A Distributed WordPress Cracking Attack
If you’re running a server connected to the Internet, it’s under constant attack from crackers who want to steal personal or business data, or to turn your computer into a launch point for attacks on other computers. Windows and Linux hosts are targeted alike.
The Attack
I noticed this particular attack as a series of log entries on my web server several months ago after installing WordPress Fail2Ban (wpf2b), which creates log entries for several types of attacks on WordPress sites.
The number of these attacks was staggering: journal entries showed several thousand attempts per day. The source IP addresses span the world, with a large share originating from widely dispersed locations in China.
I’ve been using Fail2Ban for years to protect my firewall host from many types of attacks, particularly brute-force SSH login attempts. I’ve also been using it on my web server to detect and block some HTTP and SMTP attacks. But these attacks are specific to WordPress, and I needed a way to block them.
Once wpf2b writes its entries to the systemd journal and the /var/log/messages file, Fail2Ban can find them when it scans the logs. I just needed to set up a jail for them.
During some recent research, I found a number of articles that explore this attack in some detail. One of those articles, “Password-cracking botnet has taken over WordPress sites to attack using the visitor’s browser,” on Tom’s Hardware, describes the attack as a distributed brute-force password attack against WordPress sites in order to compromise them. Once a site is compromised, malicious script injected into it runs in the browsers of the site’s visitors, and those browsers are then used to find and attack more WordPress sites by brute-force password guessing.
Protection
Protection from these attacks is mostly straightforward for site admins and end users alike. Both clients and servers should always be kept current with all system updates. On the server side, ensure that WordPress and all installed plugins are current with all available patches. And use strong, unique passwords, since this is a brute-force attack that works by guessing them.
There are some additional explicit steps to take.
NoScript
On the client side, a browser extension such as NoScript helps by allowing only explicitly trusted web sites to run JavaScript in the browser. Scripts from all other sites are blocked, including any injected into a compromised WordPress site.
Fail2Ban
The server should also have a firewall configured to deal with such attacks. This usually means some form of dynamic firewall rule management such as Fail2Ban. In conjunction with the WordPress Fail2Ban plugin, it can block most of the repeated login attempts from a given source before a password is guessed.
I’ve mentioned Fail2Ban a few times already. What is it?
Fail2Ban is an interesting and important tool for securing Linux systems. It adds a dynamic capability to the Linux firewall. By scanning the systemd journal and log files, it finds entries that indicate failed login attempts or attempts to exploit known vulnerabilities. If a specified trigger number of such entries (maxretry) from any single IP address is detected within a specified period of time (findtime), Fail2Ban adds a firewall rule that bans that IP address for a defined period (bantime). After that period expires, it removes the rule and unbans the address.
Here are a few typical log messages created by WPFail2Ban as a result of these attacks.
Feb 15 06:08:39 yorktown.both.org wordpress[4129]: Authentication failure for XXXXXXX from 102.212.246.66
Feb 15 06:10:14 yorktown.both.org wordpress[731734]: Authentication failure for XXXXX from 185.225.22.28
Feb 15 06:14:57 yorktown.both.org wordpress[4129]: Authentication failure for XXXXXXXXX from 57.130.20.252
Feb 15 07:07:01 yorktown.both.org wordpress[2395]: XML-RPC authentication failure for XXXXXXX from 43.229.86.17
Feb 15 07:07:07 yorktown.both.org wordpress[731730]: XML-RPC authentication attempt for unknown user XXXXXXX from 101.0.79.10
Feb 15 07:08:07 yorktown.both.org wordpress[731718]: XML-RPC authentication failure for XXXXXXX from 101.0.79.10
Feb 15 07:09:21 yorktown.both.org wordpress[983660]: XML-RPC authentication attempt for unknown user XXXXXX from 50.6.7.129
Feb 15 07:09:34 yorktown.both.org wordpress[2395]: Authentication failure for XXXX from 103.74.118.202
Feb 15 07:10:17 yorktown.both.org wordpress[1768]: XML-RPC authentication failure for XXXXX from 208.109.39.153
Feb 15 07:11:55 yorktown.both.org wordpress[1709]: XML-RPC authentication failure for XXXXXX from 135.236.141.150
Feb 15 07:12:18 yorktown.both.org wordpress[983674]: XML-RPC authentication failure for XXXXXX from 66.116.196.26
These are only a few of the entries in the systemd journal on my server that record attacks on WordPress. Note that many of them arrive through the XML-RPC interface rather than the normal login form. However, with Fail2Ban dynamically modifying my firewall, the number of logged attempts to crack WordPress has dropped to only a few hundred in any given 24-hour period.
Of course the number of logged attacks decreased as IP addresses became blocked. Those hosts were probably still initiating attacks, but the firewall dropped their traffic before the requests reached WordPress and were logged.
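To make the jail mechanics concrete, here is an added example (not code from the original post, and not the wp-fail2ban plugin’s own filter) that re-implements the Fail2Ban decision loop in Python and runs it over log lines in the same format as those shown above. The failregex patterns are written the way a Fail2Ban filter would write them, with the <HOST> placeholder; the jail thresholds (maxretry, findtime, bantime), the year assumed for the syslog timestamps, and the sample log with RFC 5737 documentation addresses are all constructed for the example and are assumptions, not the author’s configuration.

```python
"""Replay wp-fail2ban style log lines through a Fail2Ban-like jail.

Added example: shows how a filter's failregex plus a jail's
maxretry/findtime/bantime turn scattered log entries into a ban.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2Ban filters use a <HOST> placeholder; this is a simplified IPv4-only
# stand-in for the regex Fail2Ban substitutes (the real one also accepts
# IPv6 addresses and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex-style patterns for the three message forms visible in the post.
# Assumption: other events the plugin can log are not covered here.
FAILREGEX = [
    r"Authentication failure for \S+ from <HOST>$",
    r"XML-RPC authentication failure for \S+ from <HOST>$",
    r"XML-RPC authentication attempt for unknown user \S+ from <HOST>$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Syslog-style prefix: "Feb 15 07:07:01 host wordpress[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"wordpress\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample log (documentation IPs, not real attackers).
SAMPLE_LOG = """\
Feb 15 07:07:01 www.example.org wordpress[2395]: XML-RPC authentication failure for admin from 198.51.100.10
Feb 15 07:07:07 www.example.org wordpress[731730]: XML-RPC authentication attempt for unknown user editor from 198.51.100.10
Feb 15 07:08:07 www.example.org wordpress[731718]: XML-RPC authentication failure for admin from 198.51.100.10
Feb 15 07:09:21 www.example.org wordpress[983660]: XML-RPC authentication attempt for unknown user wp from 203.0.113.5
Feb 15 07:09:34 www.example.org wordpress[2395]: Authentication failure for root from 203.0.113.5
Feb 15 07:10:17 www.example.org wordpress[1768]: Pingback requested from 203.0.113.5
Feb 15 07:30:00 www.example.org wordpress[1768]: Authentication failure for root from 203.0.113.5
Feb 15 08:10:00 www.example.org wordpress[1709]: Authentication failure for admin from 198.51.100.10
"""


def parse_line(line, year=2024):
    """Return (timestamp, ip) for a line matching a failregex, else None.

    Syslog timestamps carry no year, so one is assumed (like Fail2Ban does).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    for rx in COMPILED:
        h = rx.match(m.group("msg"))
        if h:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, h.group("host")
    return None  # e.g. a pingback notice: logged, but not a failure


def find_bans(lines, maxretry=3, findtime=600, bantime=3600):
    """Emit (ip, ban_at, unban_at) whenever an IP reaches maxretry
    matches within findtime seconds; the ban lasts bantime seconds.
    Lines from a currently banned IP are skipped, as the firewall would
    drop that traffic before it reached the web server.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts >= banned_until[ip]:
            del banned_until[ip]          # bantime elapsed: unban
        if ip in banned_until:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()              # drop entries older than findtime
        if len(window) >= maxretry:
            unban_at = ts + timedelta(seconds=bantime)
            banned_until[ip] = unban_at
            bans.append((ip, ts, unban_at))
            window.clear()                # start counting afresh after unban
    return bans


if __name__ == "__main__":
    for ip, ban_at, unban_at in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} at {ban_at} until {unban_at}")
```

With the defaults above, 198.51.100.10 is banned at its third failure within ten minutes, while 203.0.113.5 never is: its third failure arrives after the first two have aged out of the findtime window, and the pingback line is not a failure at all. The same three numbers are what you tune in the jail definition; a low maxretry with a long bantime is what drove the logged attempt count down on the author’s server.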
Conclusion
These attacks on WordPress are brutal and unrelenting. Although the attackers can’t be stopped from trying, appropriate preventive measures improve the odds that their attempts fail. The easiest way to start is to keep all systems up to date with the latest patches and to use strong passwords. Additional measures, such as the ones suggested here, can improve your defenses considerably.
So far it seems to be all about building a botnet to be used, perhaps in the near future, for further malicious behavior. What that might be is impossible to determine, but it will certainly be nasty.