dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
1245

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

1 edit

Woody79_00

Premium Member

Massive Wordpress Brute Force Going on Right now

Click for full size
So, I came in this morning to find over 18,000 failed login attempts to my workplace Wordpress site this morning. (See the attached screenshot)

Thankfully, none of these login attempts were able to work because:

1. the Login Requires filling a Captcha

2. Failing to enter the correct login credentials or put in the correct Captcha 4 times locks the account.

3. I use Bad Behavior in Conjunction with Project Honeypot BL look ups, so these offending IP's end up in the BL list due to their spamming.

4. I have a hidden form on the login screen that only bots would fill out, anyone who fills out this hidden form is blocked.

I just wanted others out there who may be using Wordpress or other simlair site to be aware of this going on at the moment...these 18,000 login attempts happened in the matter of a few hours early this morning.

So double check those login records, and do what you can to prevent these people from getting in...I have contacted the abuse department on some of these IP's, but im not sure it will do me any good.

Have a great morning people!

Nightfall
My Goal Is To Deny Yours
MVM
join:2001-08-03
Grand Rapids, MI

Nightfall

MVM

Re: Massive Wordpress Hack Going on Right now

I wouldn't say this is a hack. More like just someone trying to guess the password. If this was a hack, then you would have someone using a plugin or a known hole in Wordpress to get access to your site. That isn't happening from the looks of things.

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

Woody79_00

Premium Member

said by Nightfall:

I wouldn't say this is a hack. More like just someone trying to guess the password. If this was a hack, then you would have someone using a plugin or a known hole in Wordpress to get access to your site. That isn't happening from the looks of things.

Well yes your technically correct, I think "Brute Force" may be a more appropriate title.

However these brute force attempts are coming from multiple IP's. I just screen shotted part of the page,

Nightfall
My Goal Is To Deny Yours
MVM
join:2001-08-03
Grand Rapids, MI

Nightfall

MVM

Yea, I hear ya. Just pointing out that the title of your post is a bit misleading. I just checked my three wordpress sites and none of them are having issues with this.

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

Woody79_00

Premium Member

Glad your lucky and not having any issues Nightfall.

I have contacted 1 of the abuse departments for the most offending IP, and forwarded logs to them, and they say they are going to investigate the issues and hopefully shut that IP down. Lets hope for the best.

Nightfall
My Goal Is To Deny Yours
MVM
join:2001-08-03
Grand Rapids, MI

Nightfall to Woody79_00

MVM

to Woody79_00

Re: Massive Wordpress Brute Force Going on Right now

This may just be a brute force attack on your site in specific. Nothing personal (no pun intended).

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie to Woody79_00

Member

to Woody79_00
XMLRPC wp.getUsersBlogs method perhaps?

Brute Force Exploiting Xmlrpc

Hmmm, according to your screenshot they are using the old wp-login.php BF attack. Skiddies running wild?

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

Woody79_00

Premium Member

said by Chubbzie:

XMLRPC wp.getUsersBlogs method perhaps?

Brute Force Exploiting Xmlrpc

Hmmm, according to your screenshot they are using the old wp-login.php BF attack. Skiddies running wild

Thats what i was thinking Cubbzie. I remembered something like this happening a few months ago.

I do have XML-RPC disabled anyways because we don't use it here, so no sense leaving it on.

I must be pretty popular for these people to wasting so much time on such a small site. Its kinda funny really, considering the measure in place, and they won't even fill out a captcha! :P

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie

Member

said by Woody79_00:

I must be pretty popular for these people to wasting so much time on such a small site.

Lucky you, getting the special treatment. Good to hear you had the forethought to disable XMLRPC.