Web Content Management Systems (WCMSs) provide simple tools that enable users with little knowledge of programming languages and web design to manage web content. WCMSs have become extremely popular in the last decade. WordPress, with more than 18M websites worldwide, is the most prominent WCMS. It is because of its popularity that this and other well-known WCMSs have been systematically attacked over the past years by different threat actors seeking disposable infrastructure for their attacks. Brute-force attacks are one of the most common types of attacks against WCMSs. The goal of such an attack is to guess a valid user name and password in order to access the WCMS administration panel. Attackers especially take advantage of users choosing weak credentials. Successfully brute-forced websites are typically used for hosting C&Cs, scams, and drive-by attacks to spread malware. This paper presents a historical overview and the current state of WCMS brute-force attacks, with a focus on the botnets and techniques used. We present a case study of Sathurbot, a modular HTTP-based botnet. Finally, we discuss detection methods to identify this type of attack.
The Journal on Cybercrime & Digital Investigations, Vol 3 No 1 (2017): Botconf 2017