
Multiple attempts to hack into wp-login from same IP

Posted: 13 Feb 2013, 19:12
by peterelsner
Found several attempts from an IP address in Russia that is attempting a brute force attack
on a site's wp-login.php script. I see an attempt every few seconds in the user's domlogs file.

This causes the server's load to increase, and as soon as I block the IP, the load comes down.

Code:

/usr/local/apache/domlogs/USERNAME/domainname.tld

Can lfd monitor these logs as well, and block IPs that hit this same link more than 200 times in 5 minutes, or will that be too much strain on the server?

Re: Multiple attempts to hack into wp-login from same IP

Posted: 13 Mar 2013, 09:38
by dvk01
Use this WordPress plugin to sort it:
http://wordpress.org/extend/plugins/lim ... -attempts/

Re: Multiple attempts to hack into wp-login from same IP

Posted: 14 Mar 2013, 16:13
by peterelsner
Err.. That would mean I would need to install that plugin for any of my wordpress customers.
Not really an option since we have hundreds of wordpress customers per server. Most of our customers are
not even aware that this is happening to their site.

But thanks for sharing the link, I will definitely send it to some of the customers that have this happen more often than the rest.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 08 Apr 2013, 12:25
by Ked
mod_security would help you with this.

- Recompile Apache with mod_security
- Download and install the free GotRoot mod_security ruleset (take note of the specific addendum on cPanel installs on that page):
http://atomicorp.com/wiki/index.php/Ato ... stallation
- Configure CSF to block IPs that break these rules
- Optional: Install CSF Modsec Control - this allows you to switch the rule sets on and off on a per-account basis.

I run a number of Wordpress sites and the combination of CSF + Mod_sec + GotRoot rules is a lifesaver.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 08 Apr 2013, 15:51
by peterelsner
Ked,

Agreed. I already have Mod Sec and the GotRoot rules installed. While this does help, it does not prevent a brute force attack on a customer's wordpress site (specifically wp-admin.php). So the same IP address is constantly hitting hXXp://www.somesite.tld/wp-admin over and over again trying to brute force its way in (it's a script, no doubt from a compromised computer).

Was just wondering if the logs can be monitored so that if the same IP hits that site/url 100 times or more in 5 minutes that it is blocked.

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 00:37
by Sergio
peterelsner wrote:
Ked,

Agreed. I already have Mod Sec and the GotRoot rules installed. While this does help, it does not prevent a brute force attack on a customer's wordpress site (specifically wp-admin.php). So the same IP address is constantly hitting hXXp://www.somesite.tld/wp-admin over and over again trying to brute force its way in (it's a script, no doubt from a compromised computer).

Was just wondering if the logs can be monitored so that if the same IP hits that site/url 100 times or more in 5 minutes that it is blocked.
In CSF look for
LF_MODSEC = 3
LF_MODSEC_PERM = 1

That will block the IP after 3 mod sec fails.

Sergio

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 15:17
by realtech
I have:
LF_MODSEC = 5
LF_MODSEC_PERM = 1

But it did not stop someone from taking the server load way up with massive hits to wp-login.php

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 20:01
by peterelsner
Exactly. Mine is also set to 5. Here's an example as this has happened today now for all of our servers... multiple times yet.

In /home/username/access-logs/domainname.tld are over 1300 of these...

189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
189.18.139.42 - - [09/Apr/2013:13:57:30 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"
189.18.139.42 - - [09/Apr/2013:13:57:30 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"
189.18.139.42 - - [09/Apr/2013:13:57:30 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 200 4171 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"

This IP happens to be from Brazil.

The server's load goes from 0.97 to 38.16 in a matter of seconds, until I block this IP, and then it comes back down again.

These are all most likely compromised PCs that are hitting several Wordpress sites (wp-login.php) in order to brute force the password on them.

It's really getting out of hand, and mod security is NOT going to stop it.
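The check peterelsner asks for at the top of the thread (flag an IP that hits wp-login.php 100 or more times in 5 minutes), run over access-log lines in the same combined format as the excerpt above. This is an added example, not code from the thread, from CSF or from lfd: the log lines are constructed (the IPs 203.0.113.7 and 198.51.100.20 are documentation addresses, not the one in the excerpt), the threshold and window are parameters, and the `csf -td` temporary-deny commands are only assembled as argument lists, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line, the format of the domlog excerpt in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_floods(lines, threshold=100, window_seconds=300, path="/wp-login.php"):
    """Return {ip: (hits, window_start, window_end)} for every IP that POSTs to
    `path` at least `threshold` times inside any sliding window of `window_seconds`.
    Every POST counts, whatever the status code: the 200s and 500s in the thread's
    excerpt both cost PHP time, which is the load problem being described.
    Hits are sorted by timestamp first because domlogs are not strictly ordered
    (the excerpt has a :31 line before a :30 line)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == path:
            hits.append((rec["ts"], rec["ip"]))
    hits.sort()
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for ts, ip in hits:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), q[0], ts)
    return flagged


def csf_tempdeny_commands(flagged, ttl_seconds=3600):
    """Build (but do not run) `csf -td IP ttl comment` temporary-deny commands."""
    return [
        ["csf", "-td", ip, str(ttl_seconds), f"wp-login.php POST flood: {n} hits"]
        for ip, (n, _start, _end) in sorted(flagged.items())
    ]


# Constructed sample log in the excerpt's format (not real traffic): one source
# POSTing to wp-login.php 120 times in about 40 seconds, plus one ordinary visitor.
_T0 = datetime(2013, 4, 9, 13, 57, 0, tzinfo=timezone(timedelta(hours=-5)))


def _line(ip, second, method, path, status, size):
    ts = (_T0 + timedelta(seconds=second)).strftime(TS_FMT)
    return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} '
            f'"-" "Mozilla/5.0 (constructed sample)"')


SAMPLE_LINES = [
    _line("203.0.113.7", i // 3, "POST", "/wp-login.php", 500 if i % 2 else 200, 358)
    for i in range(120)
]
SAMPLE_LINES += [
    _line("198.51.100.20", 5, "GET", "/wp-login.php", 200, 4171),
    _line("198.51.100.20", 9, "POST", "/wp-login.php", 302, 0),
    _line("198.51.100.20", 30, "GET", "/", 200, 12000),
]
SAMPLE_LINES.reverse()  # scramble the order to show that out-of-order lines are handled


if __name__ == "__main__":
    floods = find_login_floods(SAMPLE_LINES, threshold=100, window_seconds=300)
    for ip, (n, start, end) in floods.items():
        print(f"{ip}: {n} POSTs to wp-login.php between {start:%H:%M:%S} and {end:%H:%M:%S}")
    for cmd in csf_tempdeny_commands(floods):
        print(" ".join(cmd))
```

Running it over a real domlog means replacing SAMPLE_LINES with `open(path)`; the point to take from it is that a plain per-IP count of POSTs to one URL in a sliding window separates the flood from a customer who mistypes a password a few times, which is the distinction the CT_LIMIT connection-count approach mentioned later in the thread cannot make.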

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 20:20
by Sergio
@Peterelsner,
post the info that mod_security shows about this attack.

Also, what are your LF_MODSEC and LF_MODSEC_PERM settings?

Re: Multiple attempts to hack into wp-login from same IP

Posted: 09 Apr 2013, 21:12
by orditeck
Same problem here, on the same date. You're not alone haha!

I'd really appreciate getting a magical setting I could put in CSF to get rid of it -.-
I tried CT_LIMIT at 300 with no luck; it just blocked an actual customer....