WordPress, the world’s most popular content management system, is also the world’s most popular target for hackers. Creative hackers have established profitable businesses whose costs are paid by others.
Enterprising hackers have created a new online business that costs them next to nothing. The entrepreneurs at Free-socks.in have hacked into 2700 WordPress servers, taking full control over them, and are using the servers to run their internet service business.
The curious thing is that, as I’m writing this in early July 2019, the service is still live on the net. Security researchers at Netlab had already discovered in May that the servers were infected by Linux.Ngioweb, software that is used to take over web servers.
The business scheme works as follows. Hackers break into a WordPress server. They have quite likely gained admin rights to the WordPress installation, because the server starts running programs that the hackers install on it. The infected servers join an automated botnet that takes commands from the perpetrators. In this case, the hackers use the hijacked servers to provide free and paid proxy services to internet users. The purpose of a proxy service in this context is to hide an internet user’s original IP address.
According to ZDNet, almost half of the 2700 servers that belong to the botnet are located in the US.
The business case for these entrepreneurs is sweet. The owners of the hacked servers pay all the costs, and the hackers reap all the profits.
Netlab recommends that WordPress admins:
Back up the website article database (delete backdoor users such as wp.service.controller.*), reinstall the latest version of WordPress program, enhance user password complexity, enhance WebShell detection capabilities, and disable PHP commands to execute related functions.
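Two items in Netlab's list can be checked mechanically: accounts named like wp.service.controller.* and whether PHP's command-execution functions are disabled. The following Python audit is an added example, not code from Netlab or from this article. It assumes a CSV user export with ID, user_login and roles columns (for example from WP-CLI's `wp user list --fields=ID,user_login,roles --format=csv`) and the text of php.ini; the function list and all sample data are constructed assumptions.

```python
import csv
import io
import re

# Naming pattern Netlab quotes for the backdoor accounts: wp.service.controller.*
BACKDOOR_LOGIN = re.compile(r"^wp\.service\.controller\.", re.IGNORECASE)
# Assumption (not from the article): PHP functions that run OS commands.
EXEC_FUNCTIONS = {"exec", "passthru", "shell_exec", "system", "popen", "proc_open"}

# Constructed sample export; the account names are made up for illustration.
SAMPLE_USERS = """ID,user_login,roles
1,admin,administrator
2,editor.jane,editor
57,wp.service.controller.a1b2c,administrator
58,WP.Service.Controller.zz9,administrator
"""
# Constructed sample php.ini fragment with only partial hardening.
SAMPLE_PHP_INI = """; constructed sample
memory_limit = 128M
disable_functions = exec, system ; partial hardening
"""


def find_backdoor_users(users_csv):
    """Return (ID, login, roles) for every account matching the backdoor pattern."""
    rows = csv.DictReader(io.StringIO(users_csv))
    return [(r["ID"], r["user_login"], r["roles"])
            for r in rows if BACKDOOR_LOGIN.match(r["user_login"].strip())]


def missing_disable_functions(php_ini_text):
    """Return the command-execution functions that php.ini does not disable."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            names = value.strip('" ').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return sorted(EXEC_FUNCTIONS - disabled)


if __name__ == "__main__":
    for user_id, login, roles in find_backdoor_users(SAMPLE_USERS):
        print(f"suspicious account: id={user_id} login={login} roles={roles}")
    print("not disabled in php.ini:", ", ".join(missing_disable_functions(SAMPLE_PHP_INI)))
```

Review any flagged account before deleting it, and take the backup Netlab mentions first, since removing a user can also remove or reassign its content.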
Read on to learn why 90% of the world’s hacked web sites are running on WordPress, and what to do to avoid problems. This article features concrete tips for setting up a WordPress web server in a secure manner.