Happy Valentine’s Day, and someone loves me out there on the Internet, because they used a botnet to try to break into my site. You are very welcome, whoever you are, but I am trying to find out who is my secret admirer.
There are 12 IPs involved. They each try 2 times.
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
Yet another brute force attack that I would like to document. The first two, from China and India, are bad dudes.
UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0
- 188.8.131.52 Forest Eternal Com Cn, Risk 10/10, spam, bots, malware (200): Spam Zero-Day, Doc.Dropper.Agent-5664104-0
- 184.108.40.206 Wimax Bharat Sanchar Nigam BSNL In, Risk 7.1/10, spam, bots, malware: Spam Zero-Day, Doc.Dropper.Agent-5664104-0
- 220.127.116.11 Telenet Operaties Belgium, Risk 8.6/10, spam, bots, scanning IPs
They are banned, never to return with these IPs.
It is always warming to see the two Chinas, the PRC and Taiwan, getting along. Today they ganged up and tried to break into my site.
- 18.104.22.168 China Unicom Shandong, level 10 risk, malware Spam Zero-Day
- 22.214.171.124 Hinet Chunghwa Tel Taiwan, known for bots and infected zombie computers
- 126.96.36.199 Chinanet Anhui, level 10 risk, malware Spam Zero-Day
- 188.8.131.52 Dou shi-BAR Yin chuan Ningxia, level 10 risk, malware Spam Zero-Day
The last one, from Ningxia, looks surprisingly small as compared to the usually huge number of IP addresses for Chinanet or China Unicom, but they are part of Chinanet Ningxia, which is large.
It is always good to see international cooperation amongst different nations in this great world. However, when China, India and Russia cooperate to try to break into my site, forgive me when I get a little upset. While I usually file complaints to internet host providers, in this case the complaint would fall on deaf ears: hosts in China, India and Russia ignore abuse emails. Then again, most hosts from all over the world ignore abuse emails.
Number of login attempts: 417
All the user agent names are the same: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0
Why is today so special? It looks like two separate groups tried their own brute force login attacks on my site, each using a different technique. There were a total of 510 login attempts today on my site.
The first technique is to use a low number of IPs, but try numerous times. UA: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0”
- 184.108.40.206 VODAFONE-IT: 51 login attempts
- 220.127.116.11 SIPCOM UA: 116 login attempts
- 18.104.22.168 CHINANET Jiangsu: 109 login attempts
- 22.214.171.124 Idea Cellular In: 51 login attempts
Again, they come, but this time with individual IPs. Huh? Not so funny anymore. 18 individual IPs, all timed differently.
UA: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
Strong, WordPress is, otherwise it would have been breached long ago. These three attackers did a brute force login attack on me today. This is not the first and will certainly not be the last. While I can track down the IP and ISP, and ban them, their origins I will never know. This is the murky world of the internet, and it is worldwide.
- 126.96.36.199: 188.8.131.52 – 184.108.40.206 WIFLY GA GABON has tried security hacks on my site before, 6 attempts
- 220.127.116.11 mes.megion.ru 18.104.22.168 – 22.214.171.124 Lider Telecom Ru, 52 attempts
- 126.96.36.199 188.8.131.52 – 184.108.40.206 Wimax New Delhi IN, 8 attempts
Three hackers, one from Africa, one from Russia, one from India. This is the global entity called the Internet.
Brute force attacked, I was, for the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.
I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced apart throughout the day, use different IP addresses and hosts, but use the same POST (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko).
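As an added example (not the blog's own code), here is a small Python script that applies the two patterns the posts describe to Apache combined-format access log lines: a per-IP count catches the few-IPs-many-attempts technique, and grouping POSTs to the login endpoints by (path, referrer, user agent) catches the distributed technique where many IPs each try once or twice with an identical client fingerprint, as in the 57 xmlrpc.php POSTs. The log lines, the thresholds and the RFC 5737 test addresses are constructed; only the paths, referrer and UA strings come from the posts.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format. Everything in SAMPLE_LOG is constructed for this
# example (RFC 5737 test addresses); only the paths, referrer and UA strings
# mirror what the posts above report.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
LOGIN_PATHS = {"/wp/xmlrpc.php", "/wp/wp-login.php"}
UA_IE = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
UA_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"

def _line(ip, hour, path, ref, ua):
    return (f'{ip} - - [14/Feb/2017:{hour:02d}:00:00 +0000] "POST {path} HTTP/1.0" '
            f'403 0 "{ref}" "{ua}"')

SAMPLE_LOG = "\n".join(
    # technique 1: one address hammering wp-login.php
    [_line("198.51.100.7", h, "/wp/wp-login.php", "-", UA_FF) for h in range(6)]
    # technique 2: six addresses, one xmlrpc.php POST each, identical referrer and UA
    + [_line(f"203.0.113.{n}", n, "/wp/xmlrpc.php", "http://dontai.com/wp/xmlrpc.php", UA_IE)
       for n in range(1, 7)]
    # ordinary traffic that must not be flagged
    + [_line("192.0.2.9", 12, "/wp/wp-comments-post.php", "http://dontai.com/wp/", UA_IE)])

def parse_log(text):
    """Yield one dict per line in combined format; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_bruteforce(text, per_ip_threshold=5, min_ips=5):
    """Return (noisy_ips, distributed) for POSTs to the login endpoints.

    noisy_ips:   {ip: attempts} for IPs at or above per_ip_threshold (few IPs, many tries).
    distributed: {(path, referrer, ua): sorted IPs} for client fingerprints seen from
                 at least min_ips addresses (many IPs, a try or two each, same fingerprint)."""
    per_ip, by_fingerprint = Counter(), defaultdict(set)
    for e in parse_log(text):
        if e["method"] != "POST" or e["path"] not in LOGIN_PATHS:
            continue
        per_ip[e["ip"]] += 1
        by_fingerprint[(e["path"], e["referer"], e["ua"])].add(e["ip"])
    noisy = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    distributed = {k: sorted(v) for k, v in by_fingerprint.items() if len(v) >= min_ips}
    return noisy, distributed
```

Run `find_bruteforce(open("access.log").read())` against a real log to get both dictionaries; the thresholds are starting points and should be tuned to the site's normal login volume.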
Brute Force xmlrpc.php Attack on WordPress: Case Study