wp-login.php attack

[sahostking]

Hi guys,

As a shared host we have mod security installed with atomic rules which pick all this up. However this constant hit by these rules does seem to slow down the server if it occurs on more than one site at a time. It looks like it happens every 2 to 3 seconds.

194.226.8.168 - - [17/Jun/2015:12:21:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:21.0) Gecko/20140815 Firefox/32.0"
37.218.187.41 - - [17/Jun/2015:12:20:59 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_6; en-US) AppleWebKit/587.16 (KHTML, like Gecko) Chrome/10.0.468.226 Safari/586.16"
92.62.78.160 - - [17/Jun/2015:12:21:11 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.9.93 Version/10.4"
178.126.39.170 - - [17/Jun/2015:12:21:12 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.47 Version/12.7"
164.127.202.17 - - [17/Jun/2015:12:21:14 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20110101 Firefox/10.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.2.223 Version/11.3"
178.120.99.159 - - [17/Jun/2015:12:21:01 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20130815 Firefox/14.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:9.0) Gecko/20110815 Firefox/31.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.176 Version/10.8"
178.124.23.225 - - [17/Jun/2015:12:21:08 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.5.13) Gecko/20100929"
109.228.209.210 - - [17/Jun/2015:12:21:08 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/22.0"
77.120.149.232 - - [17/Jun/2015:12:21:03 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20120101 Firefox/6.0"
145.255.173.22 - - [17/Jun/2015:12:21:10 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:3.0) Gecko/20130101 Firefox/5.0"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:7.0) Gecko/20130815 Firefox/6.0"
186.213.75.109 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20140101 Firefox/4.0"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.226 Version/11.4"
14.168.179.230 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.1.249 Version/10.7"

 

[Tom Risager]

That looks like a distributed attack, originating from many different IP addresses. As far as I know there is no reasonable way to deal with those via Modsecurity.

 

[LostNerd]

I recommend a free wordpress plugin called WordFence in addition to your server-side rules. It'll keep an eye for attacks like this and take the predetermined actions dependent on your settings.

 

[postcd]

You may also consider allowing only certain IP on wp-login.php page and 403 to rest IPs:
add following to your .htaccess file in your WP site root directory (public_html usually)

<Files wp-login.php>
Order deny,allow
Deny from All
Allow from xxx.xxx.xxx.xxx
Allow from yyy.yyy.yyy.yyy
</Files>

add your IP instead of xxx.xxx*****

Im also using config server firewall, it is capable of blocking many bulk IP tries and also IPs that getting too many 403 or 401 errors.., even "Network class C 1*.*.*.0/24 has been blocked", CSF can block also /24 subnet maybe (not your case probably)

Im also using this mod security rule to deny 401 accesses without referer:

SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,nolog,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

PS: Doesnt mean code "200" in your access log you shown, that this visit is not denied (by mod security or by htaccess rule) ?

 

[sahostking]

Did all that already. Got CSF and already have a rule like that. But still because it's constantly different IPs I guess there is nothing can be done unless it hits the file with the same IP in a certain number of times.

Thanks though.

 

[cPanelMichael]

Did all that already. Got CSF and already have a rule like that. But still because it's constantly different IPs I guess there is nothing can be done unless it hits the file with the same IP in a certain number of times.

Hello,

You may also want to consult with your provider to see if there are any steps they can take to help prevent this type of attack from the network level.

Thank you.