and join a channel to receive broadcasts. This allows the botnet owner to simply sign into the chat server and broadcast commands to all the zombies which they run at the same time.

The code below shows a typical hack attempt where the attacker is trying to inject their botnet code into a targeted WordPress site. Wordfence blocks this attack and any attack that includes this botnet code.

Once a WordPress site is compromised with this attack, the infected server connects to an IRC chat server, ready to receive commands and do the botnet owner’s bidding.

The owner might use those zombie WordPress sites to attack more sites. Or he might use them to launch a distributed denial of service or DDoS attack on someone, overwhelming them with traffic. He could also simply deface all the sites in his botnet with SEO spam.

The hashed password is shown next to LND-Bloodman’s username above. We’ve blurred the encoded command and control server IP address. The content length is over 25K so this is a reasonably long script.

The Wordfence team decided to analyze the botnet code and try to identify who was running the botnet.

Going After the Command and Control Servers

During our analysis of the malicious code, we found five IP addresses of IRC command and control servers (C&C servers) for this botnet. Two of them were down. Three were still up.

We created modified zombie code to connect to the C&C servers and do further analysis. Our code was designed to save all files it was commanded to download. It would also log all commands sent to it and not actually do anything malicious.

The botnet owner’s nickname/handle appears to be Bloodman.

One of the things we were hoping to get by doing this is Bloodman’s password that he uses to control his botnet. He had built his botnet zombie code so that whenever he sent a command to the zombies via the C&C server, it included a password.

The zombies would hash that password, compare the hash to what is stored in the code and if it matches, would know it’s Bloodman sending the command and would run the command.

The hash we found in the code, as you can see in the above image, is:


Googling this hash shows that the malware with this password has been seen before. A blogger saw an attack containing this hash in September last year.

The oldest Google result mentioning this hash is from December 2012 and is a request to crack the hash and turn it into the password which is still unsuccessful. This indicates with a high degree of certainty that Bloodman has been active and using this password since December 2012.

If one can reverse this hash, you can simply sign into any IRC server that Bloodman is using and have immediate control of his botnet.

We connected to all three of his C&C servers and after watching and waiting for about 48 hours we hit the jackpot. He signed in and sent a command to the botnet. We captured his password. The first part of it is:



We’ve intentionally starred out the rest of the password (which is long) to prevent anyone else from taking control of these botnets.

This allowed us to take control of his botnet if we wanted to. It turns out Bloodman also refers to himself as 1x33x7.

At this point we connected to one of the botnet servers:

We’ve blurred out any IP addresses or identifying information. The server is named to look like some kind of FBI honeypot. Considering it’s actively hacking WordPress sites, we’re guessing it’s a joke on the hacker’s part.

Joining the channel #1x33x7 where all the bots hang out shows us the following when we ask for a list of users:

There are 31 infected machines shown excluding the three users. And there is also LND-Bloodman hanging out in the channel.

The format of the nicknames shows some information about the compromised system including what web server software it’s running.

Running IRC’s ‘whois’ command on a few of the zombies shows that some of them are FreeBSD unix boxes. Others are running Windows Server 2012 or Windows 8 – both identify as “Windows NT 6.2 Build 9200.”

Running ‘whois’ on the two Bloodman accounts gave us two IP addresses and a possible email address with a first name.

At this point we have enough information to go ‘active’ and take control of the botnet and shut it down. The botnet has enough functionality for us to first delete any infected code and then kill the processes running on remote machines, thereby destroying the part of the botnet that is connected to this command and control server.

We chose not to shut down the botnet for two reasons:

Firstly the Computer Fraud and Abuse Act does not allow us to hack the hackers. So even though we had passively connected to this hacker’s command and control system, going active and changing the system could land us in some hot water with the FBI. We would rather observe and report because that is all the law allows unless you work for the military or a military agency in the United States.

Secondly, we were concerned that we may not have all the information and we may actually do harm by trying to disinfect remote machines.

We don’t think that shutting down a single C&C server or even all three C&C servers and their respective bots would do much good. Bloodman would simply regroup and reinfect new sites with new C&C servers.

Attribution – Who is doing this? 

To try to determine who controls this botnet, we started with both usernames that appear in the source code: Bloodman and 1x33x7.  One of those usernames pointed us to a Twitter account.  The Twitter account contains a german slogan “I am root” and various images of what is probably the botnet owner’s face.

The Twitter account links to a YouNow profile which is a live video broadcasting service – it uses the same username.

The YouNow profile linked to a YouTube account that uses the second username, which contains plenty of identifying information and a video of the botnet controller bragging about his botnet. He speaks German, likes to play with fireworks and we know what car he drives and have images of various German roads.

In addition to the open source intelligence above, we mined public data leaks and found a user profile on a hacker website that includes one of the usernames and the IP address the user last signed in from. That IP address is in Germany and belongs to Deutsche Telekom. Providing this to the authorities would probably reveal his full identity from ISP logs.


This is a small botnet with under 100 infected machines when you combine all the C&C servers together. This individual is launching under 2000 attacks per week. While they are inconvenient and consume resources, they are all blocked by the Wordfence Firewall.

We are working with net block owners to let them know about machines, particularly C&C servers that are on their network and are likely compromised.

We think that discussing the tactics, techniques and procedures of attackers, both small and large helps us all better understand what we are protecting our WordPress sites against and how to do a better job.

The post Hacking a WordPress Botnet appeared first on Wordfence.