We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.
This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.
The Data
Looking back, we can see in our historical database the following:
2012/Dec: 678,519 login attempts blocked
2013/Jan: 1,252,308 login attempts blocked (40k per day)
2013/Feb: 1,034,323 login attempts blocked (36k per day)
2013/Mar: 950,389 login attempts blocked (31k per day)
2013/Apr: 774,104 for the first 10 days – 77,410 per day
As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days.
That means that the number of brute force attempts more than tripled. This sharp increase would lead us to believe that there is some reality to these reports.
Diving deeper into our data we find a few interesting data points. For instance, we can see the top user names being attempted:
652,911 [log] => admin
10173 [log] => test
8992 [log] => administrator
8921 [log] => Admin
2495 [log] => root
In these cases, by the shear fact of having a non- admin / administrator / root usernames you are automatically out of the running. Which is kind of nice actually.
FYI, the number value next to the [log] is the number of scan completed. So the first line item, admin, was used against some 652,911 sites.
As far passwords, this is what we’re seeing:
16,798 [pwd] => admin
10,880 [pwd] => 123456
9,727 [pwd] => 666666
9,106 [pwd] => 111111
7,882 [pwd] => 12345678
7,717 [pwd] => qwerty
7,295 [pwd] => 1234567
6,160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5,640 [pwd] => password
5,446 [pwd] => 12345
5,392 [pwd] => $#GBERBSTGBR%GSERHBSR
5,058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5,024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4,861 [pwd] => aethAEHBAEGBAEGEE%
4,317 [pwd] => 123
4,281 [pwd] => 123qwe
4,133 [pwd] => 123admin
4,092 [pwd] => 12345qwe
4,086 [pwd] => 12369874
3,880 [pwd] => 123123
3,831 [pwd] => 1234qwer
3,814 [pwd] => 1234abcd
3,787 [pwd] => 123654
3,751 [pwd] => 123qwe123qwe
3,744 [pwd] => 123abc
3,623 [pwd] => 123qweasd
3,606 [pwd] => 123abc123
3,422 [pwd] => 12345qwert
Most of these should be expected actually, it’s only what we’ve been reporting for a while.
What does stand out are these:
6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4861 [pwd] => aethAEHBAEGBAEGEE%
Looking at some of our resources we have found these across a few wordlists which sounds very odd. The most obvious argument is, well crud, they are just randomly generated, right? But then you look at the number of sites it was tried against, that’s where it doesn’t make sense.
Almost feels like we’re missing something that they know.. hummmm.. then again it could be over thinking and we should just be glad they are blocked.
Top Scanner IP
Here is a bit more information for those managing their own servers and hosts. Here are the top 30 malicious IP addresses being used in the various attacks:
#number of attempts – IP Address
41315 31.184.238.38
10004 178.151.216.53
9817 91.224.160.143
8773 195.128.126.6
6838 85.114.133.118
6624 177.125.184.8
5896 89.233.216.203
5534 89.233.216.209
5469 109.230.246.37
5364 188.175.122.21
5110 46.119.127.1
4485 176.57.216.198
4205 173.38.155.22
4114 67.229.59.202
3956 94.242.237.101
3460 209.73.151.64
3443 212.175.14.114
3294 78.154.105.23
3162 50.116.27.19
3054 195.128.126.114
2740 78.153.216.56
2732 31.202.217.135
2661 204.93.60.182
2520 173.38.155.8
2371 204.93.60.75
2303 50.117.59.3
2301 209.73.151.229
2287 216.172.147.251
2234 204.93.60.57
2227 94.199.51.7
2215 204.93.60.185
Should you be concerned?
Depends, what have you implemented to protect yourself against these attacks? The thing to understand about these attacks is that they play on the biggest WordPress vulnerability, you, the end-user. You have to be doing your part, specifically when leveraging good passwords.
If you aren’t, then yes, we’d say it’s worth being a bit concerned about. Especially if any of the data above looks familiar. Some things to consider looking at include solutions like a web application firewall (WAF) similar to our CloudProxy product or ModSecurity to block these attacks before they reach your site / server resources.