September 27, 2013

If you run a WordPress Blog on your own web hosting account, read this.


In my previous article I wrote about an ongoing botnet hacking campaign targeting WordPress Blog installations on web servers around the World. Read this excerpt.


There is an ongoing attack targeting /wp-login.php, /admin.php and /administrator/ for at least a month, if not longer. Most are brute force password crack attempts, but others are exploiting vulnerable code in WordPress itself.

In addition to attacks against the WordPress software (web applications [apps] and CMS programs are in reality, "software"), which was very recently updated, I see regular attempts to exploit popular WordPress plug-ins. Some of these plug-in attacks are over a year old, yet they are ongoing to this day. Why is that?

Hackers continue to probe with old exploits targeting WordPress and its plug-ins because these attacks still work: the software is not patched in a timely manner, and the people administering the blogs do not secure them with strong passwords.

According to recently published research by WP White Security, conducted between September 12 - 15, 2013, as many as 73% of the WordPress installations tested were running out-dated, vulnerable versions of the program itself. This research doesn't say anything about out-dated, exploitable plug-ins or weak or default passwords. The WordPress software itself was out-dated on 73% of the web servers tested, just after the release of version 3.6.1. Hopefully, in the 12 days that have passed, more people have upgraded to the current version!

The 73% figure was broken down into percentages based upon the version of WordPress being run. Thirty percent were running the previous release: 3.6.0, which has 5 known vulnerabilities (patched in 3.6.1). Even if all of those webmasters upgrade to version 3.6.1, that still leaves almost two thirds running older versions, as far back as version 2.0! I counted 98 known vulnerabilities present in WordPress versions 3.2.1 through 3.6.0, and over 100 CVE vulnerabilities in previous versions 2.0 through 3.1.

If you operate your own WordPress Blog, whether hosted on a shared, VPS, or dedicated server, you are totally responsible for keeping the program and its plug-ins secured and updated.

The latest version is always available for download from WordPress.org. I suggest that you sign up for email alerts when new versions are released and that you install them as soon as humanly possible. Hackers routinely test for exploitable vulnerabilities and share them among the hacking community.

There is a very interesting article on Naked Security about these latest WordPress statistics, including the ten most important steps you can take to secure a WordPress installation. If you host your own WordPress Blog, please read it!

Maybe you installed WordPress with a couple of mouse-clicks into your shared hosting account, or inherited a website that somebody else built, but you know nothing about updating web scripts and applications. If this updating stuff is too much for you to keep up with, consider having your blog hosted at WordPress.com, for free. They take care of all updates and patching for you. All you have to do is create great content, instead of fending off botnet attacks from WordPress hackers.


September 15, 2013

Spam and scam roundup for week ending Sept 15, 2013


For the past few weeks, email spam categories have remained fairly constant, with a steady flow of spam promoting weight loss pills, pump and dump scams and several malware threats, in attachments, or via links.

Changes over the past week or two include a shift in the domain names used to promote illicit weight loss drugs. Originally, this type of diet spam had domain names that included the words green coffee in the prefix and .PL (Poland) as the TLD extension. After a while, the domain extensions were changed to other country codes, such as .NL (Netherlands), .EU, and finally, .RU (Russia). The scams are all part of an underground pharmacy program run out of Russia, with unscrupulous affiliates who rent the use of botnets to spam out their affiliate-encoded links to unsuspecting recipients around the World. It is no surprise to me that all of the domains now being used in email spam links for weight loss solutions are in fact .RU, Russian domain names.

While the spam templates and wording may change from week to week, the landing pages do not change. All are the exact same affiliate landing page for green coffee bean extract, a potentially harmful substance that causes a lot of people a lot of misery (not to mention that they are out the money to Russian mobsters).

How to spot a typical Russian domain link in a spam message

Here is a sample of the spoofed sender, subject, and links currently being used to promote illicit green coffee beans:

From: "OzMagazine Daily"
Subject: You Can Do It! Start Today!

Try it today! h**p://6c3f.REMOVED.ru/?5EEA2761DC

I deactivated the http part and removed the actual domain name (which changes daily), but left the sub-domain in place. This is the new structure the spammers are employing. They present a link in plain text or HTML code, with a sub-domain, a domain, then a .RU extension, a forward slash, then their affiliate code as a "query string." This earns them commissions whenever they trick a recipient into purchasing this worthless product.
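As an added illustration (not code from the original post), here is a small Python filter that pulls links out of a message body and flags the ones that follow the structure just described: a short sub-domain, a domain, a .RU extension, a forward slash, and a bare affiliate code as the query string. The message text and the .ru domain in it are constructed for this example; the "short hex-looking sub-domain" test is a heuristic based on the single sample above, so treat the result as a hint, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message modelled on the spam quoted above. The domain is
# made up; only the sub-domain label and affiliate code mirror the sample.
SAMPLE_MESSAGE = """\
From: "OzMagazine Daily" <news@example.com>
Subject: You Can Do It! Start Today!

Try it today! http://6c3f.constructed-spam-domain.ru/?5EEA2761DC
Manage your subscription: https://www.example.com/unsubscribe?id=42
"""

# Matches live links and the "h**p://" deactivated form used when quoting spam.
URL_RE = re.compile(r'\bh[t*]{2}ps?://\S+', re.IGNORECASE)


def matches_spam_structure(raw_link):
    """Return (flagged, reasons) for one link.

    Flagged only when all three indicators from the post are present:
    .ru TLD, a sub-domain in front of the domain, and a query string that is
    a bare affiliate code (no key=value pairs).
    """
    # Re-activate a deactivated "h**p://" link so urlsplit can parse it.
    url = re.sub(r'^h[t*]{2}p', 'http', raw_link, flags=re.IGNORECASE)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reasons = []

    if labels[-1] == "ru":
        reasons.append(".ru top-level domain")
    # Heuristic (assumption): the sample sub-domain "6c3f" is a short hex token.
    if len(labels) >= 3 and re.fullmatch(r'[0-9a-f]{3,8}', labels[0]):
        reasons.append(f"short hex-looking sub-domain '{labels[0]}'")
    # The affiliate code sits alone after "/?", with no "=" in it.
    if parts.query and "=" not in parts.query and re.fullmatch(r'[0-9A-Fa-f]{6,}', parts.query):
        reasons.append("bare hex affiliate code as query string")

    return len(reasons) == 3, reasons


def scan_message(text):
    """Return a list of (link, reasons) for every link in text that is flagged."""
    hits = []
    for match in URL_RE.finditer(text):
        link = match.group(0).rstrip('.,;:)>"\'')  # drop trailing punctuation
        flagged, reasons = matches_spam_structure(link)
        if flagged:
            hits.append((link, reasons))
    return hits


if __name__ == "__main__":
    for link, reasons in scan_message(SAMPLE_MESSAGE):
        print(link, "->", "; ".join(reasons))
```

A mail filter would typically treat a hit as one signal among several (sender reputation, template matching, blocklists) rather than rejecting on this structure alone, since a legitimate .ru site with a hexadecimal sub-domain is unusual but not impossible.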

It is worth noting that .RU domain extensions are only assigned to Russian registrants, who have physical addresses and identities in Russia. I can't buy and register a Russian domain, unless I get someone who lives in Russia to put it in his or her name. The cybercrime and fake pharmacy underground is alive and well in Russia!

WordPress Attacks

While this is not part of the email spam topic above, it is very important to know if you operate a website that has a WordPress Blog. There is an ongoing attack targeting /wp-login.php, /admin.php and /administrator/ for at least a month, if not longer.
Most are brute force password crack attempts, but others are exploiting vulnerable code in WordPress itself. The IP addresses are all over the map and represent personal home and business computers, as well as compromised websites. The purpose of the attacks is to find a website that is running a vulnerable version of WordPress and exploit that vulnerability, or crack the password, to place malicious scripts on the index pages. The scripts may lead to exploit kits that download botnet remote control programs onto victims' PCs. Or, they may load a banking Trojan, or fake anti-virus, or even a fake Police notification that locks the user out of the computer unless they pay a "fine."
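As an added example (not code from the original post), here is a small Python checker a site owner could run over their own web server access log to see whether the pattern described above is hitting their site: bursts of POSTs to /wp-login.php from one address, and requests for /admin.php or /administrator/. The log lines are constructed; the code assumes the Apache combined log format and that WordPress answers a failed login with HTTP 200 (the form is redrawn) and a successful one with a 302 redirect to the dashboard. It also assumes that /admin.php and /administrator/ do not exist on a stock WordPress site, so any request for them is a scanner probe.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Apache combined format). IPs and timestamps are
# made up for this example: one address hammers wp-login.php, another probes
# paths that WordPress does not serve, a third logs in normally.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Sep/2013:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2013:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2013:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2013:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2013:03:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2013:03:12:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2013:03:15:44 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2013:03:15:45 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Sep/2013:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Sep/2013:03:20:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.56 - - [14/Sep/2013:03:21:00 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths named in the post. The first is the real WordPress login; the other two
# are assumed not to exist on a stock install, so any hit is a probe.
PROBE_PATHS = ("/admin.php", "/administrator/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_suspicious_ips(lines, max_failures=5, window_seconds=60):
    """Return {ip: [reasons]} for addresses that look like crackers or scanners.

    An address is reported when it produces max_failures or more failed login
    POSTs inside any window_seconds-long window, or requests a probe path.
    """
    failed_logins = defaultdict(list)
    probes = defaultdict(set)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"] in PROBE_PATHS:
            probes[ev["ip"]].add(ev["path"])
        elif ev["path"] == "/wp-login.php" and ev["method"] == "POST" and ev["status"] == 200:
            failed_logins[ev["ip"]].append(ev["ts"])

    findings = {}
    for ip, stamps in failed_logins.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_failures:
                findings.setdefault(ip, []).append(
                    f"{max_failures}+ failed wp-login.php POSTs within {window_seconds}s")
                break
    for ip, paths in probes.items():
        findings.setdefault(ip, []).append("probed " + ", ".join(sorted(paths)))
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious_ips(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

In the constructed log the first address is reported for five failed attempts in five seconds, and its sixth request is a 302, which is exactly the case worth reacting to: the brute force succeeded. The thresholds are parameters because a busy multi-user site will see occasional mistyped passwords; tune them against your own normal traffic before feeding the result to a firewall or fail2ban rule.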

Since the attacks are coming from more personal computers than web servers, I urge my readers to scan their computers with an up to date anti-malware program, or legitimate online virus scanner.*

Website owners and webmasters are responsible for updating any software they install into their hosting accounts. Your web host probably isn't going to do this for you! So, you need to know that WordPress has just released a security update: WordPress version 3.6.1, to plug the most recently revealed vulnerability being exploited via the aforementioned web server attacks. Nobody else is going to upgrade your blog software if you installed it yourself, unless you pay them for this extra service.

This means that your shared hosting account, with 400 customers or more on each server, which offers you one-click installation of a WordPress Blog, is NOT going to update it for you. You gotta do it, Bubba!

Webmasters/website owners who install exploitable scripts, but fail to keep them updated when patches are issued for vulnerabilities, are causing a lot of damage to their visitors' computers, by allowing malware scripts to be installed and persist, despite patches being available from the software maker.

Finally, to fend off password crackers, choose a strong password with mixed-case characters and symbols. Don't make it easy for malicious scripts to hack your WordPress installation!


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type