WordPress Brute Force Scare

Hello everyone,

I wanted to spend a few minutes and try to illuminate this “everyone is stealing your passwords” scare over the last few days. Most of you may know about “The Naughty List,” where I have been keeping tabs on some of the bad things that go on.

First of all, I don’t consider a Brute Force attack an attempt to steal anything. Someone or something takes some wild guesses thousands of times in hopes that it guesses something eventually. It’s like someone coming to my house with a million keys and trying each one to see if any work. This method is far different than a skilled lock-picker with tools attempting to gain entry to my house.

Right now, and almost always, scripts from Asia are constantly bombarding servers and trying to guess the administrator password. This is one of the main reasons why you always want to use a good password, something that is difficult to guess. This is a common occurrence and should be absolutely no reason for panic. Before the last few days, when this “scare” happened, my server was getting bombarded pretty regularly. Check out the naughty list stats! After the scare went so public and CloudFlare claimed to have patched the internet, I started to notice a shift in the amount and frequency of attacks on my servers. Things slowed down… a lot!

Take a look at one of the custom logs my naughtylist generates. This IP address slowed its brute force attempts on my WordPress site, but was still hitting it every once in a while. The log file illuminates the dark-script’s doings:

ERROR 401 : [2013-04-07 01:51:59] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 03:23:55] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 05:00:37] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 06:38:56] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 08:08:22] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 09:41:15] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 11:13:38] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 12:49:17] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 14:28:10] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 16:04:26] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 17:40:51] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 19:13:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 20:47:40] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-07 22:29:23] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 00:16:29] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 01:56:41] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 03:39:12] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 05:13:57] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 06:51:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 08:28:36] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 10:06:06] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 11:42:01] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 13:25:23] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 15:05:13] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 16:44:49] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 18:32:42] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 20:30:25] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 22:10:13] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-08 23:47:32] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-09 01:23:03] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-09 03:02:45] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-09 04:39:14] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-09 06:19:53] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-09 07:56:14] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-09 09:36:10] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-10 02:05:46] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-10 04:02:13] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-10 07:49:15] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 13:26:53] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 14:25:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 15:23:30] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 16:20:59] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 17:14:58] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 18:14:03] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 19:10:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 20:14:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 21:25:33] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 22:35:45] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-11 23:45:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 00:54:50] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 03:47:49] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 04:55:33] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 06:04:14] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 07:12:43] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 08:21:25] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 09:37:22] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 10:52:44] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 12:07:46] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 13:22:22] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 14:33:57] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 15:44:28] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 16:54:28] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 18:04:18] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 19:14:01] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 20:24:06] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 21:34:35] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 22:43:30] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-12 23:52:14] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 01:00:32] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 02:08:44] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 03:17:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 04:25:53] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 05:36:24] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 06:46:55] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 07:58:08] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 09:08:37] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 10:19:30] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 11:29:46] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 12:40:52] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 13:52:30] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 15:05:11] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 16:15:28] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 17:25:41] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 19:46:30] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 20:56:52] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 22:07:52] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-13 23:18:24] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 00:29:05] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 01:39:39] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 02:50:16] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 04:01:05] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 05:11:58] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 06:22:58] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 07:35:39] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 08:47:03] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 09:58:49] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 11:10:38] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 12:21:50] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 13:32:51] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 14:43:34] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 15:54:30] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 17:05:32] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 18:16:32] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 19:27:31] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 20:38:08] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 21:48:56] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-14 22:59:26] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-15 00:10:58] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-15 01:21:11] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118
ERROR 401 : [2013-04-15 02:31:49] WordPress Error: 401 UNAUTHORIZED User: admin From: 85.114.133.118

Clearly, we can see that the IP address in question, 85.114.133.118 from Germany, has attempted to brute force my blog by guessing the administrator password. Lucky for me, my site doesn’t have an “admin” account, so really it’s just wasting its time. What IS scary and worth noting is the time stamps of each attempt. Previous to the “scare,” IP addresses like the German one previously mentioned would hammer my servers thousands of times in a matter of hours. Looking at the time stamps, we can see that this German IP address is trying one password at a time about every 71 minutes +/- 1 min.

This is an Anti-Forensic trick in an attempt to continue brute forcing without being detected. The attacker believes that if it slows down the number and frequency of attempts, it runs a lesser risk of being blocked, detected, or reported. This IP address is amazingly persistent, and the persistence of this threat is one to take seriously.
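One way to catch this kind of pacing, added here as an example and not taken from the author's naughtylist code: count failures per source over both a short window and a multi-day window, so a source that never trips a rate limit still stands out. The thresholds, function names and the sample addresses (documentation ranges) are assumptions; only the log line format comes from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Line format of the custom 401 log shown above; FMT rebuilds it for the sample.
LINE_RE = re.compile(r"\[(?P<ts>[\d-]+ [\d:]+)\] WordPress Error: 401 UNAUTHORIZED "
                     r"User: \S+ From: (?P<ip>\S+)")
FMT = "ERROR 401 : [{:%Y-%m-%d %H:%M:%S}] WordPress Error: 401 UNAUTHORIZED User: admin From: {}"

def parse(lines):
    """Return {ip: sorted failure timestamps}, skipping lines that do not match."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def max_in_window(times, window):
    """Largest number of events inside any sliding window (times sorted)."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(times, burst=(5, timedelta(minutes=10)), slow=(10, timedelta(days=3))):
    """'burst', 'low-and-slow' or 'quiet'; both thresholds are assumed values."""
    if max_in_window(times, burst[1]) >= burst[0]:
        return "burst"
    if max_in_window(times, slow[1]) >= slow[0]:
        return "low-and-slow"
    return "quiet"

def median_gap_minutes(times):
    """Median spacing between consecutive attempts in minutes (times sorted)."""
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None

def sample_log():
    """Constructed sample: a paced source, a burst source, one stray failure."""
    base = datetime(2013, 4, 12)
    slow = [FMT.format(base + timedelta(minutes=71 * i), "198.51.100.9") for i in range(24)]
    fast = [FMT.format(base + timedelta(seconds=2 * i), "203.0.113.7") for i in range(30)]
    return slow + fast + [FMT.format(base, "192.0.2.44")]

def report(lines):
    return {ip: classify(ts) for ip, ts in parse(lines).items()}
```

Calling `report()` on the lines of a real log file gives one verdict per source address; a near-constant `median_gap_minutes()` value for a "low-and-slow" source points to a scripted timer rather than a person mistyping a password.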

Now, after reading about how CloudFlare saved us all by “patching the internet”, I got pretty sick over the inaccuracies and “fanciful” declarations about what is going on. I wanted to put in my two cents for those who may have reservations about the article. The truth of it is, these scripts have been around for a long time, always out looking for what is running on standard ports or URLs. It is simple to write a script that looks for http://domain.com/wp-login.php and attempts to get in as “admin.” The trick is to host services on non-standard ports (if you are so permitted) and to not use default usernames.

A Brute Force attack is probably one of the biggest wastes of time in the “hacker” world. They take lots of time, rarely are they fruitful, and they are easily prevented. So long as you have policies in place to prevent exorbitant failed login attempts, a unique username and a password that is not easy to guess, you shouldn’t worry. Fail2Ban is a great program to look into if you need to implement some policies.

If you have an Admin account with password test123, you may want to take this brute force scare seriously. If the attacker does get into your WordPress account, it is entirely possible for him to compromise your site and tie it to a botnet. That part of the CloudFlare article is technically correct. Once remotely controlled, your site could be contributing to and acting as an agent in an attack on another node on the internet. You don’t want your site or IP addresses associated with anything like that!
