0 SHARES Facebook Twitter

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked 2013/Jan: 1,252,308 login attempts blocked (40k per day) 2013/Feb: 1,034,323 login attempts blocked (36k per day) 2013/Mar: 950,389 login attempts blocked (31k per day) 2013/Apr: 774,104 for the first 10 days – 77,410 per day

As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days.

That means that the number of brute force attempts more than tripled. This sharp increase would lead us to believe that there is some reality to these reports.

Diving deeper into our data we find a few interesting data points. For instance, we can see the top user names being attempted:

652,911 [log] => admin

10173 [log] => test

8992 [log] => administrator

8921 [log] => Admin

2495 [log] => root

In these cases, by the shear fact of having a non- admin / administrator / root usernames you are automatically out of the running. Which is kind of nice actually.

FYI, the number value next to the [log] is the number of scan completed. So the first line item, admin, was used against some 652,911 sites.

As far passwords, this is what we’re seeing:

16,798 [pwd] => admin

10,880 [pwd] => 123456

9,727 [pwd] => 666666

9,106 [pwd] => 111111

7,882 [pwd] => 12345678

7,717 [pwd] => qwerty

7,295 [pwd] => 1234567

6,160 [pwd] => #@F#GBH$R^JNEBSRVWRVW

5,640 [pwd] => password

5,446 [pwd] => 12345

5,392 [pwd] => $#GBERBSTGBR%GSERHBSR

5,058 [pwd] => %G#GBAEGBW%HBFGBFXGB

5,024 [pwd] => RGA%BT%HBSERGAEEAHAEH

4,861 [pwd] => aethAEHBAEGBAEGEE%

4,317 [pwd] => 123

4,281 [pwd] => 123qwe

4,133 [pwd] => 123admin

4,092 [pwd] => 12345qwe

4,086 [pwd] => 12369874

3,880 [pwd] => 123123

3,831 [pwd] => 1234qwer

3,814 [pwd] => 1234abcd

3,787 [pwd] => 123654

3,751 [pwd] => 123qwe123qwe

3,744 [pwd] => 123abc

3,623 [pwd] => 123qweasd

3,606 [pwd] => 123abc123

3,422 [pwd] => 12345qwert

Most of these should be expected actually, it’s only what we’ve been reporting for a while.

What does stand out are these:

6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW

5392 [pwd] => $#GBERBSTGBR%GSERHBSR

5058 [pwd] => %G#GBAEGBW%HBFGBFXGB

5024 [pwd] => RGA%BT%HBSERGAEEAHAEH

4861 [pwd] => aethAEHBAEGBAEGEE%

Looking at some of our resources we have found these across a few wordlists which sounds very odd. The most obvious argument is, well crud, they are just randomly generated, right? But then you look at the number of sites it was tried against, that’s where it doesn’t make sense.

Almost feels like we’re missing something that they know.. hummmm.. then again it could be over thinking and we should just be glad they are blocked.

Top Scanner IP

Here is a bit more information for those managing their own servers and hosts. Here are the top 30 malicious IP addresses being used in the various attacks:

#number of attempts – IP Address

41315 31.184.238.38

10004 178.151.216.53

9817 91.224.160.143

8773 195.128.126.6

6838 85.114.133.118

6624 177.125.184.8

5896 89.233.216.203

5534 89.233.216.209

5469 109.230.246.37

5364 188.175.122.21

5110 46.119.127.1

4485 176.57.216.198

4205 173.38.155.22

4114 67.229.59.202

3956 94.242.237.101

3460 209.73.151.64

3443 212.175.14.114

3294 78.154.105.23

3162 50.116.27.19

3054 195.128.126.114

2740 78.153.216.56

2732 31.202.217.135

2661 204.93.60.182

2520 173.38.155.8

2371 204.93.60.75

2303 50.117.59.3

2301 209.73.151.229

2287 216.172.147.251

2234 204.93.60.57

2227 94.199.51.7

2215 204.93.60.185

Should you be concerned?

Depends, what have you implemented to protect yourself against these attacks? The thing to understand about these attacks is that they play on the biggest WordPress vulnerability, you, the end-user. You have to be doing your part, specifically when leveraging good passwords.

If you aren’t, then yes, we’d say it’s worth being a bit concerned about. Especially if any of the data above looks familiar. Some things to consider looking at include solutions like a web application firewall (WAF) similar to our CloudProxy product or ModSecurity to block these attacks before they reach your site / server resources.