Back in September 2014 published a critical vulnerability in the popular plugins for Wordpress Slider Revolution, but to this day we meet a lot of sites exposed the vulnerability. 

The vulnerability allows, with absolutely no rights on your site, download wp-config.php file to your site, which contains your data to access the database. With these approaches, an attacker can easily gain control over your site. Vulnerability affects all versions of the plug-in to version 4.1.4. The situation is complicated by the fact that this plugin is not free, it cost $ 18, and so many people from CIS countries use on their websites older versions downloaded from free resources, subject to this vulnerability because they do not have access to updates.

The company Sektion Eins was found a critical vulnerability, which affects all versions of Drupal 7 branch. It allows you to execute arbitrary SQL-query the database Drupal without any rights in the system. Thus, for example, it is possible with absolutely no rights on your website, create a special request, which will create a new administrator or change the current password. The danger is defined as the highest. October 15 came kernel upgrade to version 7.32, which addresses the vulnerability. Developers are strongly advised to update the kernel immediately.

At the moment, already compromised a lot of sites for this CMS and break-ins continue.

June 24, 2014 was know about another critical vulnerability in the script timthumb.php, which is used in a huge number of themes and plugins popular engine wordpress. We would like to note that this script is used not only in wordpress, but also in many other CMS, as well as their extensions.

Vulnerability affects all versions of absolutely timthumb, including 2.8.13, as well as the original project WordThumb. The vulnerability allows attackers to run malicious code execution without having access to your site.

Just yesterday, was made public a critical vulnerability in OpenSSL.

The vulnerability is related to the lack of adequate bounds checking in one of the procedures expansion Heartbeat (RFC6520) protocol TLS / DTLS. Due to the small mistakes anyone can gain access to the computer's memory, whose communication "protected" vulnerable version of OpenSSL. In particular, the attacker gains access to the private key, user name and password and all content to be transmitted in encrypted form. When this leaves no traces of penetration into the system.

Of such an attack, we have already written, but in recent days they have intensified with incredible force. The essence of the attack is that the bots of passwords to the admin panel of the website. It is dangerous not only because the password sooner or later they still can pick up, but the fact that it was created a pretty decent load on the server.

Since the attacks in recent days have purchased just incredible strength, the server hosts many simply can not withstand such loads exorbitant. Hosters naturally try to cope with this scourge, but it is they do not always work, as the number of bots is huge and firewalls can not cope with so many locks. Therefore, some of them, as a temporary solution to block requests for files wp-login.php to wordpress and administrator / index.php for Joomla.