WordPress wp-login Brute Force - Kobold Server Update: Boreas and Jasmine

Resolved

15 replies to this topic

#1 MikeDVB

    Forum Administrator

  • Staff Administrator
  • 2,900 posts
  • Gender:Male
  • Location:Central Indiana, USA

Posted 18 February 2014 - 11:54 PM

Update: The Boreas and Jasmine servers also required some action to keep things stable due to this distributed attack.
 
Update 2: We have made a topic here on our forums giving full directions on how to avoid your site becoming a target of this attack.  You can see it here [ http://forums.mddhos...iew-this-topic/ ].
 
Hello,
 
We found that the Kobold server was running a higher than normal load and had lower than normal Idle CPU available.  Upon investigation we found that there were an extremely large number of "wp-login.php" processes running on the server soaking up a fair bit of CPU.  We've seen this before - a distributed brute force attack against WordPress installations.
 
We have, to ensure server stability and account speed, blocked access to the wp-login.php for any affected accounts.  You can, however, allow yourself in and, if needed, remove the block entirely.
 
We created, if it did not exist, or appended to the /home/your-cpanel-username/.htaccess file the following lines:
# The following lines have been put in place by your hosting provider as your site was under a brute force dictionary attack.
# You can provide yourself access to the wp-admin by adding an "Allow from" line with your IP address before the "Deny from all" line.
# If you need to allow multiple users in you can remove the following lines entirely if you need or you can add multiple "Allow from" lines.
#
# If you have any questions about this at all, do please get with your hosting provider for support.
#
<Files "wp-login.php">
Order Allow,Deny
# Uncomment the following line and change the number to your IP address.  You can find your IP address at http://www.whatismyip.php/
# Allow from 123.456.789.012
Deny from all
</Files>
#
#
# End of brute-force block.  If you do wish to remove the block entirely do not remove beyond this line.
You can remove the "#" from the beginning of the 10th line and change the number "123.456.789.012" to your IP address [ http://www.mddhostin.../whatismyip.php / http://www.whatismyip.php/ ].  This will permit you the ability to log into your WP-Admin while keeping attackers out.
 
You can make these changes via FTP (in the "/" folder you will see a file called ".htaccess") or via cPanel -> File Manager [also in "/"], but you may need to set it to show hidden files.
 
Do please understand that if your wp-login.php has been blocked with this code it is because your site was under attack by bots trying to guess your passwords.  We hate to make modifications to client accounts, however, in this case we have been forced to do so to ensure server stability.
 
If you have any questions at all about this do not hesitate to ask.  If the question is specific to your account it is likely best if you open a new support ticket and reference this thread.
 
Thank you!
Michael Denney - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/

#2 MikeDVB

Posted 19 February 2014 - 12:11 AM

For those who may be curious, the blocks were put in place at 23:40 on this graph:

[Image: 2014-02-19_00-10-37.png]

The top graph is Idle CPU and the higher the better.  The bottom graph is server load and the lower the values the better.



#3 JohnUK

    Newbie

  • Members
  • 3 posts

Posted 19 February 2014 - 09:21 AM

Admin Edit:

While Better WP Security is a great plugin if configured properly - this particular issue revolves around "wp-login.php" which is not addressed solely by "Better WP Security".  We have posted a full write-up on stopping this attack/hiding your wp-login and wp-admin in this thread [ http://forums.mddhos...iew-this-topic/ ].

================

 

Hi there,

Plus all WP users really should install this plugin for security: https://wordpress.or...er-wp-security/

And make sure that they use this setting in order to prevent brute-force attacks:

[Image: Screen-Shot-2014-02-19-at-14.15.43.png]

Plus this plugin adds blacklisted domains, emails, etc. to .htaccess ;)

Best


Edited by MikeDVB, 08 March 2014 - 09:32 AM.


#4 MikeDVB

Posted 19 February 2014 - 12:43 PM

We also had to do some blocking on the Boreas server due to this distributed brute-force dictionary attack.



#5 MikeDVB

Posted 19 February 2014 - 10:30 PM

Jasmine is also now experiencing this issue and some blocks have had to be put in place.

[Image: 2014-02-19_22-49-42.png]

Again - the top graph going up is good and the bottom graph going down is also good.



#6 MikeDVB

Posted 19 February 2014 - 10:51 PM

Due to the prevalence of these types of attacks and how distributed they are - it's really not possible to block them using traditional means.  If a site has, for example, 500 log-in attempts to try and brute-force the username and password - it's done via 500 distinct IPs.

I'm brainstorming a method to not only automate these IP blocks to keep the server and accounts stable but also a means to notify the users when it happens so that they can take action.  I really hate to even have to think about something like this from the simple standpoint that it's infuriating that the internet is such a hostile place these days.

If we do code something up to put these blocks in place it would only put a block in place after X log-in attempts over Y amount of time.  In short - normal usage should not ever cause/trigger a block.

Edit: A couple of customers were concerned that somehow somebody had gotten a list of accounts/WordPress installations on our network.  It's extremely easy to get a generic list of WordPress installations by searching Google for things like "wp-login.php" in the URL.  I ran the search myself and came up with 581,000+ results.  The nature of this attack is distributed both in the IPs attacking [trying to log in] as well as the accounts being hit - a few on every server but certainly nowhere near all of them.

I just wanted to put your concerns at rest - this is not due to any sort of security breach on our end - it's simply a distributed log-in attack to guess passwords.  We see these sorts of attacks all day every day, just usually not on this scale.



#7 cziv

    Member

  • Members
  • 52 posts
  • Gender:Male

Posted 20 February 2014 - 10:30 AM

Thanks for the quick solution.

In the last few weeks I have seen several (fewer than 50) attempts to log in to the admin pages of my two WP websites.

But using this:

http://devel.kostdok...-login-attempts

also available on the WordPress.org plugin site, locks everything out.

I would like to point out that ALL IPs blocked were from Russia (the plugin keeps a database of blocked IPs).



#8 MikeDVB

Posted 28 February 2014 - 01:33 PM

When it rains, it pours - this is happening on kobold, echo, and boreas now.

 

We're working on mitigating it.



#9 MikeDVB

Posted 28 February 2014 - 01:50 PM

We've blocked approximately 400 IPs across all three servers.



#10 MikeDVB

Posted 28 February 2014 - 02:00 PM

Up to 760 IPs blocked and climbing.



#11 MikeDVB

Posted 28 February 2014 - 02:06 PM

Crossed 1,200 IPs blocked.



#12 MikeDVB

Posted 28 February 2014 - 02:09 PM

Attack largely mitigated but we're going to continue blocking IPs that are attacking.

[Image: 2014-02-28_14-09-27.png]



#13 MikeDVB

Posted 28 February 2014 - 02:20 PM

We are blocking IPs that have POSTed data to wp-login.php but have *not* requested any CSS files [users accessing the WordPress log-in will have requested and received a CSS file].  Bots do not request anything - they simply post data to wp-login.php and look for a success/fail result.

It is possible there will be some false positives so if you are unable to reach your account/server simply open a ticket with your IP [ http://www.mddhostin.../whatismyip.php ] and we'll remove the block.


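The heuristic described in post #13 (POSTs to wp-login.php from an IP that never fetched a stylesheet), combined with the "X attempts over Y time" threshold floated in post #6, as an added example that is not MDDHosting's actual blocking code. It scans Apache combined-format access log lines, which are assumed here and constructed for the example; the threshold values, the function names and the use of Apache 2.2-style "Deny from" output (matching the Order Allow,Deny block in the first post) are all my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined"-style access log line (assumed format); only the fields the
# heuristic needs are captured. Query strings are stripped from the path later.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one bot hammering wp-login.php with no CSS fetch, one
# human admin who loaded the login page (and its stylesheet) before posting,
# and one slow bot that stays under the default threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2014:13:40:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [28/Feb/2014:13:40:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [28/Feb/2014:13:40:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [28/Feb/2014:13:40:07 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [28/Feb/2014:13:40:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [28/Feb/2014:13:40:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.9 - - [28/Feb/2014:13:41:00 -0500] "GET /wp-login.php HTTP/1.1" 200 3410
198.51.100.9 - - [28/Feb/2014:13:41:00 -0500] "GET /wp-admin/css/wp-admin.css?ver=3.8.1 HTTP/1.1" 200 121034
198.51.100.9 - - [28/Feb/2014:13:41:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.9 - - [28/Feb/2014:13:41:25 -0500] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [28/Feb/2014:13:42:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.55 - - [28/Feb/2014:13:42:30 -0500] "POST /wp-login.php HTTP/1.1" 200 3521
""".splitlines()


def parse_line(line):
    """Return the fields the heuristic needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?ver=... so .css still matches
        "status": int(m["status"]),
    }


def find_bruteforce_ips(lines, max_posts=5, window_seconds=300):
    """Flag IPs that POSTed to wp-login.php at least `max_posts` times within any
    `window_seconds` span and never requested a stylesheet. Returns {ip: count}.
    The thresholds are assumed values, not the host's."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)   # ip -> timestamps of POSTs to wp-login.php
    fetched_css = set()         # ips that requested any *.css (browser-like)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith(".css"):
            fetched_css.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in posts.items():
        if ip in fetched_css:
            continue                     # looked like a browser; never block
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= max_posts:
                flagged[ip] = hi - lo + 1
                break
    return flagged


def deny_directives(flagged):
    """Render flagged IPs as Apache 2.2-style 'Deny from' lines, the same
    Order Allow,Deny vocabulary the thread's .htaccess snippet uses."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(flagged))


if __name__ == "__main__":
    hits = find_bruteforce_ips(SAMPLE_LOG)
    print(hits)                  # {'203.0.113.7': 5}
    print(deny_directives(hits))
```

With the defaults only 203.0.113.7 is flagged: the admin at 198.51.100.9 fetched wp-admin.css and is exempt regardless of how many times they mistype a password, and the slow bot at 192.0.2.55 stays under five POSTs. Two caveats a practitioner should expect before automating blocks from this: a browser that already has the stylesheet cached with a long expiry may never send a .css request, and many users behind one NAT or proxy share a source IP, so a threshold-based block on that IP locks all of them out. Both are sources of the false positives the thread itself mentions.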

#14 MikeDVB

Posted 28 February 2014 - 02:38 PM

All blocks flushed - modified the detection method to help eliminate false positives.



#15 MikeDVB

Posted 08 March 2014 - 08:58 AM

Unfortunately we've been once again forced to take action.

[Image: 2014-03-08_08-55-15.png]

It's clear when the brute-force started back up and when we were able to start blocking the issue.  If you do end up seeing a 403 for your wp-admin/wp-login this means that you were in the top 10 accounts being hit the most and we would suggest following the steps outlined in this thread on our forums: http://forums.mddhos...iew-this-topic/



#16 MikeDVB

Posted 29 March 2014 - 02:16 PM

We had to put some more blocks in place on the Kobold server:

[Image: 2014-03-29_15-15-15.png]

If you see a 'Forbidden' error accessing your wp-admin, that means your account was under attack - we do suggest reading the very first post in this thread as well as seeing this thread to prevent this in the future:

http://forums.mddhos...iew-this-topic/






