Botnet Attacks on WordPress


Latest Botnet Attacking WordPress wp-login.php

A botnet is currently attacking the WordPress login (wp-login.php) with the user name admin in a DDoS (Distributed Denial of Service) brute force attack, intended to force the server and WordPress into allowing the cyber-criminals access to the site.

We’ve seen this botnet hammering some of our WordPress sites for the last several days. So far we’ve seen attacks from the IPs listed below. (Note: these are only the IPs used to attack our monitored sites; the botnet will have more…)

Be Pro-active and Defend Your WordPress Site

We strongly recommend all WordPress users take pro-active measures and add the list of IPs to their .htaccess file. You can copy and paste the code below into your .htaccess file. I’ve included the comments #BOTNET BEGINS and #BOTNET ENDS so you can easily remove this block when the threat from this botnet is over.

So far, all the attacks have one thing in common: the user agents (browser IDs). We’ve discovered these user agents so far:

  • Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
  • Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

Note the minor difference: the leading "Mozilla/5.0 (" is missing from the second version.

You can use .htaccess rules to ban these user agents (they’re not official Firefox or Microsoft browser IDs), but be careful: any syntax error and you could lock out all browsers with ‘Mozilla’ in the UA string. For most of us, a safer way is to use a WordPress plugin, e.g. VSF Simple Block or WP Ban, to ban this browser ID.

Some people will argue that blocking the user agent simply means the botnet will switch the attack to another string, which is correct, and that blocking IPs means the cyber criminals will use other IPs to attack the site.
But we’re talking ‘pro-active’ prevention: if you have these blocks in place, you’re slightly ahead of their game.
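As an added example (not code from the original post), the Python script below builds the same kind of #BOTNET BEGINS/ENDS block from a list of IPs and the two user-agent strings above. It escapes and anchors each user-agent pattern so the SetEnvIf rule matches only that exact string rather than everything containing ‘Mozilla’, and it validates every IP/CIDR entry before writing anything, because one malformed deny line is exactly the syntax error that locks everyone out. The LEGIT_CHROME_UA string is a constructed sample; the environment variable name botnet_ua and the use of Python’s re module as a stand-in for Apache’s PCRE matching are my assumptions.

```python
import ipaddress
import re

# The two user-agent strings reported in the post. The second one is the first
# with the leading "Mozilla/5.0 (" missing.
BOTNET_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
    "Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
]

# Constructed sample of a legitimate browser UA that also contains "Mozilla".
LEGIT_CHROME_UA = (
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/27.0.1453.94 Safari/537.36"
)

# Characters that carry special meaning in a PCRE pattern (what Apache uses).
PCRE_META = set(r"\.^$*+?()[]{}|")


def pcre_escape(text: str) -> str:
    """Backslash-escape the characters that are special in a PCRE pattern."""
    return "".join("\\" + c if c in PCRE_META else c for c in text)


def ua_pattern(ua: str) -> str:
    """Exact-match pattern for one user agent: escaped and anchored with ^...$,
    so the 'Mozilla/5.0 (' prefix cannot match every Mozilla-based browser."""
    return "^" + pcre_escape(ua) + "$"


def ua_matches(pattern: str, ua: str) -> bool:
    """Approximate Apache's SetEnvIf regex test with Python's re (assumption:
    close enough for these literal, anchored patterns)."""
    return re.search(pattern, ua) is not None


def invalid_ip_entries(entries):
    """Return the entries that are not a valid IP address or CIDR block.
    A typo here is a deny line Apache may refuse to load, taking the site down."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def build_htaccess_block(ips, user_agents=BOTNET_USER_AGENTS) -> str:
    """Emit an Apache 2.2-style block between the same #BOTNET BEGINS/ENDS
    markers the post uses, denying the listed IPs and the exact UA strings.
    The env-variable name botnet_ua is an arbitrary choice for this example."""
    bad = invalid_ip_entries(ips)
    if bad:
        raise ValueError(f"refusing to write block with invalid entries: {bad}")
    lines = ["#BOTNET BEGINS"]
    for ua in user_agents:
        lines.append(f'SetEnvIf User-Agent "{ua_pattern(ua)}" botnet_ua')
    lines += ["Order allow,deny", "Allow from all", "Deny from env=botnet_ua"]
    lines += [f"Deny from {ip}" for ip in ips]
    lines.append("#BOTNET ENDS")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    exact = ua_pattern(BOTNET_USER_AGENTS[0])
    # The unanchored pattern "Mozilla" would also catch a normal Chrome user.
    print("overbroad 'Mozilla' hits Chrome: ", ua_matches("Mozilla", LEGIT_CHROME_UA))
    print("anchored pattern hits Chrome:    ", ua_matches(exact, LEGIT_CHROME_UA))
    print("anchored pattern hits botnet UA: ", ua_matches(exact, BOTNET_USER_AGENTS[0]))
    print(build_htaccess_block(["67.159.8.162", "198.50.128.0/17", "37.59.87.32/27"]))
```

The generated directives use the Apache 2.2 Order/Allow/Deny syntax that the post’s own block relies on; Apache 2.4 only honours them when mod_access_compat is loaded, otherwise the equivalent is Require not ip and Require not env botnet_ua inside a <RequireAll> block.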

Our Results with the Recommended Bans:

On Thursday, 20 June, the botnet came back to the site with a DDoS attack from over 650 IPs, and more than 2000 attempts in 5 minutes.

Nearly 600 of these IPs were stopped by the IP deny rules in .htaccess, receiving a 403 access denied message from the server. The remaining IPs were blocked by the user agent deny rules and redirected away from the WordPress site to a static HTML page on another server. Not a single attack reached the login page.
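As an added example that is not part of the original post, here is a small Python detector that reads Apache combined-format access log lines, flags IPs that sent a burst of POSTs to wp-login.php inside a sliding window, and classifies each attempt the way the paragraph above does: a 403 means the IP deny rule stopped it, a redirect carrying one of the botnet user agents means the user-agent rule sent it elsewhere, and anything else reached the login page. The log lines, the documentation-range IP addresses, and the assumption that the user-agent redirect shows up as a 302 are all constructed for the example; the threshold of three attempts in five minutes is a parameter, not a figure from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The user-agent strings the post reports for this botnet.
BOTNET_UAS = {
    "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
    "Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
}

# Apache "combined" log format: ip ident user [time] "req" status bytes "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. 190.233.243.17 is one of the post's listed IPs; the
# 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation ranges.
SAMPLE_LOG = """\
190.233.243.17 - - [20/Jun/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 403 215 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
190.233.243.17 - - [20/Jun/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 403 215 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
190.233.243.17 - - [20/Jun/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 403 215 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.10 - - [20/Jun/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.10 - - [20/Jun/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.10 - - [20/Jun/2013:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.7 - - [20/Jun/2013:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.7 - - [20/Jun/2013:10:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.7 - - [20/Jun/2013:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.0.2.55 - - [20/Jun/2013:10:17:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
192.0.2.55 - - [20/Jun/2013:10:17:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_posts(lines):
    """Yield the parsed records that are POSTs to wp-login.php, i.e. login attempts."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            yield rec


def burst_sources(lines, window=timedelta(minutes=5), threshold=3):
    """Return {ip: peak} for IPs with >= threshold login POSTs inside any sliding window."""
    per_ip = defaultdict(list)
    for rec in login_posts(lines):
        per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # drop attempts that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def outcome(rec):
    """Classify one attempt: stopped by the IP deny (403), diverted by the UA rule
    (assumed to appear as a 3xx redirect with a botnet UA), or reached the login page."""
    if rec["status"] == 403:
        return "ip_denied"
    if rec["ua"] in BOTNET_UAS and 300 <= rec["status"] < 400:
        return "ua_redirected"
    return "reached_login"


def outcome_counts(lines):
    """Count login attempts per outcome; a legitimate login also counts as reached_login."""
    return dict(Counter(outcome(rec) for rec in login_posts(lines)))


def new_deny_candidates(lines, **kw):
    """Bursting IPs that still reached wp-login.php: the ones the current block is not
    stopping, hence candidates for a new `deny from` line (review before adding)."""
    flagged = burst_sources(lines, **kw)
    reached = {rec["ip"] for rec in login_posts(lines) if outcome(rec) == "reached_login"}
    return sorted(ip for ip in flagged if ip in reached)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bursting IPs:", burst_sources(lines))
    print("outcomes:", outcome_counts(lines))
    print("add to deny list:", new_deny_candidates(lines))
```

The single legitimate user (192.0.2.55) also produces a 302 on a successful login, which is why the classifier keys the ua_redirected verdict on the botnet user agent and why the burst threshold, not the status code, is what separates it from the attackers.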

.htaccess Blocklist to Limit Latest Botnet Threat

Add the following to your .htaccess file to prevent attacks from these IP addresses that are part of this botnet. Follow this post to stay up to date; we will add newly discovered IPs as they are found.

#BOTNET BEGINS
deny from 67.159.8.162
deny from 198.50.128.0/17
deny from 37.59.87.32/27
deny from 101.51.155.79
deny from 101.98.131.76
deny from 103.5.61.178
deny from 106.147.179.89
deny from 106.147.181.14
deny from 106.147.187.241
deny from 106.170.249.190
deny from 108.163.240.25
deny from 109.107.155.193
deny from 110.133.17.193
deny from 110.168.63.213
deny from 110.55.0.88
deny from 110.77.204.242
deny from 112.198.64.17
deny from 112.198.77.179
deny from 112.204.212.206
deny from 112.204.40.181
deny from 112.208.184.233
deny from 112.208.98.182
deny from 112.211.212.171
deny from 113.161.76.254
deny from 113.165.86.120
deny from 113.170.122.132
deny from 113.173.28.177
deny from 114.129.4.36
deny from 114.144.160.223
deny from 114.149.120.75
deny from 114.149.223.115
deny from 114.160.116.71
deny from 114.169.147.155
deny from 114.187.68.220
deny from 114.38.106.168
deny from 115.30.181.152
deny from 117.198.209.143
deny from 118.172.198.202
deny from 118.174.207.17
deny from 118.69.93.115
deny from 121.111.68.61
deny from 121.113.30.94
deny from 121.54.41.121
deny from 121.54.46.35
deny from 121.54.54.37
deny from 122.21.56.171
deny from 122.220.255.199
deny from 122.26.103.242
deny from 122.52.9.83
deny from 122.60.210.78
deny from 122.61.71.16
deny from 123.220.16.29
deny from 124.105.239.216
deny from 124.6.181.167
deny from 124.6.181.65
deny from 124.84.155.62
deny from 125.15.40.43
deny from 125.196.157.28
deny from 125.212.121.190
deny from 125.28.133.23
deny from 125.60.156.171
deny from 126.107.146.89
deny from 126.12.145.146
deny from 126.50.31.186
deny from 126.60.238.90
deny from 133.37.209.103
deny from 153.120.250.212
deny from 153.188.222.246
deny from 173.244.197.107
deny from 175.143.40.126
deny from 175.144.118.235
deny from 177.143.190.17
deny from 177.226.136.43
deny from 177.98.10.90
deny from 178.148.242.205
deny from 178.158.214.36
deny from 178.165.47.157
deny from 178.212.104.8
deny from 178.223.62.108
deny from 179.215.133.173
deny from 180.191.174.146
deny from 180.34.172.238
deny from 180.51.228.112
deny from 180.53.160.52
deny from 181.112.157.99
deny from 181.130.229.35
deny from 181.198.197.18
deny from 181.64.188.50
deny from 181.64.36.95
deny from 181.67.167.118
deny from 181.95.249.9
deny from 182.170.114.110
deny from 182.181.170.186
deny from 182.52.35.46
deny from 183.176.149.238
deny from 183.87.240.254
deny from 186.116.0.98
deny from 186.120.28.19
deny from 186.122.44.164
deny from 186.223.231.133
deny from 186.236.104.20
deny from 186.29.9.115
deny from 186.30.38.100
deny from 186.31.93.194
deny from 186.42.80.152
deny from 186.46.31.98
deny from 186.46.78.57
deny from 186.46.98.237
deny from 186.47.140.86
deny from 186.47.16.130
deny from 186.47.68.189
deny from 186.68.212.131
deny from 186.89.149.124
deny from 186.95.28.242
deny from 186.95.73.148
deny from 187.131.39.85
deny from 187.138.85.163
deny from 187.143.10.137
deny from 187.152.28.98
deny from 187.155.27.32
deny from 187.156.7.26
deny from 187.162.151.107
deny from 187.167.196.26
deny from 187.172.227.109
deny from 187.204.74.193
deny from 187.205.226.64
deny from 187.206.198.72
deny from 187.208.243.124
deny from 187.209.209.166
deny from 187.213.176.1
deny from 187.234.34.207
deny from 187.252.189.169
deny from 188.159.33.135
deny from 188.246.76.8
deny from 188.51.78.65
deny from 189.133.181.81
deny from 189.134.26.248
deny from 189.134.83.255
deny from 189.138.141.3
deny from 189.139.19.90
deny from 189.142.92.198
deny from 189.146.129.50
deny from 189.151.43.111
deny from 189.156.220.148
deny from 189.159.66.34
deny from 189.163.15.103
deny from 189.173.35.45
deny from 189.179.53.109
deny from 189.182.211.133
deny from 189.191.54.209
deny from 189.197.121.238
deny from 189.198.71.175
deny from 189.204.98.67
deny from 189.215.188.6
deny from 189.218.156.223
deny from 189.224.174.48
deny from 189.225.129.63
deny from 189.226.25.197
deny from 189.228.75.25
deny from 189.241.27.186
deny from 189.245.193.17
deny from 189.25.68.142
deny from 189.251.158.119
deny from 190.1.178.11
deny from 190.102.157.166
deny from 190.117.157.113
deny from 190.118.101.10
deny from 190.118.189.60
deny from 190.12.28.225
deny from 190.12.51.160
deny from 190.12.80.49
deny from 190.130.154.19
deny from 190.140.17.45
deny from 190.148.136.180
deny from 190.148.71.50
deny from 190.152.139.7
deny from 190.152.34.238
deny from 190.181.203.67
deny from 190.182.108.130
deny from 190.183.224.253
deny from 190.203.192.51
deny from 190.204.164.102
deny from 190.207.24.250
deny from 190.214.115.148
deny from 190.214.205.31
deny from 190.222.10.13
deny from 190.228.216.37
deny from 190.230.54.89
deny from 190.232.123.8
deny from 190.232.126.87
deny from 190.232.140.180
deny from 190.232.181.88
deny from 190.232.199.180
deny from 190.233.16.129
deny from 190.233.160.243
deny from 190.233.243.17
deny from 190.233.246.225
deny from 190.233.25.208
deny from 190.233.78.92
deny from 190.234.170.132
deny from 190.234.20.5
deny from 190.234.206.154
deny from 190.236.191.2
deny from 190.236.51.144
deny from 190.236.84.179
deny from 190.237.255.131
deny from 190.238.253.111
deny from 190.242.67.186
deny from 190.251.164.46
deny from 190.253.250.252
deny from 190.36.130.245
deny from 190.38.46.153
deny from 190.42.128.134
deny from 190.42.159.150
deny from 190.43.16.222
deny from 190.73.129.79
deny from 190.78.17.235
deny from 190.80.100.99
deny from 190.95.226.172
deny from 190.96.226.6
deny from 192.100.188.205
deny from 192.188.58.35
deny from 193.248.204.160
deny from 195.189.71.1
deny from 2.181.150.238
deny from 200.102.80.92
deny from 200.104.224.32
deny from 200.121.206.128
deny from 200.149.5.182
deny from 200.35.237.38
deny from 200.37.205.17
deny from 200.58.93.206
deny from 201.1.170.123
deny from 201.130.192.192
deny from 201.139.145.14
deny from 201.141.120.253
deny from 201.141.185.239
deny from 201.141.201.184
deny from 201.141.254.215
deny from 201.155.124.79
deny from 201.157.6.168
deny from 201.161.25.143
deny from 201.240.115.66
deny from 201.242.171.226
deny from 201.243.126.85
deny from 201.244.96.85
deny from 201.246.219.111
deny from 201.51.207.241
deny from 201.58.163.2
deny from 201.96.106.213
deny from 202.150.1.24
deny from 202.177.116.101
deny from 203.192.231.186
deny from 206.188.154.6
deny from 206.248.74.142
deny from 210.48.221.10
deny from 211.177.194.175
deny from 218.110.24.250
deny from 220.215.193.225
deny from 221.70.1.133
deny from 222.252.87.156
deny from 223.134.113.182
deny from 27.110.184.194
deny from 27.133.193.79
deny from 27.142.140.110
deny from 31.147.119.48
deny from 31.192.16.226
deny from 36.245.62.186
deny from 37.34.0.23
deny from 37.98.231.248
deny from 41.108.7.96
deny from 41.203.157.217
deny from 41.230.222.85
deny from 41.47.225.44
deny from 41.97.225.255
deny from 42.113.149.96
deny from 46.103.195.117
deny from 46.180.244.181
deny from 49.135.240.134
deny from 49.144.182.160
deny from 5.42.196.115
deny from 50.57.190.113
deny from 58.90.104.106
deny from 60.50.130.29
deny from 61.19.149.77
deny from 61.19.68.90
deny from 61.208.122.142
deny from 77.67.159.215
deny from 78.100.36.130
deny from 78.163.47.26
deny from 78.183.5.99
deny from 78.185.20.35
deny from 81.232.64.10
deny from 83.230.67.164
deny from 86.216.4.94
deny from 87.4.200.231
deny from 88.226.236.219
deny from 88.236.82.147
deny from 88.240.39.9
deny from 88.244.144.77
deny from 89.156.197.30
deny from 89.188.33.67
deny from 89.218.106.218
deny from 90.229.181.104
deny from 91.140.162.28
deny from 92.47.223.196
deny from 92.47.69.54
deny from 92.99.160.45
deny from 93.174.94.66
deny from 95.135.186.216
deny from 95.58.60.236
deny from 95.6.7.22
deny from 95.66.119.145
deny from 95.67.95.254
deny from 95.69.185.246
deny from 36.229.48.164
deny from 188.113.192.134
deny from 188.50.105.7
deny from 92.242.216.161
deny from 39.45.137.229
deny from 121.246.208.66
deny from 126.10.175.46
deny from 105.229.171.217
deny from 151.246.108.101
deny from 197.255.172.243
deny from 91.99.18.235
deny from 62.150.94.241
deny from 126.6.176.208
deny from 82.200.207.2
deny from 85.102.80.192
deny from 88.240.58.41
deny from 188.66.211.1
deny from 94.59.177.253
deny from 164.8.233.134
deny from 41.227.45.250
deny from 91.103.29.238
deny from 126.115.71.174
deny from 37.122.57.222
deny from 190.235.127.51
deny from 39.48.130.9
deny from 81.89.213.125
deny from 196.205.235.194
deny from 88.231.172.214
deny from 151.244.209.188
deny from 85.102.118.134
deny from 85.105.254.144
deny from 89.209.108.34
deny from 194.51.188.53
deny from 41.74.171.185
deny from 105.226.69.73
deny from 126.114.47.87
deny from 81.95.173.68
deny from 88.227.189.67
deny from 85.98.230.101
deny from 188.115.233.154
deny from 39.45.104.87
deny from 39.47.230.86
deny from 188.237.134.171
deny from 126.70.97.154
deny from 95.235.30.117
deny from 41.141.30.41
deny from 85.133.198.79
deny from 126.25.94.120
deny from 88.241.106.0
deny from 188.237.246.156
deny from 37.150.229.37
deny from 62.150.149.4
deny from 188.253.145.219
deny from 92.45.186.55
deny from 84.95.109.191
deny from 144.36.225.68
deny from 126.49.228.189
deny from 83.30.30.134
deny from 84.47.31.81
deny from 216.10.212.192
deny from 207.204.65.181
deny from 89.28.97.118
deny from 94.240.202.144
deny from 91.225.209.2
deny from 195.200.245.177
deny from 121.1.176.230
deny from 95.70.146.214
deny from 91.193.233.218
deny from 153.183.33.234
deny from 196.41.221.166
deny from 94.120.76.137
deny from 197.207.245.143
#BOTNET ENDS

Details About IPs Used in Botnet wp-login Attack

The table below lists the IPs used by the botnet to attack WordPress installations. Details are incomplete: we don’t want to abuse our domain look-up service with hundreds of requests in a short time.

South American and Arabian/Eastern European Botnet

IP – Hostname (where known) – Country and Company (where known)
103.5.61.178
190.233.243.17 Company: Peru – Lima Tdperx20 Lacnic
91.140.162.28 Company: Kuwait – Al Ahmadi Gulfnet Kuwait
190.236.51.144 Company: Peru – Lima Tdp Grs
189.228.75.25 Hostname: dsl-189-228-75-25-dyn.prod-infinitum.com.mx Company: Mexico – Mexico City Uninet S.a. De C.v.
190.118.101.10 Company: Peru – Lima America Movil Peru S.a.c.
190.117.157.113 Company: Peru – Lima America Movil Peru S.a.c.
93.174.94.66 Hostname: ns2.paldesign.net Company: Netherlands – Amsterdam Ecatel Ltd
95.69.185.246 Hostname: customer-95-69-185-246.airbites.kh.ua Company: Ukraine – Kharkiv Llc Ab Ukraine
41.230.222.85 Company: Tunisia – Tunis Agence Tunisienne Internet – Ati
190.42.128.134 Company: Peru – Lima Tdperx1 Lacnic
187.205.226.64 Hostname: dsl-187-205-226-64-dyn.prod-infinitum.com.mx Company: Mexico – Mexico City Uninet S.a. De C.v.
189.245.193.17 Hostname: dsl-189-245-193-17-dyn.prod-infinitum.com.mx
189.146.129.50 Hostname: dsl-189-146-129-50-dyn.prod-infinitum.com.mx Company: Mexico – Mexico City Gestion De Direccionamiento Uninet
190.95.226.172 Hostname: ip3-red-parisconcept.uio.telconet.net Company: Ecuador – Guayaquil Parisconcept S.a.
192.188.58.35 Company: Ecuador – Sangolqui Escuela Politecnica Del Ejercito
201.246.219.111 Hostname: 201-246-219-111.baf.movistar.cl Company: Chile – Santiago Telefonica Chile S.a.
81.232.64.10 Hostname: 81-232-64-10-no226.tbcn.telia.com Company: Denmark – Copenhagen Telia Network Services
190.152.34.238
190.181.203.67
201.161.25.143
50.57.190.113
190.234.20.5
190.204.164.102
189.241.27.186
41.47.225.44
153.188.222.246
190.152.139.7
189.138.141.3
190.236.84.179
190.238.253.111
190.234.170.132
206.188.154.6
189.251.158.119
201.157.6.168
37.98.231.248
179.215.133.173
190.214.115.148
189.142.92.198
41.203.157.217
86.216.4.94
206.248.74.142
201.141.185.239
201.141.201.184
201.141.120.253
181.64.188.50
190.242.67.186
190.251.164.46
201.243.126.85
187.213.176.1
190.148.136.180
88.236.82.147
193.248.204.160
187.143.10.137
190.148.71.50
189.197.121.238
153.120.250.212
173.244.197.107
190.232.140.180
95.135.186.216
190.140.17.45
201.155.124.79
190.12.28.225
126.60.238.90
190.118.189.60
37.34.0.23
190.222.10.13
181.198.197.18
187.162.151.107
189.198.71.175
190.233.78.92
126.12.145.146
187.152.28.98
187.138.85.163
126.50.31.186
189.182.211.133
187.234.34.207
187.167.196.26
187.155.27.32
189.191.54.209
190.42.159.150
187.208.243.124
190.96.226.6
189.173.35.45
89.156.197.30
189.134.26.248
192.100.188.205
189.225.129.63
189.218.156.223
190.43.16.222
190.80.100.99
90.229.181.104
201.139.145.14
190.234.206.154
189.215.188.6
88.226.236.219
189.151.43.111
189.163.15.103
95.66.119.145
190.12.80.49
190.214.205.31
88.240.39.9
187.252.189.169
181.130.229.35
201.244.96.85
121.113.30.94
190.183.224.253
189.224.174.48
88.244.144.77
187.172.227.109
187.156.7.26
181.112.157.99
126.107.146.89
189.204.98.67
189.156.220.148
190.182.108.130
201.141.254.215
83.230.67.164
190.36.130.245
181.67.167.118
95.67.95.254
188.51.78.65
188.246.76.8
190.236.191.2
190.233.160.243
201.130.192.192
189.133.181.81
189.134.83.255
201.240.115.66
190.207.24.250
189.139.19.90
190.232.199.180
190.253.250.252
187.131.39.85
89.188.33.67
190.232.123.8
187.209.209.166
87.4.200.231
36.245.62.186
190.130.154.19
190.237.255.131
190.233.16.129
189.179.53.109
190.232.126.87
189.226.25.197
190.38.46.153
189.159.66.34
187.206.198.72
181.95.249.9
190.233.25.208
190.78.17.235 Hostname: 190-78-17-235.dyn.dsl.cantv.net Company: Venezuela, Bolivarian Republic Of – Caracas Cantv Servicios Venezuela
190.102.157.166 Company: Peru – Lima Optical Ip
181.64.36.95 Company: Peru – Lima Tdp Grs
188.159.33.135 Company: Iran, Islamic Republic Of – Arak Neda Gostar Saba Data Transfer Company Private Joint Stock
190.232.181.88 Company: Peru – Lima Tdperx1 Lacnic
92.99.160.45 Company: United Arab Emirates – Dubai Emirates Telecommunications Corporation
190.1.178.11 Hostname: adsl-pool2-11.metrotel.net.co Company: Colombia – Barranquilla Metrotel Redes S.a.
190.233.246.225 Company: Peru – Lima Tdperx20 Lacnic
92.47.223.196 Hostname: 92.47.223.196.megaline.telecom.kz Company: Kazakhstan – Almaty Jsc Kazakhtelecom Almaty Affiliate
95.58.60.236 Hostname: 95.58.60.236.megaline.telecom.kz Company: Kazakhstan – Almaty Jsc Kazakhtelecom Mangystau Affiliate
190.228.216.37 Hostname: host37.190-228-216.telecom.net.ar Company: Argentina – Buenos Aires Apolo -gold-telecom-per
190.230.54.89 Hostname: host89.190-230-54.telecom.net.ar Company: Argentina – Buenos Aires Apolo -gold-telecom-per
92.47.69.54 Hostname: 92.47.69.54.megaline.telecom.kz Company: Kazakhstan – Aktau Jsc Kazakhtelecom Aktau Affiliate
89.218.106.218 Hostname: 92.47.69.54.megaline.telecom.kz Company: Kazakhstan – Qaraghandy Jsc Kazakhtelecom
190.73.129.79 Hostname: 190.73-129-79.dyn.dsl.cantv.net Company: Venezuela, Bolivarian Republic Of – Caracas Cantv Servicios Venezuela
41.108.7.96 Company: Algeria – Algiers Telecom Algeria
201.242.171.226 Hostname: 201-242-171-226.genericrev.cantv.net Company: Venezuela, Bolivarian Republic Of – Caracas Cantv Servicios Venezuela
190.203.192.51 Company: Venezuela, Bolivarian Republic Of – Caracas Cantv Servicios Venezuela
201.96.106.213 Hostname: customer-201-96-106-213.uninet-ide.com.mx Company: Mexico – Mexico City Gestion De Direccionamiento Uninet
195.189.71.1 Company: Kazakhstan – Astana Ctc Astana Ltd
187.204.74.193 Hostname: dsl-187-204-74-193-dyn.prod-infinitum.com.mx Company: Mexico – Mexico City Uninet S.a. De C.v.

Will Your Site Stand Up to Botnet Attack

What happens when a botnet hits your WordPress blog or website with a DDoS attack on wp-login? Will your site and server stand up to the attack, or will you be left standing out in the cold with a crashed server or hacked site?

Will your server and WordPress CMS stand up to over 3000 attacks from 300-plus IPs in 5 minutes? Or will the hacker/cyber crime operation beat the system and add your site to those distributing their malware?

Mike Otgaar


About Mike

Web Developer and Techno-geek Saltwater fishing nut Blogger

Posted on June 19, 2013, in WordPress. 3 Comments.

  1. Thanks for this article. I have seen the following user agents in the attacks on my site.

    Mozilla/3.0 (compatible; Indy Library)
    Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
    GoogleBot/1.0

    I installed VSF Simple Block but will need to read more to understand how to configure it. I already use the cPanel IP address blocker to block by the CIDR. The spider trap is a good feature.

  2. Pingback: WordPress Security Alert | Botnet Active Again

  3. Pingback: Too many Mothereffing hack attempts on this mothereffing website - DesignersTalk
