WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] (New?) Botnet To BruteForce WP? (4 posts)

  1. Eddie - Digital Marketing Consultant
    Member
    Posted 1 year ago #

    A couple days ago, alerted by NewRelic and examining the logs via Loggly, I noticed that 100 different IPs requested /wp-login using the same UserAgent ("Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0").

    Over the course of 1 hour, the attacker tried to bruteforce WP 533 times while managing to be evaded by intrusion protection (in my case, a Web Application Firewall running commercial ModSec rules).

    The attack lasted 60 minutes and came from 100 IPs. This is not a coincidence. Someone has come up with an elaborate WP Bruteforce tool.

    Does anyone have any more information about this type of attack? Is it new only to me?

    For the sake of registration, below are the IPs used in the attack.

    190.114.248.42
    116.71.164.186
    112.198.64.37
    111.91.86.134
    88.236.177.206
    80.99.255.47
    217.118.79.24
    118.172.4.45
    89.146.157.123
    80.94.246.148
    201.234.181.230
    176.43.255.6
    201.240.153.181
    80.29.19.44
    171.101.153.44
    58.8.238.25
    122.169.148.202
    188.247.132.4
    202.126.89.177
    31.214.50.135
    189.225.200.119
    101.51.198.195
    213.74.52.53
    210.187.173.60
    189.253.79.35
    201.141.120.20
    141.136.238.242
    200.87.109.34
    103.5.5.210
    178.89.179.124
    201.173.85.250
    175.142.130.188
    190.90.83.6
    121.52.153.181
    124.121.203.96
    46.255.86.106
    182.52.192.86
    41.105.15.148
    81.213.240.206
    118.172.43.216
    139.228.125.44
    183.87.225.21
    213.139.60.67
    178.89.30.117
    31.176.166.129
    92.99.106.154
    109.127.170.254
    176.197.114.105
    178.89.70.8
    91.209.131.193
    121.58.224.37
    121.1.54.217
    14.97.192.201
    112.198.79.66
    190.26.162.150
    190.233.130.193
    94.242.237.73
    118.173.180.100
    180.183.207.18
    182.6.69.92
    88.235.251.164
    181.54.128.114
    190.216.199.90
    190.234.161.68
    80.99.194.66
    190.158.221.179
    88.245.226.40
    92.44.109.240
    189.245.124.37
    49.248.14.34
    85.97.37.191
    94.137.200.228
    190.131.131.75
    121.54.29.9
    112.203.3.182
    112.203.207.123
    121.54.32.131
    111.93.58.110
    120.28.126.25
    118.100.148.57
    120.28.190.129
    117.212.154.237
    116.75.17.72
    112.200.96.111
    121.54.54.45
    112.208.135.70
    117.222.54.208
    115.240.100.242
    112.204.142.161
    121.54.40.36
    112.203.199.36
    120.28.240.187
    112.205.0.21
    103.16.33.86
    112.205.120.138
    112.206.188.184
    110.44.101.46
    112.205.38.76
    121.54.54.147
    121.1.47.62
  2. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

    This kind of attack has been widespread over the past several weeks - see this post and the new Codex section (linked in the thread):

    http://wordpress.org/support/topic/brute-force-attacks-and-wordpress?replies=2

  3. Eddie - Digital Marketing Consultant
    Member
    Posted 1 year ago #

    Namasté, WPyogi!

  4. carbeck
    Member
    Posted 9 months ago #

    For what it's worth, this still seems to be going on; it was just briefly pausing on my server in October:

    65.172.27.25 - - [01/Nov/2013:18:55:04 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    190.238.225.235 - - [02/Nov/2013:19:45:10 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    84.111.56.35 - - [02/Nov/2013:20:39:07 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    78.247.239.86 - - [02/Nov/2013:20:39:20 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    89.42.253.49 - - [03/Nov/2013:13:19:30 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

    I don't know why my logs only show hits on /admin.php (which doesn't exist), but it's been trying to bruteforce its way into my WordPress site since August with anything between 2 and 12 hits a day (that's a very small rate compared to brute-force attacks I've had earlier, but still). I've been banning access based on "*admin.php" and the UA, since that invariably seems to be "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0".

Topic Closed

This topic has been closed to new replies.

About this Topic