• Good afternoon –

    Seeing something on one of our recent sites that is concerning me a little bit, just would like to know what exactly is going on, if I need to be worried, etc.

    So recently one of my sites got smacked by a huge influx of attacks/injections/login attempts, which Wordfence handled well. After everything died down, a full scan shows no problems, no malware, etc. But now I’m getting hit almost every 15-20 seconds with a {login} user login attempt. I’ve added that string to the blacklist, but I’m still seeing a ton of traffic attempting to log in here.

    Similar to another site a few months back that got hit (got through Wordfence that time around), the bots are all doing one specific thing. In the other case, they had modified the site completely in less than five minutes – a couple of minutes after that I jumped into the server, removed everything, database, clean sweep, etc., and restored from a backup. But I still get tons of bot traffic to nonexistent directories on the website, specifically /krobl/ and /aloir/.

    Is it just a botnet that learns directories after an attack, or learns a certain process/etc.? I’m just concerned because in the several years I’ve played with WordPress I’ve never seen anything spam {login} as a user, so I’m wondering if it’s a new exploit or something. Any insight or advice would be greatly appreciated, just for my peace of mind.

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfphil

    (@wfphil)

    Hello,

    Below is an image from our February 2017 Attack Report blog entry, detailing brute force attacks. As you can see there was a significant increase in brute force attacks towards the end of February. Your experience may be a sign that this trend is continuing.

    [Image: Blocked Brute Force Attacks February 2017]

    If you haven’t done so already you may find our documentation on Login Security Options helpful:

    Login Security Options

    Solutions? Country blocking has a major effect on reducing login attacks, if you can block China, Ukraine, Russia etc., hiding the URL helps as well since the bots will just get an error. Also, be sure to enter a few hundred attack URLs in the “Immediately Block” space under Wordfence Options; this acts as a honey pot. You can harvest those URLs from your server error logs. I made a hobby of it for a few months and get very good results, though I still don’t understand why Wordfence is not blocking many of those, as they’re very obvious. In my case, I set all my blocking to 48 hours, which really helps. Some defense in the .htaccess file is good as well (see Google for tons of suggestions), and be sure you have a server firewall that blocks FTP and SSH failed login attempt IP numbers for a significant time, as those same IPs are also frequently used for WordPress login attacks.

    MTN
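    The reply above suggests harvesting probe URLs from the server logs for Wordfence’s “Immediately Block” list, and the original post describes the two symptoms such a harvest has to tell apart: repeated POSTs to wp-login.php from one client, and requests for directories that do not exist (/krobl/ and /aloir/). The script below is an added example, not code from Wordfence or from anyone in this thread. It parses a handful of constructed combined-format access log lines (the IP addresses and timestamps are invented), flags IPs that hammer the login form, and collects 404 paths only from clients that never received a single successful response, so a visitor following a stale link is not turned into a block rule. The NEVER_BLOCK_PREFIXES allowlist is a hypothetical choice for this example: a 404 under /wp-content or /wp-admin is usually a broken asset, not a probe, and blocking it would lock out real users.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" format. Not real traffic;
# addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2017:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2017:10:00:20 +0000] "GET /krobl/ HTTP/1.1" 404 209 "-" "python-requests/2.13"
198.51.100.7 - - [02/Mar/2017:10:00:21 +0000] "GET /aloir/ HTTP/1.1" 404 209 "-" "python-requests/2.13"
198.51.100.7 - - [02/Mar/2017:10:00:22 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 209 "-" "python-requests/2.13"
192.0.2.9 - - [02/Mar/2017:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Mar/2017:10:01:05 +0000] "GET /old-page/ HTTP/1.1" 404 209 "https://example.org/" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2017:10:00:35 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist for this example: a 404 under these prefixes is a
# missing asset or upload on a real WordPress install, never a scanner probe,
# and must not end up in an "Immediately Block" list.
NEVER_BLOCK_PREFIXES = ("/wp-admin", "/wp-content", "/wp-includes",
                        "/wp-login.php", "/wp-json")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def login_attempts_by_ip(records, threshold=3):
    """Return {ip: count} for clients that POSTed to wp-login.php at least `threshold` times.

    This is the "every 15-20 seconds" pattern from the original post, seen from
    the server side. Feed the IPs to a firewall or Wordfence block, not the path.
    """
    counts = Counter(
        r["ip"] for r in records
        if r["method"] == "POST" and r["path"].split("?")[0] == "/wp-login.php"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def probe_paths(records):
    """Return sorted 404 paths requested by clients that never got a 2xx response.

    A human following a stale link normally loads at least one real page; a
    scanner walking a list of candidate paths collects nothing but 404s. Only
    the scanners' paths are harvested, and allowlisted prefixes are dropped.
    """
    saw_success = {r["ip"] for r in records if 200 <= r["status"] < 300}
    paths = set()
    for r in records:
        if r["status"] != 404 or r["ip"] in saw_success:
            continue
        path = r["path"].split("?")[0]
        if path.startswith(NEVER_BLOCK_PREFIXES):
            continue
        paths.add(path)
    return sorted(paths)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("login hammering:", login_attempts_by_ip(recs))
    print("probe paths for the block list:")
    for p in probe_paths(recs):
        print("  " + p)
```

    Run against a real access log, the probe list is what goes into the “Immediately Block” box (one path per line), while the IP counts are what a fail2ban-style rule or the server firewall should act on; keep the two separate, since blocking a path that real users can legitimately hit is a self-inflicted outage.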

  • The topic ‘Extreme amount of {login} attempts?’ is closed to new replies.