Slashdot Mirror


Pwnd Aethra Routers Used To Brute-Force WordPress Sites (voidsec.com)

An anonymous reader writes: Security researchers found around 8,000 Aethra routers (with no admin passwords) as part of a botnet that attacked WordPress sites, trying to brute-force admin accounts. Most routers were deployed in enterprise networks in Italy. Each device could have been used to launch DDoS attacks with a capability between 1 and 10 Gbps, based on the company's bandwidth. Things could be worse, though: Additional investigation also revealed that some of the routers were also susceptible to various reflected XSS and CSRF attacks that would also allow attackers to take control of the device, even if using different login credentials. Using Shodan, a search engine for locating Internet-connected devices, researchers found over 12,000 Aethra routers around the world, 10,866 in Italy alone, and over 8,000 of these devices were of the model detected in the initial brute-force attack (Aethra Telecommunications PBX series). At that time, 70% of these Aethra routers were still using their default login credentials.

12 of 27 comments

  1. Wordpress needs brute forcing? by DCFusor · · Score: 1

    It always worked on the first try for most!

    --
    Why guess when you can know? Measure!
  2. Re:ISPs.... I wanna kill them by ls671 · · Score: 1

    Same old, same old. I have come to adapt to this. Here is an interesting link tending to show that people make the same mistakes over and over again without relevance to the era:

    http://www.tamingdata.com/2010...

    I have gotten to a point where I don't react to such events that much...

    I get more concerned with stuff like Heartbleed or Shellshock and other security updates.

    I run my own Linux router at home and in the data center. I would never use the ones provided by the provider.

    --
    Everything I write is lies, read between the lines.
  3. Protecting WordPress, Basics by Qbertino · · Score: 2

    - 'Rename Login' Plugins - there are various. Use them.
    - Use random character strings for usernames, especially admin users. Rename the nicename and the displayname to the role using a db tool.
    - Use a db prefix other than wp_ , I use random strings.

    Do all this upon or directly after the WP installation. This very basic security stuff deters attacks like the one mentioned in TFA and mitigates most of its effects.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Protecting WordPress, Basics by Anonymous Coward · · Score: 1

      Thanks. I'll post this as AC though I doubt I'll have time to fill up my allotted 50 posts today. I'm actually considering a WP install (I've not done one in years) and will keep those in mind. There are a few security plug-ins as well, some paid and some free. I'll probably do some research but I'll keep those things in mind and make sure I figure out how to do them.

      That post, the one right above mine, is one of the reasons I come to Slashdot. I've said it before, I'll say it again. Some of you are really smart and know some of the damnedest things. I can't think of any bad advice that I've followed from here. Hell, I even (kind of jokingly, sort of not) asked about my g/f before I decided to date her and take her with me on my wanderlust. (We bumped into each other by accident and she kind of stuck.) She's like 40 years my junior and I figured you'd helped me pick my favorite Linux distro so, I might as well ask for more advice. So far so good. *chuckles*

      Anyhow, thanks again. I even copied and pasted it into a text file so that I can look into 'em. Someone's gotta say thanks around here.

      KGIII

    2. Re: Protecting WordPress, Basics by Qbertino · · Score: 1

      Language?

      100 Million installs, 8000 successful hacks with the method mentioned in TFA - I'd say that's a pretty good security record. Even if WP is a mess - it's a mess that works.

      --
      We suffer more in our imagination than in reality. - Seneca
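
Added example, not part of the thread or of the linked research: the summary describes login guessing spread across thousands of routers, which per-IP lockout alone does not catch, so this sketch flags time windows in which many source IPs each send only a few POSTs to the WordPress login page. The log lines are constructed (documentation IP ranges), the combined log format and the thresholds are assumptions, and the hypothetical `login_path` parameter covers a login URL renamed as comment 3 suggests.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format prefix: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def parse(line):
    """Return (ip, timestamp, method, path without query) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0]

def find_distributed_bruteforce(lines, login_path="/wp-login.php",
                                window_s=300, min_ips=5, per_ip_limit=5):
    """Flag windows where at least min_ips sources each stay at or under per_ip_limit."""
    windows = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        ip, ts, method, path = rec
        if method == "POST" and path == login_path:
            bucket = int(ts.timestamp()) // window_s * window_s
            windows[bucket][ip] += 1
    alerts = []
    for bucket, per_ip in sorted(windows.items()):
        quiet = [ip for ip, n in per_ip.items() if n <= per_ip_limit]
        if len(quiet) >= min_ips:
            alerts.append({"window_start": bucket, "source_ips": len(per_ip),
                           "attempts": sum(per_ip.values()),
                           "max_per_ip": max(per_ip.values())})
    return alerts

# Constructed sample: six sources with two POSTs each, plus one ordinary user.
SAMPLE = [
    f'203.0.113.{i} - - [12/Dec/2015:10:0{i % 2}:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
    for i in range(1, 7) for _ in range(2)
] + [
    '198.51.100.7 - - [12/Dec/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900',
    '198.51.100.7 - - [12/Dec/2015:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Dec/2015:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    'garbage line',
]

if __name__ == "__main__":
    for alert in find_distributed_bruteforce(SAMPLE):
        print(alert)
```

No source in the flagged window exceeds two attempts, so a lockout set at five failures per IP would never trigger; the signal is the number of distinct sources.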
  4. Yup. by Anonymous Coward · · Score: 1

    You should have renamed Admin when you created the site. You should never have a test ID. And you should have https://wordpress.org/plugins/... to spam you in times like these...

  5. Re:ISPs.... I wanna kill them by KGIII · · Score: 1

    My ISP has been trying to get me to use their provided equipment for years now. I have three separate lines (long story, don't ask) and they send out three new router/modem combinations at least once a year. Last year I got six for some reason. They've called and told me I must. They've emailed me. I just tell them that I'd rather not and thank them for offering. I have a small stack of unopened ISP routers (from Fairpoint) at the house. They're certainly wasting money as they've never once asked for any of them back. I think I got an email once saying that I was supposed to start using theirs in 30 days or something like that. I didn't.

    Down here, I have cable and only turn it on when I am down here. I have some Motorola router/modem thing from NewEgg or Amazon probably. I think I had to call and give them the MAC the first time but I've not needed to do so since. I just call ahead, usually a week ahead, and they turn it on. I call when I leave and they turn it off again. It appears they turned on cable television this time. I don't recall asking for that but I might have.

    Meh... The missus is starting to get used to my watching documentaries so maybe it'll come in handy. We had the news on the other day. One of them there newfangled colored tele-visions. Except I don't actually recall buying that television. I've not been down here in a while so I'm guessing drugs or alcohol were somehow involved in the purchase of said tele-vision. It might have been one of the kids who picked it up while they were here. PCB is home of Spring Break and they've made more use of this place than I have.

    --
    "So long and thanks for all the fish."
  6. "Pwnd"? by NormalVisual · · Score: 1

    Really? Such a professional-sounding headline. "Compromised" might have offered a little more credibility rather than years-old teen l33t speak.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
    1. Re:"Pwnd"? by Fnord666 · · Score: 1

      Because "Posted by timothy on Saturday ..."

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  7. So how many routers were actually infected ? by Fly+Swatter · · Score: 1

    They mention numbers like 8000, but nowhere do they directly say how many were infected. Only that such number had the default (no) password. Damn fine journalism if you ask me!

  8. Re: ISPs.... I wanna kill them by KGIII · · Score: 1

    You missed last night. I don't normally drink but I had a couple with the kids and g/f. Fortunately, not too many and I didn't go off the rails ranting about something different. I'm kinda tired tonight so you'll have to find a new bedtime story.

    I recommend some awful (so bad it's good) science fiction.
    http://www.baenebooks.com/10.1...

    --
    "So long and thanks for all the fish."
  9. Aethra? WTF!?!?! by Hognoxious · · Score: 1

    It's like a tube. A tube full of piss.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."