This entry was posted in Research, Vulnerabilities, Wordfence, WordPress Security on August 3, 2016 by Mark Maunder

At Wordfence we track attacks across all our customer sites, both free and paid, to learn more about attacker tactics, techniques and procedures (TTPs). Mining this data helps us improve Wordfence Firewall, Wordfence Scan and our other features, and do a better job of keeping you safe.

We use a large distributed cluster to mine the huge amount of attack data we receive. Looking at the data for the past 7 days alone, we have logged 16.6 million attacks for just that period.

Analyzing our data has been incredibly productive and in the coming weeks we will be sharing additional insights. For today’s post we want to share some detail on the IP address that is responsible for the most attacks on our WordPress customer sites during the past 7 days.

The first part of this IP is: 46.161.X.X. We’re not sharing the full IP, and in general we will mask the addresses of attacking IPs in case those servers contain vulnerabilities. We don’t want to create new targets for attack. So for the sake of conversation, let’s call this IP address Ivan.

Ivan has been a very bad IP address. In the past 7 days he has launched 2,036,508 attacks on our customer sites which we’ve blocked.

The next highest attacking IP address is responsible for 468,661 attacks, so this IP is head and shoulders above the rest as the leading attack IP during the past week.

In fact Ivan is responsible for over 12% of all the attacks on all WordPress sites that Wordfence protects. That’s quite an achievement.

During the past 7 days the total number of IP addresses we have blocked attacks from is 77,939 unique IPs. This gives you an idea of how many attackers there are out there. Ivan has quite a lot of competition and despite that, he managed to come out at number 1.

During the past 7 days Ivan attacked 32,091 unique websites.

97% of attacks from this IP address tried to download the wp-config.php file using a wide range of arbitrary file download vulnerabilities in both plugins and themes.

The themes that were attacked by Ivan are shown in the following table. We also show the total attacks launched on each theme across all sites, along with the number of unique sites that were attacked by trying to exploit a vulnerability in the theme.

All these attacks use known file download vulnerabilities except one which may be a zero day vulnerability, so we are redacting the name of that theme.

Theme name              Total attacks   Unique sites attacked
infocus                 83095           20587
acento                  43898           20481
XXXXX*                  43613           20340
jarida                  43451           20292
markant                 43307           20259
yakimabait              43291           20300
tess                    43015           20110
felis                   42854           20030
ypo-theme               42671           19995
persuasion              41527           20316
echelon                 41398           20264
modular                 41322           20263
awake                   41123           20145
fusion                  41012           20132
method                  40908           20101
myriad                  40702           20007
elegance                40677           19976
dejavu                  40551           19997
construct               40278           19882
epic                    37141           17850
linenity                36656           17619
parallelus-salutation   36586           17623
trinity                 36295           17503
antioch                 36180           17322
urbancity               36118           17416
parallelus-mingle       35740           17179
authentic               35683           17073
churchope               35532           17040
lote                    35445           17027

The following table shows the plugins that are being attacked by Ivan. In all cases the attacker is using an arbitrary file download vulnerability in these plugins to try to download wp-config.php. All plugins have known arbitrary file download vulnerabilities except for one which may be a zero day and which we’ve redacted from this report.

Plugin name                         Total attacks   Unique sites attacked
filedownload                        46037           21373
ajax-store-locator-wordpress        44123           20558
plugin-newsletter                   38227           18351
pica-photo-gallery                  37795           18126
simple-download-button-shortcode    37684           18066
wp-filemanager                      37457           17236
tinymce-thumbnail-gallery           37270           17888
dukapress                           36697           17495
XXXXXX*                             36303           17358
db-backup                           34966           16627
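The common thread in both tables is a request to a theme or plugin script whose parameter reaches for wp-config.php, usually via ../ traversal and often percent-encoded more than once. The following is an added example (not Wordfence code) of spotting such attempts in a standard combined-format access log; the log lines, theme and plugin names, and IP addresses are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [03/Aug/2016:10:15:01 +0000] "GET /wp-content/themes/exampletheme/download.php?file=../../../wp-config.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Aug/2016:10:15:02 +0000] "GET /wp-content/plugins/exampleplugin/dl.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Aug/2016:10:15:03 +0000] "GET /wp-content/plugins/exampleplugin/dl.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Aug/2016:10:16:00 +0000] "GET /wp-content/themes/exampletheme/style.css HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Aug/2016:10:16:05 +0000] "GET /?s=wp-config.php HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so ..%252f and ../ compare equal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_config_download_attempt(target):
    """True when a request under a theme or plugin path carries a parameter
    that names wp-config.php or contains ../ traversal."""
    parts = urlsplit(target)
    if not parts.path.startswith(("/wp-content/themes/", "/wp-content/plugins/")):
        return False
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        v = fully_decode(value).replace("\\", "/").lower()
        if "wp-config.php" in v or "../" in v:
            return True
    return False

def find_attempts(log_text):
    """Return {source ip: number of wp-config.php download attempts}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_config_download_attempt(m.group("target")):
            hits[m.group("ip")] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in find_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {n} wp-config.php download attempts")
```

The ordinary search request for "wp-config.php" on the last line is deliberately not flagged, because the check is scoped to theme and plugin paths where these download bugs live.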

One of the things we examined when looking at data from this IP address is whether any cloud WAF providers are blocking these attacks. We were surprised to see 58,089 attacks from this IP in the past week bypassed Cloudflare (came in through their servers) and were not blocked. These attacks occurred on 1,183 unique websites. In each case the attack passed through a Cloudflare server and was blocked by Wordfence.

The attacks exploit well-known vulnerabilities. These customers may be running Cloudflare’s free package, which includes “broad security protection” but does not include a WAF. In each case the request we received contained the HTTP header that verifies the source is the attacker we’re analyzing and that it came via Cloudflare.

Cf-Connecting-Ip: 46.161.X.X
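When traffic is relayed through Cloudflare, the TCP peer your origin sees is a Cloudflare edge, and the real client lives in Cf-Connecting-Ip; a blocklist keyed on the peer address alone would never match Ivan. The header is only safe to trust when the peer really is an edge, since anyone who reaches the origin directly can set it to whatever they like. This is an added example (not Wordfence or Cloudflare code) of resolving the client address with that check; the edge range and blocklist entry are constructed placeholders, and in production the edge ranges should come from Cloudflare’s published list.

```python
import ipaddress

# Constructed placeholder for the CDN's published edge ranges (assumption, not from
# the post); load the provider's official list instead of hard-coding one network.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed blocklist entry; the post masks the real address as 46.161.X.X.
BLOCKED_IPS = {ipaddress.ip_address("198.51.100.23")}

def is_trusted_proxy(remote_addr):
    """True when the direct TCP peer belongs to a known CDN edge range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)

def client_ip(remote_addr, headers):
    """Resolve the real client address of a request.
    Cf-Connecting-Ip is honoured only when the peer is a trusted edge;
    otherwise the header is ignored and the peer address is used."""
    lowered = {k.lower(): v for k, v in headers.items()}
    header = lowered.get("cf-connecting-ip")
    if header and is_trusted_proxy(remote_addr):
        try:
            return ipaddress.ip_address(header.strip())
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return ipaddress.ip_address(remote_addr)

def should_block(remote_addr, headers):
    """Blocklist decision made on the resolved client, not the CDN edge."""
    return client_ip(remote_addr, headers) in BLOCKED_IPS

if __name__ == "__main__":
    # Attack relayed by the CDN: peer is an edge, header carries the attacker.
    print(should_block("192.0.2.10", {"Cf-Connecting-Ip": "198.51.100.23"}))   # True
    # Direct hit with a forged header: peer is not an edge, header ignored.
    print(should_block("203.0.113.5", {"Cf-Connecting-Ip": "198.51.100.23"}))  # False
    # Attacker connecting straight to the origin, bypassing the CDN entirely.
    print(should_block("198.51.100.23", {}))                                   # True
```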

The attacking IP we’ve dubbed ‘Ivan’ is based in St. Petersburg, Russia. It is operated by “Petersburg Internet Network ltd.”. The host runs Debian Linux and exposes a range of services, including an FTP daemon, a web server (with a placeholder page), mail services and SSH.

What to do

We are working to contact the net block owner and have this IP shut down. It is already on our internal blacklists and its attacks are blocked by the Wordfence firewall.

If you’re a theme or plugin developer and your theme or plugin is listed above, we recommend you put some effort into ensuring that all your customers have upgraded to your newest version, assuming you’ve fixed the vulnerability. This IP is exploiting these vulnerabilities because they provide results, so it’s likely there are still a few vulnerable sites out there.

If you’re a WordPress user, the free version of Wordfence will protect you against the exploits we’re seeing from this IP. As new attacks emerge, we improve our firewall rules, which we release to our premium customers in real time and to our free customers on a 30-day delayed schedule. That’s why we recommend you upgrade to Wordfence Premium.