Botnet Attacks WordPress Website

Apparent Botnet Attacked My WordPress Website

What appeared to be a botnet attacked one of my sites ( this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IPs in these attacks – 146 IPs is serious stuff…

146 IPs Used in Simultaneous Attack

The IPs listed below are the guilty parties in this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second, less intense attack followed, starting at 05h16 GMT and tailing off until it ended at 05h43 GMT.

Several Public Proxies Used

I find it significant that a good percentage of the IPs are free public proxy servers. Many of these public proxies were not on the banned list before, so I am gratified to add them now. Free public proxies are another group of IPs I deny access to my sites.

Many Listed as Bad IPs Already

Project Honeypot and other bad-host lists already include most of the IPs used – most of these are classed as Comment Spammers, Dictionary Attackers, Mail Servers or Scripting Attackers/Hackers.

Numerous IPs Used in Attack Already Banned

Roughly half the IPs used by this botnet attack are already in the banned list, notably those coming from Russia and Brazil – both these regions are banned outright, and new IP ranges are blocked on discovery. Other previously banned ranges included France (OVH), but some new ranges were found from this attack. Ukraine is another region banned on sight, so most of those were already blocked.

Regions and Hosts

The most common regions hosting the IPs used in the attack were Russia and Brazil; no surprises there. The rest were spread around: China of course, France (regular bad host – OVH), Germany (notorious bad host – Hetzner Online AG), Macedonia, Thailand, Indonesia, United Arab Emirates, Poland, Ukraine (no surprise there either – nothing except rubbish coming from that region), Mexico, Peru, Ecuador and even Taiwan contributed to the attack.

Responding to the Threat

The first priority was banning the IPs used in today’s hacking attempt. Next I will take a closer look at the hosts – and block their full range if I don’t like what I’m seeing. For now I have another 70 (or close to 70) bad IPs banned from accessing my sites. My customers’ websites and my own sites are safer as a result.

About Mike

Web Developer and Techno-geek, Saltwater fishing nut, Blogger

Posted on November 25, 2012, in Internet Security, Websites. 2 Comments.

  1. Any update on how you dealt with this? One of my WP sites is suffering from a huge botnet attack. About 10 login names are being used and 9 of them are invalid and the IPs are auto locked out from login. Still, at least 1 per second attempts to log in. This has been going on for 12 hours! So far thousands of IPs have been blocked, but there are thousands more still trying. Since I’m using Wordfence and adding the ones using invalid names to the banned list, it requires virtual memory which has been maxed for hours, effectively crashing the site. In response I’ve moved all the files for the site out of public_html for the time being, hoping the bots will quit….

    • @KalanStar
      Considering the seriousness of the attack, I think you need to stop requests from those IPs at firewall level – before they get to your site. If you don’t have your own dedicated server, then you need to discuss this with the hosting company’s technicians.

      IPs blocked at the firewall won’t use your site’s resources. The other thing they could do is add a filter to slow down repeat requests. IOW – set a time limit on requests from the same IP – but this can cause a whole lot of other performance issues – e.g. visitors (and admins) switching quickly between pages get server errors.

      I’m not too familiar with WordFence – looking at the literature it appears WordFence IP blocking is an active system – in other words it uses WordPress and checks IPs against the database (I may be wrong).
      I prefer to use .htaccess for IP blocking. It’s lighter on server resources, although a long block list can add a few milliseconds to page loads as the server reads the file every time. (My standard .htaccess file has around 1400 “deny from” entries, and my Drupal business site pages still load under 1 second)

      The correct syntax for blocking an IP e.g. is
      deny from

      The deny section starts (using the above example)

      order allow,deny
      allow from all

      deny from
      deny from (denies the entire block)
      deny from (next IP)

      It’s not too critical where the section is placed – nearer the top after other rules is OK, but for convenience I usually add the blocks after the WordPress (# END WordPress) or other CMS stuff – at the end of the file

      Best to do this from cPanel or whichever file manager you have – PC text editors can encode the file incorrectly. Make a backup of the original file first in case you get something wrong and it breaks your site. cPanel has an IP deny tool, which is easy to use.

      Hope this helps
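The post’s response (ban the offending IPs, then block a host’s whole range) and the reply’s .htaccess deny section can be automated from the web server’s access log. The script below is an added example written for this page, not the author’s or the commenter’s own tooling. It assumes Apache/NCSA combined-format log lines, the Apache 2.2 `order allow,deny` / `allow from all` / `deny from` syntax used in the reply (Apache 2.4 replaced it with `Require` directives, and the reply’s point about blocking at the firewall still stands), and it treats the threshold (3 login POSTs inside 60 seconds), the /24 range collapse and the sample log lines as constructed assumptions.

```python
"""Find brute-force wp-login.php sources in an access log and emit an
Apache 2.2-style .htaccess deny block (added example, not the post's code)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, not real traffic):
# four sources each POST to wp-login.php three times inside a few seconds,
# one normal visitor fetches a page, one source tries to log in once.
def _line(ip, second, path="/wp-login.php", method="POST"):
    return (f'{ip} - - [25/Nov/2012:05:09:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 3421 "-" "Mozilla/5.0"')

ATTACKERS = ("203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.7")
SAMPLE_LOG = "\n".join(
    [_line(ip, s) for ip in ATTACKERS for s in (1, 2, 3)]
    + [_line("192.0.2.50", 4, "/about/", "GET"), _line("192.0.2.51", 5)]
)

# Apache combined log: ip ident user [timestamp] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_login_attempts(log_text):
    """Yield (ip, timestamp) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def attackers_per_minute(log_text):
    """Distinct source IPs posting to wp-login.php in each minute. A sudden
    jump (the post saw 146 IPs) is the signature of a distributed attack."""
    per_minute = {}
    for ip, ts in parse_login_attempts(log_text):
        per_minute.setdefault(ts.replace(second=0), set()).add(ip)
    return {minute: len(ips) for minute, ips in per_minute.items()}

def offending_ips(log_text, threshold=3, window=timedelta(seconds=60)):
    """IPs with at least `threshold` login POSTs inside any `window`
    (sliding window per IP, so a single legitimate login is never flagged)."""
    by_ip = {}
    for ip, ts in parse_login_attempts(log_text):
        by_ip.setdefault(ip, []).append(ts)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return sorted(bad, key=ipaddress.ip_address)

def collapse_ranges(ips, min_per_block=3, prefix=24):
    """Replace IPs with their /`prefix` network when at least `min_per_block`
    offenders share it: the post's 'block their full range' step. The /24
    granularity and the count are assumptions, not the author's rule."""
    net_of = {ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    counts = Counter(net_of.values())
    out = []
    for ip in ips:
        entry = str(net_of[ip]) if counts[net_of[ip]] >= min_per_block else ip
        if entry not in out:
            out.append(entry)
    return out

def render_htaccess(entries):
    """Apache 2.2 deny section in the same shape as the reply above;
    'deny from' accepts single IPs and CIDR ranges."""
    lines = ["order allow,deny", "allow from all"]
    lines += [f"deny from {e}" for e in entries]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("distinct attackers per minute:", attackers_per_minute(SAMPLE_LOG))
    bad = offending_ips(SAMPLE_LOG)
    print(render_htaccess(collapse_ranges(bad)))
```

Run against a real log, paste the output after the `# END WordPress` marker as the reply suggests, and keep the original .htaccess as a backup; the /24 collapse is deliberately conservative (three offenders before a whole block is denied) because a range ban also locks out every innocent host in it.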
