WordPress/Joomla CMS brute-force attacks (more than 25k sites)

It came to our notice today that a targeted brute-force attack is being run against WordPress, Joomla, Drupal and other CMS-based websites. The list of attacked hosts contains more than 25,000 websites, and since the copy we have starts at the letter "m" and continues from there, it appears to be only part of a larger document.

The attack is launched from compromised Windows systems, onto which the following files are uploaded (directory listing taken from a Greek-locale system: πμ = AM, μμ = PM, and sizes use "." as the thousands separator):

30/03/2012  08:57 πµ           624.640 ctfmon.exe
25/09/2012  03:13 µµ                 0 good.txt
21/07/2012  12:50 µµ                 5 login.txt
21/07/2012  12:50 µµ            38.541 pass.txt
21/09/2012  07:11 πµ           674.006 sits.txt

The file named ctfmon.exe, which carries the WordPress icon (and borrows the name of the legitimate Windows ctfmon.exe input-method loader, so it blends in with a casual look at the process list), is actually CMS bruteforcer v1.3. good.txt holds the valid credentials found by the brute-force engine, pass.txt is a standard dictionary list of the kind used in password cracking, and sits.txt is the list of target websites.
A screenshot of the application is shown below.

If your website appears in the list, start checking your web server logs for the attacking hosts. A dictionary attack of this kind shows up as a burst of POST requests to the login endpoint (wp-login.php for WordPress, administrator/index.php for Joomla, user/login for Drupal) from the same source address within a short period; a successful guess is the request in that run whose response differs from the failed ones (on WordPress, a 302 redirect to wp-admin instead of the 200 that re-displays the login form).
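The log check described above, as an added example that is not part of the original post: it scans Apache/Nginx combined-format access logs for POSTs to the standard login endpoints, keeps a sliding per-IP window, and flags any source that reaches a threshold of attempts inside that window. The threshold, window and the TEST-NET addresses in the sample lines are assumptions; the sample log lines are constructed, not real traffic, and the code assumes lines arrive in chronological order, as they do in a normal access log.

```python
"""Flag brute-force login attempts in combined-format web server access logs.

Added example, not code from the original post. Assumptions: logs are in
Apache "combined" format and in chronological order; the threshold, window
and sample addresses below are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login endpoints of the CMSes named in the post.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login")

# Apache "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def is_login_post(rec):
    return rec["method"] == "POST" and rec["path"].endswith(LOGIN_PATHS)


def find_bruteforcers(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": total login POSTs,
                    "burst": most login POSTs seen inside one window,
                    "possible_success": a 3xx answered a POST after the burst began}}
    for every source IP that reaches `threshold` login POSTs within `window`.
    """
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still in window
    totals = defaultdict(int)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        ip = rec["ip"]
        totals[ip] += 1
        q = recent[ip]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(
                ip, {"attempts": 0, "burst": 0, "possible_success": False})
            entry["burst"] = max(entry["burst"], len(q))
            # WordPress answers a failed wp-login.php POST with 200 (form shown
            # again) and a successful one with a 302 to wp-admin, so a 3xx at the
            # end of a run of 200s deserves a manual look. Other CMSes use other
            # status patterns; treat this flag as a hint, not a verdict.
            if rec["status"].startswith("3"):
                entry["possible_success"] = True
    for ip, entry in flagged.items():
        entry["attempts"] = totals[ip]
    return flagged


def constructed_sample_log():
    """Constructed sample lines (not real traffic) in Apache combined format."""
    t0 = datetime(2012, 9, 25, 3, 13, 0)  # arbitrary base time
    events = [(0, "203.0.113.5", "GET", "/", 200)]          # ordinary visitor
    for i in range(12):                                      # 11 failures, then a 302
        events.append((1 + 2 * i, "198.51.100.23", "POST",
                       "/wp-login.php", 302 if i == 11 else 200))
    for i in range(3):                                       # three Joomla attempts
        events.append((5 + 10 * i, "192.0.2.77", "POST",
                       "/administrator/index.php", 303))
    lines = []
    for offset, ip, method, path, status in sorted(events):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S") + " +0300"
        lines.append(f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 '
                     f'"-" "Mozilla/4.0 (compatible; MSIE 6.0)"')
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforcers(constructed_sample_log()).items():
        print(ip, info)
```

On a real server, feed it the access log with `find_bruteforcers(open("/var/log/apache2/access.log"))`; the tool described in this post cycles through a dictionary of tens of thousands of passwords, so even a much higher threshold than the default of 10 per minute will catch it, while the lower default also picks up slower runs.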




  1. osman  April 7, 2013


