ChickenKiev Botnet

Wordfence have posted a useful article on a recent botnet that is doing the rounds on WordPress websites.

Full article

Botnet Profile: ChickenKiev
About the botnet: Vital Statistics

Number of attack bots: 83
Location: 35 bots in Ukraine, 10 in USA, 8 in UK; includes several other countries.
Networks most bots are on: 213.231.44.0/22, 91.210.144.0/22 and 109.200.224.0/19
Time active: at least 2 months, starting 24 November until present
Responsible for: a large number of hack attempts and compromised websites.

How the CK Botnet Works

The owner of the CK botnet is feeding CK stolen WordPress administrator credentials which the botnet uses to sign into WordPress websites and perform its malicious activity. The credentials are probably acquired through brute force attacks. The attacker may have performed the attacks themselves or has managed to acquire a database of compromised credentials from someone else.


At the start of its attack, CK logs into WordPress websites and uses the WordPress theme or plugin upload tools to install fake themes or plugins containing malicious code. Once it has the base malicious payload installed, CK installs additional backdoors and code that uses the website for malicious purposes.

The access log below shows a typical series of requests where CK is doing its initial infection of the website. This is a real access log from a website that was infected by CK which we repaired. We have redacted sensitive information to protect our site cleaning customer’s privacy.

How to Protect Yourself from CK

CK's owners need to get WordPress administrator logins to be able to install their malicious code. To do this they need to engage in brute force attacks or find another way to steal an administrator username and password.

Here are a few things you can do to keep your admin account safe:

    • Enable Wordfence on your website. It provides excellent brute force protection in the free and paid version.
    • If you are a Premium Wordfence user, enable two-factor authentication, also called cellphone sign-in.
    • Ensure you use a long and complex password: 12 characters or more with a random combination of letters, numbers and symbols. Include upper and lower-case letters.
    • Make sure the Wordfence Firewall is enabled to block exploits that can compromise your admin account.
    • Don't use the same password on other WordPress websites or accounts. If one of your sites is hacked this can result in the others getting hacked too.
The Wordfence malware scan detects all of the indicators of compromise that CK leaves behind. If you are worried that you may have been hacked, simply run a Wordfence scan to check your site status. Wordfence also does an excellent job of preventing any compromise from happening in the first place.
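An added detection example, not code from the Wordfence article or from anyone in this thread: it walks constructed access-log lines and flags an IP that logs in and then posts to the WordPress theme/plugin uploader within a short window, the sequence the article describes, tagging hits that fall in the network ranges the article lists. It assumes the standard Apache/nginx access-log format, that a successful POST to wp-login.php is answered with a 302 redirect, and WordPress's update.php?action=upload-plugin / upload-theme endpoints; the log lines and the 10-minute window are made up for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta
# Networks the article says most CK bots are on.
CK_NETWORKS = [ipaddress.ip_network(n) for n in
               ("213.231.44.0/22", "91.210.144.0/22", "109.200.224.0/19")]
# Common/combined log format prefix: ip ident user [time] "method path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not the redacted log from the article).
SAMPLE_LOG = """\
213.231.45.17 - - [28/Nov/2016:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
213.231.45.17 - - [28/Nov/2016:03:12:30 +0000] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 2300
198.51.100.7 - - [28/Nov/2016:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [28/Nov/2016:09:30:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1800
203.0.113.5 - - [28/Nov/2016:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
"""

def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def in_ck_networks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CK_NETWORKS)

def find_login_then_upload(log_text, window=timedelta(minutes=10)):
    """Flag IPs whose successful login (POST /wp-login.php answered with a 302
    redirect) is followed within `window` by a POST to the theme/plugin uploader."""
    last_login = {}  # ip -> time of the most recent successful login
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path.startswith("/wp-login.php") and status == 302:
            last_login[ip] = when
        elif method == "POST" and path.startswith("/wp-admin/update.php?action=upload-"):
            login = last_login.get(ip)
            if login is not None and when - login <= window:
                alerts.append({"ip": ip, "upload": path.split("action=")[1],
                               "seconds_after_login": int((when - login).total_seconds()),
                               "known_ck_network": in_ck_networks(ip)})
    return alerts
```

Running `find_login_then_upload(SAMPLE_LOG)` returns one alert for 213.231.45.17 (upload 29 seconds after login, inside a listed CK range); the 198.51.100.7 upload 90 minutes after its login stays below the threshold and a failed login produces nothing.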
 
Seems like Wordfence are riding this one out for their own purpose$. All you need is a strong password and a plugin that will disable login for x mins after x failed attempts (AIO wp security plugin).

Love hearing about these hacks, but. People get so crafty, it's actually inspirational.
 
I agree it does read a little bit like a sales pitch, but it's always good to keep on top of the latest threats.
 
Anyone have anything against Jetpack? I use a few of its modules including the admin security one on my sites.
 