Standard User camieabz
(sensei) Sat 19-Apr-14 11:35:57

How would you define this attack?


 
5,222 attempts to access 'wp-login.php' from the same IP address in 48 minutes (two per second on average, but six connections per second is typical).

The IP addy in question was 403'ed as logins to wp-login.php are accessible only to one IP addy. It's a read-only blog. ;)

Is this some weird DDoS attempt, and if so, is it testing the response of Apache with regard to connections, and might I expect more of the same?

Or is it just a brute force attempt?

Strange that it was all one IP (in the US as it happens), and after a few 403s, it didn't decide to sod off.
Standard User Lethe
(fountain of knowledge) Sat 19-Apr-14 12:50:20

Re: How would you define this attack?


 
These are 'bot' scans searching for *known* vulnerabilities in certain PHP code bases - I get a load, and got fed up with them, so now I run a script tailing logs and as soon as it sees a request involving 'php' (I don't have any PHP pages on server) it adds the IP to my 'ipsets' firewall. The good thing here is it drops the scan dead (I dunno what happens the other end), so saves a lot of hits and bandwidth.

Since February the list is now 212 IPs.

Nick

Pertinent details removed.

#!/usr/bin/perl
# Nick - 31/01/2014
# Tail the web server log and add any client whose request line matches
# a known scan pattern to the 'bh' ipset.
use strict;
use warnings;

my $log = "/PATH/TO/LOG";

# List-form open and system calls: no shell ever sees text taken from the log.
open(my $tail, '-|', '/usr/bin/tail', '-F', $log)
    or die "ERROR: could not open log file.\n";

while (my $line = <$tail>) {
    # Patterns seen in bot scans (this server hosts no PHP pages).
    next unless $line =~ m{php|xml|/manager/html|w00tw00t|x80w|CONNECT|\?-s|fck|rtpd|roundcube|statics};

    # The first field of the log line is the client address.
    my ($ip) = split ' ', $line;
    next unless defined $ip;

    system('ipset', 'add', 'bh', $ip, '-exist');
    system('ipset', 'save', 'bh', '-f', '/PATH/TO/FILE');
}
close($tail);
# Only reached if tail exits.
system('ipset', 'destroy', 'bh');

Edited by Lethe (Sat 19-Apr-14 12:54:00)
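
A variation on the log-tailing approach in the post above, as an added example that is not part of the thread: it parses Apache common/combined log lines, matches scan patterns against the request path only, and flags an address once it exceeds a rate threshold rather than on the first hit. The log format, the thresholds, the function names and the sample lines are assumptions; only the `bh` set name and the patterns come from the thread.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+)[^"]*" \d{3} ')
# Subset of the thread's patterns, checked against the request path only.
SCAN_PATH = re.compile(r'\.php|/manager/html|w00tw00t|roundcube', re.I)

def parse(line):
    """Return (ip, timestamp, path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m['ip']))  # rejects hostnames and junk
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    except ValueError:
        return None
    return ip, ts, m['path']

def offenders(lines, limit=5, window=timedelta(seconds=10)):
    """IPs, in first-seen order, with more than `limit` scan hits within `window`."""
    recent, flagged = defaultdict(deque), []
    for ip, ts, path in filter(None, map(parse, lines)):
        if not SCAN_PATH.search(path):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged.append(ip)
    return flagged

def ipset_lines(ips, setname='bh'):
    """Render entries for `ipset restore`; 'bh' is the set name used in the thread."""
    return [f'add {setname} {ip}' for ip in ips]

def sample_log():
    """Constructed log lines using documentation-range addresses."""
    hit = '{ip} - - [19/Apr/2014:10:00:{s:02d} +0100] "POST /wp-login.php HTTP/1.1" 403 209 "-" "-"'
    lines = [hit.format(ip='203.0.113.7', s=i // 6) for i in range(12)]  # six per second
    lines.append(hit.format(ip='192.0.2.9', s=3))                        # single stray probe
    lines.append('198.51.100.20 - - [19/Apr/2014:10:00:04 +0100] "GET /index.html HTTP/1.1" '
                 '200 512 "http://example.org/page.php" "Mozilla/5.0"')  # "php" only in referrer
    return lines
```

On the constructed sample only 203.0.113.7 is flagged: the single probe stays under the threshold, and the visitor whose referrer happens to contain "php" is not matched at all.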
