
Analysis: Methods and Monetization of a Botnet Attacking WordPress

This entry was posted in General Security, Research, Wordfence, WordPress Security on January 24, 2017 by Mark Maunder

At Wordfence we see a huge range of infection types every day as we help our customers repair hacked websites. We also find new kinds of malware as we analyze the forensic data we gather from a range of sources. Our normal day involves turning that forensic data into firewall rules and scan signatures which we deploy to your Wordfence firewall and malware scan via our Threat Defense Feed.

Those rules and signatures are then used by Wordfence to protect your site against the newest attacks. Our Premium customers receive those rules in real-time and our free customers have a 30 day delay.

Occasionally, as we examine our forensic data and turn it into threat intelligence, we run across interesting behaviors both in human attackers and the bots they control. Recently our analysts took a closer look at a botnet that is using stolen WordPress usernames and passwords to compromise WordPress sites and generate an income from the hacked sites.

In this post we go into some detail about how this botnet works and how its owners make money. We have given this botnet the codename “ChickenKiev” or CK for short.

Botnet Profile: ChickenKiev

About the botnet: Vital Statistics

Number of attack bots: 83
Location: 35 bots in Ukraine, 10 in USA, 8 in UK, plus several other countries.
Networks most bots are on: 213.231.44.0/22, 91.210.144.0/22 and 109.200.224.0/19
Time active: At least 2 months, starting 24 November until present
Responsible for: A large number of hack attempts and compromised websites.

How the CK Botnet Works

The owner of the CK botnet is feeding CK stolen WordPress administrator credentials, which the botnet uses to sign into WordPress websites and perform its malicious activity. The credentials are probably acquired through brute force attacks. The attacker may have performed the attacks themselves or may have acquired a database of compromised credentials from someone else.

At the start of its attack, CK logs into WordPress websites and uses the WordPress theme or plugin upload tools to install fake themes or plugins containing malicious code. Once it has the base malicious payload installed, CK installs additional backdoors and code that uses the website for malicious purposes.

The access log below shows a typical series of requests where CK is doing its initial infection of the website. This is a real access log from a website that was infected by CK which we repaired. We have redacted sensitive information to protect our site cleaning customer’s privacy.

As you can see, this bot which is part of the CK botnet visits wp-login.php and signs in as an ordinary user would. It then visits the plugin installation page in the WordPress administrative console. It installs a plugin that is made to look like the popular BB Press forum software.

At this point, infection by CK is complete. The bb_press.php code contains a backdoor that allows the attacker that is controlling CK full and continuous access to the hacked website.
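
The request sequence described above can be searched for in an access log. The following is an added detection example, not the log or code from the original post; the admin URLs, the 302-on-successful-login check and the 10-minute window are assumptions about a standard WordPress install, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WINDOW = timedelta(minutes=10)  # assumed threshold, tune per site

# Constructed sample lines (documentation IP ranges); not the log from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:04:11:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2504
203.0.113.7 - - [10/Jan/2017:04:11:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2017:04:11:05 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9120
203.0.113.7 - - [10/Jan/2017:04:11:08 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 7011
203.0.113.7 - - [10/Jan/2017:04:11:10 +0000] "POST /wp-content/plugins/bb_press/bb_press.php HTTP/1.1" 200 312
198.51.100.20 - - [10/Jan/2017:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2790
198.51.100.20 - - [10/Jan/2017:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2790
192.0.2.44 - - [10/Jan/2017:12:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Jan/2017:12:31:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 15002
"""


def stage_of(method, path, status):
    """Map one request to a step of the chain (0 = not part of it)."""
    # Assumption: a successful WordPress login answers the POST with a 302
    # redirect, while a failed attempt re-renders the form with a 200.
    if method == "POST" and path.startswith("/wp-login.php") and status == 302:
        return 1
    if method == "POST" and re.match(r"/wp-admin/update\.php\?action=upload-(plugin|theme)", path):
        return 2
    if re.match(r"/wp-content/(plugins|themes)/[^/]+/[^/?]+\.php", path):
        return 3
    return 0


def find_login_upload_chains(log_text):
    """Return (ip, path) for clients that log in, upload a package, then
    request a PHP file inside wp-content directly, all within WINDOW."""
    state = {}  # ip -> (last completed stage, time of the login)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        stage = stage_of(m["method"], m["path"], int(m["status"]))
        done, started = state.get(ip, (0, None))
        if stage == 1:
            state[ip] = (1, ts)  # a new login restarts the chain for this IP
        elif stage == done + 1 and ts - started <= WINDOW:
            if stage == 3:
                hits.append((ip, m["path"]))
                del state[ip]
            else:
                state[ip] = (stage, started)
    return hits
```

A hit means an administrator session uploaded a package and then called a PHP file in it directly; a legitimate admin installing a plugin by upload rarely does the last step, so each hit is worth checking against who was actually working on the site at that time.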

What CK Installs on Hacked WordPress Sites

In addition to the fake BB Press plugin shown in the log above, we have seen CK also install the following fake plugins or themes:

  • /wp-content/plugins/wp-db-ajax-made
  • /wp-content/plugins/Akismet3
  • /wp-content/themes/sketch

CK uses a well-known web shell, the WSO shell, as its backdoor. It stores the backdoor in a file called wp-ajax.php, which is made to look like a legitimate WordPress core file.

The backdoor is installed in fake theme and plugin directories and is also inserted by CK into real plugin and theme directories. Here are some of the locations we have found CK’s backdoor. Most of these locations use the filename wp-ajax.php. In some cases a different filename is used.

  • /wp-content/plugins/wp-db-ajax-made1/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made/wp-ajax.php
  • /wp-content/plugins/ml-slider/wp-ajax.php
  • /wp-content/plugins/siteorigin-panels/wp-ajax.php
  • /wp-content/plugins/Akismet3/wp-ajax.php
  • /wp-content/plugins/accesspress-twitter-auto-post/wp-ajax.php
  • /wp-content/plugins/advanced-custom-fields/wp-ajax.php
  • /wp-content/plugins/ajax-thumbnail-rebuild/wp-ajax.php
  • /wp-content/plugins/bb_press/wp-ajax.php
  • /wp-content/plugins/bb_press1/wp-ajax.php
  • /wp-content/plugins/bb_press2/wp-ajax.php
  • /wp-content/plugins/oa-social-login/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made-1/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made-2/wp-ajax.php
  • /wp-content/themes/sketch/404.php
  • /wp-content/themes/twentyeleven/wp-ajax.php
  • /wp-content/themes/twentyfourteen/author.php
  • /wp-content/themes/twentyfourteen/wp-ajax.php
  • /wp-content/themes/twentyten/wp-ajax.php
  • /wp-content/themes/twentythirteen/wp-ajax.php
  • /wp-content/themes/twentytwelve/author.php
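
A file-system check for the names listed above, as an added example that is not Wordfence's scanner or code from the original post. The function name and the suffix pattern for numbered variants (bb_press1, wp-db-ajax-made-2) are assumptions; author.php and 404.php are deliberately not matched by name, because legitimate themes ship files with those names and only a content comparison can tell them apart.

```python
import os
import re

# Names taken from the lists on this page. Numbered variants are matched by
# the optional "-" and digits rather than listed one by one (assumption).
FAKE_PLUGIN_RE = re.compile(r"^(wp-db-ajax-made|bb_press)-?\d*$|^Akismet3$")
FAKE_THEMES = {"sketch"}
BACKDOOR_NAME = "wp-ajax.php"


def scan_wp_content(wp_content):
    """Return sorted (relative_path, reason) findings under a wp-content directory."""
    findings = []
    for kind in ("plugins", "themes"):
        base = os.path.join(wp_content, kind)
        if not os.path.isdir(base):
            continue
        for package in sorted(os.listdir(base)):
            pkg_dir = os.path.join(base, package)
            if not os.path.isdir(pkg_dir):
                continue
            rel_pkg = f"{kind}/{package}"
            if kind == "plugins" and FAKE_PLUGIN_RE.match(package):
                findings.append((rel_pkg, "directory name matches a fake plugin"))
            if kind == "themes" and package in FAKE_THEMES:
                findings.append((rel_pkg, "directory name matches a fake theme, verify origin"))
            # The backdoor is also dropped into real plugin and theme
            # directories, so every package is walked, not only the fake ones.
            for root, _dirs, files in os.walk(pkg_dir):
                for name in files:
                    if name.lower() == BACKDOOR_NAME:
                        rel = os.path.relpath(os.path.join(root, name), wp_content)
                        findings.append((rel.replace(os.sep, "/"), "backdoor filename wp-ajax.php"))
    return sorted(findings)
```

Call it as `scan_wp_content("/path/to/site/wp-content")`; an empty result only rules out these names, not a backdoor stored under another filename.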

How CK's Operators Profit from Hacking Your Site

Once CK has infected your site, we have seen the operators engage in a range of malicious activity. One of the ways these operators profit is by injecting their own Google ad banners into your site header files.

This causes your website to serve Google ads associated with the CK operator’s Google account. They profit from your website serving Google ads.

The CK operators inject their own Google ad code into your site header by using the WSO shell they installed. They can use the shell to execute any PHP code on your website. To install their ads, they execute the following code via their shell: (We have redacted sensitive content)

The code above searches for files called header.php or header-homepage.php. It looks for the closing </head> tag in those files. It adds the Google ad banner code just before your site’s closing </head> tag.

This causes your site to serve their own Google ads, allowing them to profit from the traffic that is visiting your website.
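
One way to audit for this injection, as an added example that is not code from the original post: it reads each theme's header.php or header-homepage.php, looks only at the part before the closing </head> tag, and reports AdSense publisher ids that are not on the site owner's allowlist. The `ca-pub-` id pattern, the function name and the allowlist parameter are assumptions of this sketch.

```python
import os
import re

HEADER_FILES = {"header.php", "header-homepage.php"}  # filenames named in the post
PUB_ID_RE = re.compile(r"ca-pub-\d+")                 # AdSense publisher id (assumed format)
HEAD_CLOSE_RE = re.compile(r"</head>", re.IGNORECASE)


def audit_theme_headers(themes_dir, allowed_pub_ids=()):
    """Return {relative_path: [unknown publisher ids]} for header templates
    whose <head> section carries ad publisher ids not on the allowlist."""
    allowed = set(allowed_pub_ids)
    report = {}
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if name not in HEADER_FILES:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # The injection lands just before </head>, so only that part is
            # inspected; a template without the tag is checked in full.
            m = HEAD_CLOSE_RE.search(text)
            head = text[:m.start()] if m else text
            unknown = sorted(set(PUB_ID_RE.findall(head)) - allowed)
            if unknown:
                rel = os.path.relpath(path, themes_dir).replace(os.sep, "/")
                report[rel] = unknown
    return report
```

Pass your own publisher id (if the site runs ads at all) in `allowed_pub_ids`; any id left in the report is ad code someone else put in the header.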

We have seen CK's operators engage in other malicious activity, like installing additional administrative code to help them control hacked sites and installing code that redirects a hacked website's traffic to other websites that they control.

How to Protect Yourself from CK

CK's owners need WordPress administrator logins to be able to install their malicious code. To get them, they need to engage in brute force attacks or find another way to steal an administrator username and password.

Here are a few things you can do to keep your admin account safe:

  • Enable Wordfence on your website. It provides excellent brute force protection in the free and paid version.
  • If you are a Premium Wordfence user, enable two factor authentication, also called cellphone sign-in.
  • Ensure you use a long and complex password: 12 characters or more, with a random combination of upper and lower-case letters, numbers and symbols.
  • Make sure the Wordfence Firewall is enabled to block exploits that can compromise your admin account.
  • Don’t use the same password on other WordPress websites or accounts. If one of your sites is hacked this can result in the others getting hacked too.

The Wordfence malware scan detects all of the indicators of compromise that CK leaves behind. If you are worried that you may have been hacked, simply run a Wordfence scan to check your site status. Wordfence also does an excellent job of preventing any compromise from happening in the first place.

What to do if you have been hacked

At Wordfence we have an excellent team of security analysts who respond to incidents many times every day. If you have been hacked, our team can determine why, close any security holes, clean the hack and get you back up and running within a very short time.

Our site cleaning service includes blacklist removal, a 1 year Wordfence Premium license and we provide an in-depth report to help you understand what happened and how to prevent a hack in future.

Wordfence site cleaning is also very reasonably priced at $149 with no surprise fees and we provide excellent customer service.

Stay Safe

I’d like to encourage you to share this post with the community to create awareness and help other site administrators avoid a hack. If you have any questions or comments, please post them below and as always I’ll be around to reply when needed. Have a great week and stay safe!

Mark Maunder – Wordfence Founder/CEO.

Credits: Thanks to Senior Wordfence Security Analyst Brad Haas for doing the forensic analysis in this post. Additional thanks to members of our site cleaning team for their help. Thanks to Dan Moen for editing. 


29 Comments on "Analysis: Methods and Monetization of a Botnet Attacking WordPress"

Brian January 24, 2017 at 9:34 am • Reply

Another brilliant post Mark and Wordfence team.

Thank you guys, as one of the hardest things is explaining to clients the effects of Botnet attacks and the need for Wordfence Premium security.

Great work!

Brian

Bob Roberts January 24, 2017 at 9:39 am • Reply

Google ads? I'd think that would leave an easy to follow money trail...

Safety Guy January 24, 2017 at 9:41 am • Reply

There is a wild story about tracking down DDoS and botnet owners on Brian Krebs's blog. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Hugo Ravn January 24, 2017 at 10:55 am • Reply

Does the appearance of one of these files:
/httpdocs/wp-content/themes/twentythirteen/author.php
/httpdocs/wp-content/themes/twentyfourteen/author.php
etc.
- mean that our site is infected?

Alfonso January 24, 2017 at 2:31 pm • Reply

Not necessarily, Hugo. Both themes have that file on their root folder, so they may be legitimate. A Wordfence scan should show if they have any difference with the original ones from the WordPress repository.

fastasleep January 24, 2017 at 3:16 pm • Reply

No, author.php is a template for author archives so their presence does not mean anything, but take a look at the contents.

I just took down an old site that was on a server that was participating in a botnet, and a bunch of the WP template files have a chunk of code injected in the first line — in many files within various themes on the site. Possibly elsewhere, dunno — but this site needed to come down anyway. :)

John D January 24, 2017 at 4:45 pm • Reply

@Hugo Ravn: TwentyFourteen actually has an author.php, so I assume TwentyThirteen is the same way. It looks like this file does not exist in TwentyFifteen.

You can turn on a check for changed files in WordFence. I recommend using it and checking from time to time to ensure someone or something hasn't changed files. It often has false positives right after a plugin or theme update, but they are usually easy enough to confirm.

Gwyneth Llewelyn January 24, 2017 at 12:16 pm • Reply

For the past weeks I've been seeing a lot of brute-force attempts to enter the backoffice of pretty much all my WordPress sites, even the very obscure ones which Google hardly lists, which makes me wonder where they get a clue that such sites are actually active — some have subdomains, and they hit both the main site (e.g. domain.tld) which would probably be easy to guess, but also obscurename.domain.tld, which is not linked on the main site, even though it also hosts a WP backend... a mystery to me!

Those brute-force attempts are mostly using the nonexistent logins 'admin' or 'test', like so many similar attempts (it's just that the rate of new attempts has been increasing dramatically), but some of them are a bit more clever, using logins that are part of the domain name or even the subdomain name. Even though in my own case such logins don't exist either, it's a much more interesting attack.

Last but not least, some of them have been able to successfully penetrate into a few sites, using a login/password clearly stolen from Yahoo (see your previous article) — I have immediately logged in, did a Wordfence scan, and deleted/corrected whatever your scan found to be incorrect. In some cases I was so quick that I suspect that they hadn't made any manual installation yet — since Wordfence didn't find anything suspect, and, after changing the password, they have not tried further attempts on that particular site.

I'm now going to do a more thorough, manual check on all the WordPress files for the many sites, looking for the files you've listed above, and see if any are not in the right place. Sure, all the sites run WordFence, so I'm pretty much confident that nothing is wrong, but it's better to be safe than sorry!

Thanks for keeping us posted!

Mark Maunder January 25, 2017 at 12:06 am • Reply

Interesting, thanks for sharing Gwyneth.

Scott N January 24, 2017 at 12:41 pm • Reply

Hi Mark. Super article -- thank you for sharing! I realize it would be beyond the scope of cleaning up a site, but do you look for the Google Ad Sense account number and report that to Google? I would think they would immediately suspend the account and not do any further payouts, which might hurt the scumbags just a little.

- Scott

Mark Maunder January 25, 2017 at 12:07 am • Reply

We have not taken that action at this time. However I'll chat to our senior staff and we'll consider doing this. Thanks.

Jason G January 24, 2017 at 1:00 pm • Reply

I would be curious to know if most hacked sites are not creating very strong username / password combinations. It would seem that if you are using strong usernames and passwords, CK Operators would not be getting in often (if at all). Though, I also think it is very smart to use two factor authentication if you can.

StanG January 24, 2017 at 3:09 pm • Reply

Has Google been alerted of the fraudulent Adsense accounts so that they can stop the payment and cancel the account?

Mark Maunder January 25, 2017 at 12:08 am • Reply

Will see what we can do Stan. I replied similarly to another commenter.

Mark.

Lee January 24, 2017 at 6:34 pm • Reply

Recently seen an article regarding passwords. Someone said the use of numbers, letters etc. can be easily brute-force hacked. They advised that a set of words such as "MonkeyWallpapperPlasticShopping" would be more effective. Would you say this was a better method of creating a password? Apparently it's harder to hack. What does Wordfence.com think?

Mark Maunder January 25, 2017 at 12:11 am • Reply

Hi Lee. Sounds like they don't have a clue. More characters in the character set increases password strength. A longer password increases password strength. And finally the more random the password, the stronger it is. If you combine these, you get a long password with a wide range of characters (lowercase, uppercase, numbers, symbols) that is as random as possible - in other words, no words included.

Mark.

Philip I. February 5, 2017 at 1:12 am • Reply

One method I've heard mentioned is to create a word phrase in your head consisting of things you can remember. For example the password iLmW&K100bp!

Translates in memory to: i Love my Wife & Kids 100 billion parsecs! I capitalize on Love, Wife and Kids, simple to remember but not so easy to hack....just yet.

Philip I. February 5, 2017 at 1:17 am • Reply

I should add that the sentence should be very random, i.e. an ode to smelly socks or something impossible to guess, so that even someone that knows you would be stumped.

Sophisticated software can now scan your publicly accessible social profiles to suggest password phrases based on your likes such as favorite sports teams, family member and pet names. The world is constantly challenging us.

Roland January 24, 2017 at 10:31 pm • Reply

I've installed a separate Google Authenticator plugin on just about all sites I manage. That keeps unwanted 'guests' out.

Wouldn't it help if you could set which IP-addresses are allowed to use the dashboard/admin area and access sensitive files/folders, such as uploading files, adding and changing themes and plugins?

Mark Maunder January 25, 2017 at 12:11 am • Reply

It would, however you'll end up locking yourself out when your dynamic IP changes.

Mark.

Roland January 25, 2017 at 1:55 pm • Reply

Hi Mark, since I'm on static IP addresses both at work and at home, I think I'm going to look into setting up this kind of defense. If it can be done using extra rules in the htaccess file, it'd allow for access if my IP addresses do change by ftp-ing onto the server. Then the server/ftp would be the only 'weak link...

Bruce January 25, 2017 at 3:26 am • Reply

Would it be an effective strategy to block the network addresses that you've listed?

Mark Maunder January 25, 2017 at 6:48 am • Reply

You can, but I would instead rely on the firewall ruleset we have along with other protection mechanisms Wordfence provides that protect you from attacks originating from any IP address.

oka January 25, 2017 at 7:04 am • Reply

thank you

Katherine January 25, 2017 at 7:49 am • Reply

I have had to go to great lengths to stop the bots. I changed the login of wp-admin to something else, turned on two-factor and have a security plugin that logs IP attempts and shuts them down with an "admin" try. The changing of the login address was the ticket.

Robert January 26, 2017 at 3:04 am • Reply

Good post, and thanks.

IMHO, two-factor authentication is the best option for ensuring brute-force attacks fail. There are some murmurings of adding WP's own 2FA system to Core at some point.

However, it's not always practical to enforce 2FA for all users of a site. A good alternative is to use a reCAPTCHA in combination with a Limit Login Attempts plugin. This not only causes bots to fail (using Google's excellent reCAPTCHA technology) but blacklists their IPs automagically after a certain number of failed attempts, conserving server resources. And, on the user side, they typically just have to check a box confirming that they are not a robot to get it. For me, that's a good tradeoff between security and convenience.

Full disclosure: I thought Google's reCAPTCHA was such a good idea, I wrote one of the more popular reCAPTCHA plugins for WP, since I wanted this functionality for myself in a user-friendly (i.e. won't lock you out of your site) kind of way.

John Wallett January 26, 2017 at 4:34 am • Reply

Similar sounding hack put over 6000 temp files into wp-includes/images/cache/ folder, each a set of spammy links to assorted product sites. Seems to have stolen WordPress admin password and then inserted small backdoor into a plugin (in this case Menubar). A Wordfence scan spotted the numerous temp files but it took ages to find the backdoor. We had to remove the offending .tmp files manually in batches of 500 as FTP tool timed out when we tried to delete the folder they were in. Keep up the great work Wordfence!!

PS We have download copy of the backdoor if that is of any interest?

Neil Stollznow January 29, 2017 at 4:40 pm • Reply

The often overlooked security feature to defeat brute force attacks is to make sure that the login names for Admin are not obvious. One of the great features about WordFence is that you can see the attacks and they use names like admin, site URL or part of it, or names of people who post on the site. Thanks to WordFence I have built up a list of these and automatically block anyone who uses standard admin passwords.

Thanks guys!

Roger Davies March 3, 2017 at 2:52 am • Reply

My immediate thoughts are, like others have commented, AdSense is notoriously difficult to get accepted into and requires proper verification, so therefore the culprits are easily traceable or the effects of their activities easy to curtail.

Even if 'it's not your job' to report them to Google, I would have thought Google would be beating a path to your door and even be willing to pay you for that information, as it ought to yield a return on investment for them.

To me not doing anything about this is akin to seeing a car hit and run and then not passing on the license plate to anyone(google) or the cops(google) not asking you for the license plate when they know you have a record of it....
