
wp-login.php attack

Discussion in 'General Discussion' started by sahostking, Jun 17, 2015.

  1. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Hi guys,

    As a shared host we have mod security installed with Atomic rules, which pick all this up. However, the constant hits on these rules do seem to slow down the server if it occurs on more than one site at a time. It looks like it happens every 2 to 3 seconds.

    Code:
    194.226.8.168 - - [17/Jun/2015:12:21:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:21.0) Gecko/20140815 Firefox/32.0"
    37.218.187.41 - - [17/Jun/2015:12:20:59 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_6; en-US) AppleWebKit/587.16 (KHTML, like Gecko) Chrome/10.0.468.226 Safari/586.16"
    92.62.78.160 - - [17/Jun/2015:12:21:11 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.9.93 Version/10.4"
    178.126.39.170 - - [17/Jun/2015:12:21:12 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.47 Version/12.7"
    164.127.202.17 - - [17/Jun/2015:12:21:14 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20110101 Firefox/10.0"
    77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.2.223 Version/11.3"
    178.120.99.159 - - [17/Jun/2015:12:21:01 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20130815 Firefox/14.0"
    77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:9.0) Gecko/20110815 Firefox/31.0"
    77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.176 Version/10.8"
    178.124.23.225 - - [17/Jun/2015:12:21:08 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.5.13) Gecko/20100929"
    109.228.209.210 - - [17/Jun/2015:12:21:08 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/22.0"
    77.120.149.232 - - [17/Jun/2015:12:21:03 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20120101 Firefox/6.0"
    145.255.173.22 - - [17/Jun/2015:12:21:10 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:3.0) Gecko/20130101 Firefox/5.0"
    95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:7.0) Gecko/20130815 Firefox/6.0"
    186.213.75.109 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20140101 Firefox/4.0"
    95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.226 Version/11.4"
    14.168.179.230 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.1.249 Version/10.7"
    #1 sahostking, Jun 17, 2015
    Last edited by a moderator: Jun 17, 2015
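The log above, run through a small aggregation script, as an added example that is not part of the original post and not code from cPanel, CSF or ModSecurity: it parses Apache combined-format lines, counts POSTs to /wp-login.php per source IP, and compares that with the request rate on the path across all IPs in a sliding window. The sample input reuses eleven of the lines quoted above plus two constructed lines (an ordinary GET and a 403); the per-IP threshold and the window size are assumed values for illustration, not CSF or Atomic rule defaults.

```python
"""Aggregate wp-login.php POSTs from an Apache combined-format access log."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format, matching the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: eleven lines copied from the post above, plus two constructed
# lines for contrast (an ordinary GET, and a 403 such as a WAF deny produces).
SAMPLE_LOG = """\
194.226.8.168 - - [17/Jun/2015:12:21:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:21.0) Gecko/20140815 Firefox/32.0"
37.218.187.41 - - [17/Jun/2015:12:20:59 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_6; en-US) AppleWebKit/587.16 (KHTML, like Gecko) Chrome/10.0.468.226 Safari/586.16"
92.62.78.160 - - [17/Jun/2015:12:21:11 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.9.93 Version/10.4"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.2.223 Version/11.3"
178.120.99.159 - - [17/Jun/2015:12:21:01 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20130815 Firefox/14.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:9.0) Gecko/20110815 Firefox/31.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.176 Version/10.8"
77.120.149.232 - - [17/Jun/2015:12:21:03 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20120101 Firefox/6.0"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:7.0) Gecko/20130815 Firefox/6.0"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.226 Version/11.4"
14.168.179.230 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.1.249 Version/10.7"
203.0.113.5 - - [17/Jun/2015:12:21:30 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [17/Jun/2015:12:21:05 +0200] "POST /wp-login.php HTTP/1.0" 403 199 "-" "Mozilla/5.0 (constructed)"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse every non-empty line; unparseable lines are skipped, not fatal."""
    entries = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in entries if e is not None]


def login_posts(entries, path="/wp-login.php"):
    """Keep only POSTs to the login endpoint (the requests that cost PHP time)."""
    return [e for e in entries if e["method"] == "POST" and e["path"] == path]


def per_ip_counts(entries):
    """Requests per source IP: the view a per-IP blocker such as CSF works from."""
    return Counter(e["ip"] for e in entries)


def peak_window_count(entries, window_seconds=10):
    """Largest number of requests falling in any sliding window of the given width."""
    times = sorted(e["time"] for e in entries)
    width = timedelta(seconds=window_seconds)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] >= width:  # window is [start, start + width)
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(entries, per_ip_threshold=5, window_seconds=10):
    """Compare the per-IP view with the per-path view over the same requests."""
    counts = per_ip_counts(entries)
    return {
        "total": len(entries),
        "unique_ips": len(counts),
        "ips_over_threshold": sorted(ip for ip, n in counts.items() if n >= per_ip_threshold),
        "peak_window_count": peak_window_count(entries, window_seconds),
        "status_counts": Counter(e["status"] for e in entries),
    }


if __name__ == "__main__":
    posts = login_posts(parse_log(SAMPLE_LOG))
    report = summarize(posts, per_ip_threshold=5, window_seconds=10)
    print(f"{report['total']} login POSTs from {report['unique_ips']} IPs")
    print(f"IPs at/over the per-IP threshold: {report['ips_over_threshold'] or 'none'}")
    print(f"peak POSTs in any 10 s window (all IPs): {report['peak_window_count']}")
    print("status codes:", dict(report["status_counts"]))
```

Per IP, only 77.120.149.232 gets past a handful of hits, so a per-IP counter of the kind CSF keeps never trips on this sample; the eight POSTs landing in one ten-second window across all IPs are the signal a per-path rate limit or an alert would act on. The status column is worth reading the way the script does: a request that a ModSecurity rule denies is logged with the rule's deny status (403 unless the rule sets another), so a 200 on /wp-login.php means WordPress actually processed that login attempt.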
  2. Tom Risager

    Tom Risager Well-Known Member

    Joined:
    Jul 10, 2012
    Messages:
    107
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Copenhagen, Denmark
    cPanel Access Level:
    Root Administrator
    That looks like a distributed attack, originating from many different IP addresses. As far as I know there is no reasonable way to deal with those via ModSecurity.
  3. LostNerd

    LostNerd Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    258
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Hastings, East Sussex, UK
    cPanel Access Level:
    Root Administrator
    I recommend a free WordPress plugin called Wordfence in addition to your server-side rules. It'll keep an eye out for attacks like this and take the predetermined actions depending on your settings.
  4. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    623
    Likes Received:
    6
    Trophy Points:
    18
    You may also consider allowing only certain IPs on the wp-login.php page and returning 403 to the rest of the IPs:
    add the following to your .htaccess file in your WP site root directory (usually public_html)
    add your IP instead of xxx.xxx*****

    I'm also using Config Server Firewall; it is capable of blocking many bulk IP tries and also IPs that are getting too many 403 or 401 errors.., even "Network class C 1*.*.*.0/24 has been blocked", so CSF can maybe also block a /24 subnet (probably not your case).

    I'm also using this mod security rule to deny 401 accesses without a referer:
    PS: Doesn't code "200" in the access log you showed mean that this visit is not denied (by mod security or by the htaccess rule)?
    #4 postcd, Jun 17, 2015
    Last edited: Jun 17, 2015
  5. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Did all that already. Got CSF and already have a rule like that. But still, because it's constantly different IPs, I guess there is nothing that can be done unless the file is hit by the same IP a certain number of times.

    Thanks though.
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You may also want to consult with your provider to see if there are any steps they can take to help prevent this type of attack from the network level.

    Thank you.