• Resolved crashnet (@crashnet)

    A couple of days ago, alerted by NewRelic and examining the logs via Loggly, I noticed that 100 different IPs requested /wp-login using the same User-Agent (“Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0”).

    Over the course of 1 hour, the attacker tried to brute-force WP 533 times while managing to evade intrusion protection (in my case, a Web Application Firewall running commercial ModSec rules).

    The attack lasted 60 minutes and came from 100 IPs. This is not a coincidence. Someone has come up with an elaborate WP brute-force tool.

    Does anyone have any more information about this type of attack? Is it new only to me?

    For the sake of registration, below are the IPs used in the attack.

    190.114.248.42
    116.71.164.186
    112.198.64.37
    111.91.86.134
    88.236.177.206
    80.99.255.47
    217.118.79.24
    118.172.4.45
    89.146.157.123
    80.94.246.148
    201.234.181.230
    176.43.255.6
    201.240.153.181
    80.29.19.44
    171.101.153.44
    58.8.238.25
    122.169.148.202
    188.247.132.4
    202.126.89.177
    31.214.50.135
    189.225.200.119
    101.51.198.195
    213.74.52.53
    210.187.173.60
    189.253.79.35
    201.141.120.20
    141.136.238.242
    200.87.109.34
    103.5.5.210
    178.89.179.124
    201.173.85.250
    175.142.130.188
    190.90.83.6
    121.52.153.181
    124.121.203.96
    46.255.86.106
    182.52.192.86
    41.105.15.148
    81.213.240.206
    118.172.43.216
    139.228.125.44
    183.87.225.21
    213.139.60.67
    178.89.30.117
    31.176.166.129
    92.99.106.154
    109.127.170.254
    176.197.114.105
    178.89.70.8
    91.209.131.193
    121.58.224.37
    121.1.54.217
    14.97.192.201
    112.198.79.66
    190.26.162.150
    190.233.130.193
    94.242.237.73
    118.173.180.100
    180.183.207.18
    182.6.69.92
    88.235.251.164
    181.54.128.114
    190.216.199.90
    190.234.161.68
    80.99.194.66
    190.158.221.179
    88.245.226.40
    92.44.109.240
    189.245.124.37
    49.248.14.34
    85.97.37.191
    94.137.200.228
    190.131.131.75
    121.54.29.9
    112.203.3.182
    112.203.207.123
    121.54.32.131
    111.93.58.110
    120.28.126.25
    118.100.148.57
    120.28.190.129
    117.212.154.237
    116.75.17.72
    112.200.96.111
    121.54.54.45
    112.208.135.70
    117.222.54.208
    115.240.100.242
    112.204.142.161
    121.54.40.36
    112.203.199.36
    120.28.240.187
    112.205.0.21
    103.16.33.86
    112.205.120.138
    112.206.188.184
    110.44.101.46
    112.205.38.76
    121.54.54.147
    121.1.47.62
Viewing 3 replies - 1 through 3 (of 3 total)
  • This kind of attack has been widespread over the past several weeks – see this post and the new Codex section (linked in the thread):

    http://wordpress.org/support/topic/brute-force-attacks-and-wordpress?replies=2

  • Thread Starter crashnet (@crashnet)

    Namasté, WPyogi!

    For what it’s worth, this still seems to be going on; it was just briefly pausing on my server in October:

    65.172.27.25 - - [01/Nov/2013:18:55:04 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    190.238.225.235 - - [02/Nov/2013:19:45:10 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    84.111.56.35 - - [02/Nov/2013:20:39:07 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    78.247.239.86 - - [02/Nov/2013:20:39:20 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    89.42.253.49 - - [03/Nov/2013:13:19:30 +0000] "GET /admin.php HTTP/1.0" 403 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

    I don’t know why my logs only show hits on /admin.php (which doesn’t exist), but it’s been trying to brute-force its way into my WordPress site since August with anything between 2 and 12 hits a day (that’s a very small rate compared to brute-force attacks I’ve had earlier, but still). I’ve been banning access based on “*admin.php” and the UA, since that invariably seems to be “Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0”.
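    The pattern in the opening post (100 source IPs, one shared User-Agent, one login path, one hour) is exactly what per-IP rate limiting and a stock WAF rule set miss, which is why the OP's ModSec rules did not fire. The following is an added example, not code posted by any participant in this thread: it parses combined-format access log lines like the ones quoted in the reply above, counts distinct source IPs per User-Agent inside a sliding window to flag the distributed brute force, and implements the "*admin.php" plus User-Agent ban rule from the last reply. The thresholds (20 IPs in one hour), the inclusion of /xmlrpc.php among login paths, and the sample log it builds (RFC 5737 documentation addresses) are assumptions made for the example.

```python
"""Detection and ban logic for the pattern described in this thread: many source IPs,
one shared User-Agent, all hitting a WordPress login path inside an hour.
Example code added to the thread, not posted by any participant; the log lines built
in sample_log() are constructed (RFC 5737 documentation addresses)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Apache/nginx "combined" format, as in the lines quoted in the last reply.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The User-Agent every request in the thread carried.
BOTNET_UA = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
# Paths counted as login attempts: wp-login and the non-existent /admin.php from the
# thread; /xmlrpc.php is an assumption (the other usual WP brute-force target).
LOGIN_PATHS = ("/wp-login.php", "/wp-login", "/admin.php", "/xmlrpc.php")
# The ban rule from the last reply: path glob "*admin.php" plus the exact UA.
BAN_PATH_GLOB = "*admin.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before matching
    return rec


def distributed_login_attempts(lines, window=timedelta(hours=1), min_ips=20):
    """Group login-path hits by User-Agent and slide a time window over each group.

    Per-IP rate limiting never fires here (each IP sends a handful of requests), so the
    metric is distinct source IPs sharing one UA inside the window. Returns
    {ua: (peak_distinct_ips_in_window, total_hits)} for UAs that reach min_ips.
    The thresholds are assumptions; tune them to the site's normal login traffic."""
    by_ua = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in LOGIN_PATHS:
            by_ua[rec["ua"]].append((rec["ts"], rec["ip"]))
    alerts = {}
    for ua, events in by_ua.items():
        events.sort()
        in_window = Counter()   # ip -> hits currently inside the window
        lo, peak = 0, 0
        for ts, ip in events:
            in_window[ip] += 1
            while ts - events[lo][0] > window:   # expire hits older than the window
                old_ip = events[lo][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_ips:
            alerts[ua] = (peak, len(events))
    return alerts


def should_ban(line):
    """The rule from the last reply: block when the path matches *admin.php AND the
    User-Agent is the botnet's. Requiring both keeps a real user on that Firefox
    build, or a real admin.php on another app, from being blocked on one signal."""
    rec = parse_line(line)
    return bool(rec) and fnmatch(rec["path"], BAN_PATH_GLOB) and rec["ua"] == BOTNET_UA


def sample_log():
    """Constructed log: 30 distinct IPs with the botnet UA hit /wp-login.php over ~48
    minutes, one /admin.php probe a day later, and a legitimate user with a normal UA."""
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.0" {st} 901 "-" "{ua}"'
    base = datetime.strptime("01/Nov/2013:18:00:00 +0000", TS_FMT)
    lines = [fmt.format(ip="198.51.100.%d" % (i + 1),
                        ts=(base + timedelta(seconds=100 * i)).strftime(TS_FMT),
                        m="POST", p="/wp-login.php", st=200, ua=BOTNET_UA)
             for i in range(30)]
    lines.append(fmt.format(ip="203.0.113.9", ts="02/Nov/2013:19:45:10 +0000",
                            m="GET", p="/admin.php", st=403, ua=BOTNET_UA))
    legit_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
    lines.append(fmt.format(ip="192.0.2.7", ts="01/Nov/2013:18:10:00 +0000",
                            m="POST", p="/wp-login.php", st=302, ua=legit_ua))
    lines.append(fmt.format(ip="192.0.2.7", ts="01/Nov/2013:18:11:00 +0000",
                            m="GET", p="/admin.php", st=404, ua=legit_ua))
    return lines


if __name__ == "__main__":
    log = sample_log()
    for ua, (peak, total) in distributed_login_attempts(log).items():
        print("ALERT: %d distinct IPs in one window, %d hits, UA %r" % (peak, total, ua))
    print("lines matching ban rule:", sum(should_ban(l) for l in log))
```

    Run on the constructed log, the detector raises one alert for the shared User-Agent (30 distinct IPs inside the hour, 31 hits in total) and nothing for the legitimate user, while the ban rule matches only the botnet's /admin.php probe. Keying the window on the User-Agent works for this campaign because the tool never rotated it; a campaign that does rotate UAs needs a second grouping key (path alone, or path plus a request fingerprint) to stay visible.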

  • The topic ‘(New?) Botnet To BruteForce WP?’ is closed to new replies.