Botnets doing a brute force attack as of now, Friday 4pm EST



It looks good. However, if you're running a few hundred sites - signing up for their API every time could get tiresome. Also, I don't like my sites making unnecessary outgoing connections all the time.

----

P.S. - Got more info on the hacks... Apparently, a new user is created and administration roles are changed, followed probably, from what I can gain, by an upload of a shell script, which then further modifies the traditional wp-login.php.

This is what it looks like once the hack is successful.




If anyone wants to learn how to upload shells to sites easily

SQL INJECTION T+UPLOADING SHELL [ Part 1 & 2 ] - Pastebin.com
 
If you have any kind of decent hosting, then 5 failed attempts to login to anything, not just WP, should cause the IP to be blocked.

That wouldn't need decent hosting, as most shared hosts won't bother playing with server-side rules.

If you have a VPS or a Dedicated, you can easily implement this via ModSecurity:

Code:
# Initialise per-IP collections (the "user" collection is keyed by client IP here as well).
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<LocationMatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 1 hour, more than 5 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
# Count failures; deprecatevar forgives one failure every 180 seconds.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
# Sixth failure inside the window: set the block flag for 3600 seconds and reset the counter.
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=3600,setvar:ip.bf_counter=0"
</LocationMatch>

Source - Frameloss.org - Timings Modified by me

--

The above code will block an IP for 1 hour after more than 5 login attempts in 3 minutes.
 
Order Allow,Deny
<Files wp-login.php>
Allow from 123.456.789.101
</Files>

Deny from all except your own IP address or whatever IPs should have access.
 
Oops, can't edit... meant:

<Files wp-login.php>
Order Deny,Allow
Deny from all
# whitelist my IP address
Allow from 123.456.789.101
</Files>
 
My HostGator (shared) and my Liquid (dedi) Web both got hit... two sites' passwords were guessed.

Anyone who has not grepped their log files to see what is going on in their servers and made modifications to the Apache configuration file: now is the time to do so.

This is really bad. DoS is one thing, but a brute force attack on your login page can leave you vulnerable without you ever knowing.

Just wondering if this is not one big link-building scheme, hah.

I did:

grep -R wp-login /usr/local/apache/domlogs/* | grep POST | wc -l
67226

Made sure the latest mod_sec ruleset was installed,

and did auto semaphore cleaning.

Didn't know about this though.

> P.S. - Got more info on the hacks... Apparently, a new user is created and administration roles are changed, followed probably, from what I can gain, by an upload of a shell script, which then further modifies the traditional wp-login.php.
>
> This is what it looks like once the hack is successful.
 
Haven't found any trace of it yet... My passwords are pretty strong though.

Which log should I be looking in for failed password attempts? (HostGator shared)
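As an added illustration (not code from anyone in this thread), here is a Python replay of the ModSecurity counter logic posted above, run over constructed Apache access-log lines of the kind the domlogs grep earlier in the thread searches: a POST to wp-login.php answered with 200 is a failed login, 302 a successful one, exactly as the rule's own comment states. It applies the same thresholds (more than 5 failures, one forgiven per 180 s, 1 hour block) but counts only POSTs, which the posted rule does not (a plain GET of the form also returns 200); the sample IPs and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log sample (not from the thread): a hammering IP, a user who fails once then logs in, a slow guesser.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:16:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:16:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:16:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:16:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:16:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:16:00:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:16:00:07 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:16:01:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:16:01:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:16:05:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:16:05:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:16:05:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:16:05:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:16:15:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:16:15:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MAX_FAILURES, DECAY_SECONDS, BLOCK_SECONDS = 5, 180, 3600  # "@gt 5", deprecatevar 1/180, expirevar 3600

def replay(log_text):
    """Replay login POSTs through the posted rule's counter logic and report what it would have done."""
    counter, last_seen, block_until = {}, {}, {}
    result = {"blocked": {}, "denied": {}, "counter": {}}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Only login POSTs count here; the posted rule also counts GET 200s (plain form loads).
        if not m or m["path"] != "/wp-login.php" or m["method"] != "POST":
            continue
        ip, now = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        if ip in block_until and now < block_until[ip]:
            result["denied"][ip] = result["denied"].get(ip, 0) + 1  # rule 5000135: deny,status:401
            continue
        if m["status"] == "302":  # successful login resets the counter (rule 5000136)
            counter[ip] = 0
        elif m["status"] == "200":  # failed login: forgive one failure per 180 s, then count this one
            elapsed = (now - last_seen.get(ip, now)).total_seconds()
            counter[ip] = max(0, counter.get(ip, 0) - int(elapsed // DECAY_SECONDS)) + 1
            if counter[ip] > MAX_FAILURES:  # sixth failure inside the window: block for 1 hour
                block_until[ip] = now + timedelta(seconds=BLOCK_SECONDS)
                result["blocked"].setdefault(ip, m["ts"])
                counter[ip] = 0
        last_seen[ip] = now
        result["counter"][ip] = counter.get(ip, 0)
    return result
```

On this sample the hammering IP is blocked on its sixth failure and its seventh request is denied, the user who succeeds ends with a zero counter, and the slow guesser's four early failures decay by three over the ten-minute pause, so its last two failures leave it at 3 and unblocked (without the decay it would have reached 6 and been blocked).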