Botnet Attacks WordPress Website


Apparent Botnet Attacked My WordPress Website

What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IPs in these attacks – 146 IPs is serious stuff…

146 IPs Used in Simultaneous Attack

The IPs involved were the guilty parties in this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second, less intense attack followed, starting at 05h16 GMT and tailing off until it ended at 05h43 GMT.

Several Public Proxies Used

I find it significant that a good percentage of the IPs are free public proxy servers. Many of these public proxies were not on the banned list before, so I am gratified to add them now. Free public proxies are another group of IPs I deny access to my sites.

Many Listed as Bad IPs Already

Project Honeypot and other bad-host lists already include most of the IPs used – most of these are classed as Comment Spammers, Dictionary Attackers, and Mail Servers or Scripting Attackers/Hackers.

Numerous IPs Used in Attack Already Banned

Roughly half the IPs used by this botnet attack were already in the banned list, significantly those coming from Russia and Brazil – both regions are banned outright, and new IP ranges are blocked on discovery. Other previously banned ranges included OVH (France), but some new ranges were found from this attack. Ukraine is another region banned on sight, so most of those were already blocked.

Regions and Hosts

The most common regions hosting the IPs used in the attack were Russia and Brazil; no surprises there. The rest were spread around: China of course, France (regular bad host – OVH), Germany (notorious bad host – Hetzner Online AG), Macedonia, Thailand, Indonesia, United Arab Emirates, Poland, Ukraine (no surprise there either – nothing except rubbish coming from that region), Mexico, Peru, Ecuador and even Taiwan all contributed to the attack.

Responding to the Threat

The first priority was banning the IPs used in today’s hacking attempt. Next I will take a closer look at the hosts – and block their full range if I don’t like what I’m seeing. For now I have another 70 (or close to 70) bad IPs banned from accessing my sites. My customers’ websites and my own sites are safer as a result.


About Mike

Web developer and techno-geek, saltwater fishing nut, blogger

Posted on November 25, 2012, in Internet Security, Websites. 2 Comments.

  1. Any update on how you dealt with this? One of my WP sites is suffering from a huge botnet attack. About 10 login names are being used and 9 of them are invalid, and the IPs are auto-locked out from login. Still, at least 1 per second attempts to log in. This has been going on for 12 hours! So far thousands of IPs have been blocked, but there are thousands more still trying. Since I’m using Wordfence and adding the ones using invalid names to the banned list, it requires virtual memory which has been maxed for hours, effectively crashing the site. In response I’ve moved all the files for the site out of public_html for the time being, hoping the bots will quit…

    • @KalanStar
      Considering the seriousness of the attack, I think you need to stop requests from those IPs at firewall level – before they get to your site. If you don’t have your own dedicated server, then you need to discuss this with the hosting company’s technicians.

      IPs blocked at the firewall won’t use your site’s resources. The other thing they could do is add a filter to slow down repeat requests. IOW – set a time limit on requests from the same IP – but this can cause a whole lot of other performance issues – e.g. visitors (and admins) switching quickly between pages get server errors.

      I’m not too familiar with WordFence – looking at the literature it appears WordFence IP blocking is an active system – in other words it uses WordPress and checks IPs against the database (I may be wrong).
      I prefer to use .htaccess for IP blocking. It’s lighter on server resources, although a long block list can add a few milliseconds to page loads as the server reads the file every time. (My standard .htaccess file has around 1400 “deny from” entries, and my Drupal business site pages still load in under 1 second.)

      The correct syntax for blocking an IP, e.g. 95.140.196.34, is
      deny from 95.140.196.34

      The deny section starts (using the above example)

      order allow,deny
      allow from all

      deny from 95.140.196.34
      # denies the entire 85.x.x.x block; Apache takes a CIDR prefix (or a partial
      # address such as 85), not a dash-separated range
      deny from 85.0.0.0/8
      deny from (next IP)

      It’s not too critical where the section is placed – nearer the top after other rules is OK, but for convenience I usually add the blocks after the WordPress (# END WordPress) or other CMS stuff – at the end of the file.

      Best to do this from cPanel or whichever file manager you have – PC text editors can code the file incorrectly. Make a backup of the original file first in case you get something wrong and it breaks your site. cPanel has an IP deny tool, which is easy to use.

      Hope this helps
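As an added example (Python; not code from the post or its comments) covering both the distributed wp-login brute force the post reports, where the per-IP lockout the first commenter relied on does not help, and the .htaccess deny section Mike’s reply recommends: the log lines are constructed with documentation-range addresses, and the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed Apache combined-log lines (RFC 5737 documentation addresses, not the author's
# real logs): a one-minute burst of wp-login POSTs from four sources, a GET, a lone login later.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2012:05:09:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.11 - - [25/Nov/2012:05:09:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.7 - - [25/Nov/2012:05:09:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.10 - - [25/Nov/2012:05:09:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.8 - - [25/Nov/2012:05:09:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
192.0.2.55 - - [25/Nov/2012:05:09:30 +0000] "GET /index.php HTTP/1.1" 200 8812
192.0.2.56 - - [25/Nov/2012:05:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for every line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def distributed_login_bursts(log_text, min_ips=3):
    """{minute: sorted distinct IPs} for each minute in which >= min_ips different addresses
    POSTed to wp-login.php. Per-IP lockouts (the first commenter's defence) never fire when
    each bot tries once or twice, so the signal is distinct sources per minute, not failures."""
    buckets = defaultdict(set)
    for ip, ts, method, path, _status in parse(log_text):
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            buckets[ts.replace(second=0)].add(ip)
    return {minute: sorted(ips) for minute, ips in buckets.items() if len(ips) >= min_ips}

def htaccess_deny_block(entries):
    """Apache 2.2-style blacklist section as in Mike's reply; entries are addresses or CIDR
    prefixes, duplicates collapse, anything else (e.g. a dash range) raises ValueError."""
    nets = {ip_network(e, strict=False) for e in entries}
    lines = ["order allow,deny", "allow from all"]
    for net in sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen)):
        host = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        lines.append(f"deny from {host}")
    return "\n".join(lines)

if __name__ == "__main__":
    for minute, ips in distributed_login_bursts(SAMPLE_LOG).items():
        print(f"{minute:%H:%M} UTC, {len(ips)} distinct IPs:\n{htaccess_deny_block(ips)}")
```

Run against the constructed sample it flags only the 05:09 minute (four sources) and renders a deny block for them; the lone 05:40 login and the GET are ignored.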
