To avoid being locked out after too many password attempts, the attackers use a different IP address each time. If they are successful, the attackers open a backdoor that lets them control the site, even if the user changes the password.
Web-hosting company HostGator said symptoms that a site has been compromised are a very slow backend or an inability to log in. "In some instances your site could even intermittently go down for short periods," the company said in a blog post.
Sign up for CIO Asia eNewsletters.