
Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 21:18
by florin
Hello,

So... it is happening on our servers too ... targeting only WP-login. Just hit about 10 of our servers.

Multiple HTTP requests on wp-login.php. We managed to block the IPs and we also put a "die" in wp-login.php temporarily.

How can we block this?

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 21:45
by peterelsner
Here are my settings.

# Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

These IPs do NOT show up in any MOD SEC logs.

Mod Security is NOT catching these since they are only calling a direct link to WordPress login URLs, i.e. hXXp://www.domainname.tld/wp-login.php

So Mod Security is not going to help here.
This is an attack that I'm pretty sure csf does not yet detect. That's why I asked if it was possible.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 23:17
by kdean
Just adding my voice to those with this issue today. Had major load problems today with this attack. Blocked a bunch of IPs and lowered my FastCGID idle timeout to 120 seconds, which seemed to have helped with the load, or it's just less right now coincidentally.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 23:46
by dvk01

Re: Multiple attempts to hack into wp-login from same IP

Posted: 10 Apr 2013, 05:11
by ljweb
Yes, happening here too, high load due to wp-login.php attempts. Is there any way to create a custom rule to look through the domain logs for multiple wp-login.php attempts and block after 10 or so access attempts from the same IP within 1 min?
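
One way to do the detection asked about above, as an added example that is not part of any post in this thread and is not csf's own code: a per-IP sliding-window count of POSTs to wp-login.php over Apache access-log lines. The function names, default thresholds and sample lines are assumptions constructed for illustration; it only reports offending IPs and leaves the actual blocking to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def find_offenders(lines, limit=10, window=timedelta(seconds=60)):
    """Map each IP to the time of its `limit`-th wp-login.php POST inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated log line
        ip, stamp, method, path = m.groups()
        # Strip the query string and any subdirectory (/blog/wp-login.php).
        target = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if method != "POST" or target != "wp-login.php":
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) >= limit and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed sample lines using documentation IP ranges, not real traffic."""
    fmt = ('{ip} - - [09/Apr/2013:13:{m:02d}:{s:02d} -0400] '
           '"{verb} {path} HTTP/1.1" 200 3840 "-" "Mozilla/5.0"')
    lines = []
    for i in range(12):
        # Rapid client: one login POST every 2 seconds.
        lines.append(fmt.format(ip="203.0.113.7", m=50, s=2 * i,
                                verb="POST", path="/wp-login.php"))
        # Slow client: one login POST every 30 seconds.
        lines.append(fmt.format(ip="198.51.100.20", m=50 + i // 2, s=30 * (i % 2),
                                verb="POST", path="/blog/wp-login.php"))
        # Client that only loads the login form (GET), never submits it.
        lines.append(fmt.format(ip="192.0.2.9", m=50, s=i,
                                verb="GET", path="/wp-login.php"))
    return lines

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} reached the limit at {when.isoformat()}")
```

Counting only POSTs keeps visitors who merely load the login form out of the result; matching the path rather than a user agent matters here because the requests rotate user agents.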

Re: Multiple attempts to hack into wp-login from same IP

Posted: 10 Apr 2013, 16:38
by ahsteve
Almost 50 servers were under attack in the same way. The numbers are common: 2136 hits for a domain from an IP.

93.142.203.126 - - [09/Apr/2013:13:50:26 -0400] "POST /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"

93.142.203.126 - - [09/Apr/2013:13:50:26 -0400] "POST /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"

The IPs are from different locations.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 10 Apr 2013, 17:09
by sawbuck
Although loath to post WHT links, this discussion is offering some mod_sec information that may work.

http://www.webhostingtalk.com/showthread.php?t=1255387

http://www.webhostingtalk.com/showpost. ... stcount=42

Re: Multiple attempts to hack into wp-login from same IP

Posted: 10 Apr 2013, 19:11
by peterelsner
The links provided by dvk01 to the mod sec rules didn't work :(
The attacks started at exactly 1:00 PM central time.
Before then, all was fine and quiet. They will continue from now until about 5:30 PM central time (which is when they stopped yesterday).

I'm about to try the links that sawbuck just supplied.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 10 Apr 2013, 19:42
by orditeck
Thanks sawbuck for the WHT link, I found a solution with ModSec there :-) (solution by Patrick)

Re: Multiple attempts to hack into wp-login from same IP

Posted: 10 Apr 2013, 20:21
by Sergio
orditeck wrote: Thanks sawbuck for the WHT link, I found a solution with ModSec there :-) (solution by Patrick)
Patrick did the trick, I confirm that this rule is working +1