Botnet Attacks WordPress Website
Apparent Botnet Attacked My WordPress Website
What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IP’s in these attacks – 146 IPs is serious stuff…
146 IP’s Used in Simultaneous Attack
The IP’s listed below are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attacked followed; starting from 05h16 GMT tailing off until ending at 05h43 GMT
| 95.140.196.34 |
| 94.23.238.135 |
| 94.23.238.135 |
| 94.153.243.234 |
| 93.91.49.18 |
| 89.28.120.189 |
| 89.237.134.10 |
| 89.218.65.38 |
| 89.144.131.106 |
| 88.210.42.254 |
| 86.96.226.20 |
| 85.234.22.126 |
| 85.10.202.142 |
| 84.47.12.167 |
| 83.220.79.68 |
| 83.212.99.19 |
| 82.114.95.238 |
| 81.202.251.62 |
| 8.21.6.226 |
| 78.38.12.9 |
| 78.31.78.12 |
| 78.131.55.82 |
| 78.111.247.253 |
| 77.122.65.195 |
| 66.249.73.47 |
| 62.64.4.57 |
| 62.33.168.214 |
| 62.165.42.170 |
| 62.162.6.11 |
| 61.94.204.242 |
| 61.30.127.2 |
| 61.19.252.92 |
| 5.9.225.130 |
| 49.0.96.48 |
| 46.29.10.94 |
| 46.225.241.134 |
| 46.166.139.174 |
| 46.137.178.203 |
| 46.108.10.182 |
| 41.93.45.5 |
| 41.75.201.146 |
| 37.59.236.42 |
| 222.124.178.9 |
| 220.255.2.144 |
| 220.135.253.234 |
| 219.76.104.2 |
| 217.219.73.14 |
| 217.219.123.59 |
| 213.140.115.173 |
| 212.93.195.229 |
| 212.48.35.55 |
| 212.33.192.226 |
| 212.126.123.17 |
| 211.115.185.58 |
| 210.57.215.0/24 |
| 210.101.131.231 |
| 208.91.198.23 |
| 202.70.136.158 |
| 202.70.136.158 |
| 202.69.102.243 |
| 202.51.233.206 |
| 202.166.205.91 |
| 202.159.8.148 |
| 202.146.236.4 |
| 202.138.232.114 |
| 201.59.167.202 |
| 201.244.71.62 |
| 201.238.227.202 |
| 201.219.3.5 |
| 201.140.102.173 |
| 201.116.168.167 |
| 200.96.185.228 |
| 200.85.39.10 |
| 200.73.17.70 |
| 200.71.86.50 |
| 200.31.75.14 |
| 200.31.107.98 |
| 200.27.183.100 |
| 200.217.64.211 |
| 200.195.178.42 |
| 200.146.46.254 |
| 200.146.104.121 |
| 200.111.115.172 |
| 200.110.33.170 |
| 200.106.160.19 |
| 200.105.237.94 |
| 196.1.178.254 |
| 194.125.255.126 |
| 193.22.6.62 |
| 193.13.64.156 |
| 190.95.206.254 |
| 190.85.133.162 |
| 190.248.67.146 |
| 190.223.53.70 |
| 190.211.243.50 |
| 190.15.192.174 |
| 190.145.26.2 |
| 190.14.255.234 |
| 190.14.232.126 |
| 190.108.83.30 |
| 189.200.157.74 |
| 189.108.118.194 |
| 187.93.77.235 |
| 187.87.32.166 |
| 187.75.227.16 |
| 187.63.160.3 |
| 187.63.15.61 |
| 187.60.96.7 |
| 187.6.57.118 |
| 187.6.254.19 |
| 187.44.14.72 |
| 187.32.127.163 |
| 187.28.202.22 |
| 187.0.222.167 |
| 186.219.25.228 |
| 186.215.231.211 |
| 186.215.207.141 |
| 186.200.58.162 |
| 186.190.210.130 |
| 186.148.128.86 |
| 182.253.17.130 |
| 180.241.223.29 |
| 178.33.234.17 |
| 178.33.181.120 |
| 178.212.102.67 |
| 178.208.255.123 |
| 178.208.255.123 |
| 177.70.68.155 |
| 177.69.223.100 |
| 177.69.210.130 |
| 177.43.72.250 |
| 177.36.216.76 |
| 175.184.35.129 |
| 175.136.224.188 |
| 159.255.166.131 |
| 146.255.64.138 |
| 146.174.195.200 |
| 124.124.68.58 |
| 118.97.8.84 |
| 118.97.37.123 |
| 118.70.129.101 |
| 117.211.123.62 |
| 112.217.228.212 |
| 109.185.118.156 |
| 106.3.98.82 |
| 103.7.248.22 |
Several Public Proxies Used
I find it significant a good percentage of the IP’s are free public proxy servers. Many of these public proxies were not on the banned list before, so I am gratified to add these now. Free public proxies are another group of IP’s I deny access to my sites.
Many Listed as Bad IP’s Already
Project Honeypot and other bad host lists include most of the IP’s used already – Most of these are classed Comment Spammers, Dictionary Attackers and Mail Servers or Scripting Attackers/Hackers.
Numerous IP’s Used in Attack Already Banned
Roughly half the IP’s used by this botnet attack are already in the banned list. Significantly, those coming from Russia and Brazil – both these regions are banned outright, and new IP ranges are blocked on discovery. Other previously banned ranges included France Ovh – but some new ranges were found from this attack. Ukraine is another region banned on-sight so most of these were already blocked.
Regions and Hosts
The most common regions hosting the IPs used in the attack were: Russia and Brazil; no surprises there. The rest were spread around: China of course, France (regular bad host – Ovh), Germany (notorious bad host – Hetzner Online AG), Macedonia, Thailand, Indonesia, United Arab Emirates, Poland, Ukraine (no surprise there either – nothing except rubbish coming from that region), Mexico, Peru, Ecuador and even Taiwan contributed to the attack.
Responding to the Threat.
The first priority was banning the IP’s used in today’s hacking attempt. Next I will take a closer look at the hosts – and block their full range if I don’t like what I’m seeing. For now I have another 70 (or close to 70) Bad IP’s Banned from accessing my sites. My customers websites and my own sites are safer as a result.
Related articles
- Banned IPs (graphiclineweb.wordpress.com)
- Botnets and cyber warfare, a dangerous combination (Credit for “Botnet” image)
Posted on November 25, 2012, in Internet Security, Websites and tagged Botnet, Brute-force attack, Hacker, Hacking, Hosting, Internet, Internet Security, IP Address, Security Alert, Security Risks, Spambot. Bookmark the permalink. 2 Comments.
Any update on how you dealt with this? One of my WP sites is suffering from a huge botnet attack. About 10 login names are being used and 9 of them are invalid and the ip’s are auto locked out from login. Still, at least 1 per second attempts to log in. This has been going on for 12 hours! So far thousands of IP’s have been blocked, but there are thousands more still trying. Since I’m using Wordfence and adding the ones using invalid names to the banned list, it requires virtual memory which has been maxed for hours effectively crashing the site. In response I’ve moved all the files for the site out pf public_html for the time being hoping the bots will quit….
@KalanStar
Considering the seriousness of the attack, I think you need to stop requests from those IPs at firewall level – before they get to your site. If you don’t have your own dedicated server, then you need to discuss this with the hosting company’s technicians.
IPs blocked at the firewall won’t use your sites resources. They other thing they could do is add a filter to slow down repeat requests. IOW – set a time limit on requests from the same IP – but this can cause a whole lot of other performance issues – e.g. visitors (and admins) switching quickly between pages get server errors
I’m not to familiar with WordFence – looking at the literature it appears WordFence IP blocking is an active system – in other words it uses WordPress and checks IP’s against the database (I may be wrong).
I prefer to use .htaccess for IP blocking. It’s lighter on server resources, although a long block list can add a few milliseconds to page loads as the server reads the file every time. (My standard .htaccess file has around 1400 “deny from” entries, and my Drupal business site pages still load under 1 second)
The correct syntax for blocking an IP e.g. 95.140.196.34 is
deny from 95.140.196.34
The deny section starts (using the above example)
order allow,deny
allow from all
deny from 95.140.196.34
deny from 85.0.0.0-85.255.255.255 (denies the entire block)
deny from (next IP)
It’s not too critical where the section is placed – nearer the top after other rules is OK, but for convenience I usually add the blocks after the WordPress (# END WordPress) or other CMS stuff – at the end of the file
Best to do this from CPanel or whichever file manager you have – PC text editors can code the file incorrectly. Make a backup of the original file first in case you get something wrong and it breaks your site. CPanel has an IP deny tool, which is easy to use.
Hope this helps