Atari-Frosch
Forum Replies Created
Well … now the old values have been deleted, but the new ones are not better. In my main blog which gets attacked all the time I see only two of the several user names WordFence tells me about, and both are counted only once:
{login} 1
blog 1
It seems the problem is not yet really solved.
Greets, Frosch
Same here. And not only in the report sent by mail, but also in the Dashboard. I just came here to report this, too. Applies to 4 blogs I’m administrating.
I just found the same issue on one of my WordPress blogs (3.8.1), using WordFence 4.0.3. The WordFence messages look like this (x'ing by me, it is not necessary to publish the host's IP and name):
A user with IP address 89.xxx.xxx.xxx has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username '' to try to sign in.
User IP: 89.xxx.xxx.xxx
User hostname: xxxx.xxxxx-xxxxxxxx.com
Yes, right, the username field is empty!
The according log entries in the access.log look like this:
89.xxx.xxx.xxx - - [29/Mar/2014:00:20:48 +0100] "POST /xmlrpc.php HTTP/1.1" 200 1466 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
(Nothing in the error_log!)
So this was not exactly a login attempt as WordFence tells me, but an attempt to replace the xmlrpc.php file. It seems that WordFence is not prepared for an attack like this. It sends out the e-mail about a blocking, but does not actually block the attempts (this host made about 2,000 attempts within 30 minutes, then the attacks stopped).
@esmi: No, it is in fact the same problem. Just with the difference that my password has not been guessed right, so that the attackers weren’t able to enter the dashboard and to change any files. From that I came to the weak passwords, because if it were a vulnerability in WP, my site would have been hacked by now, too.
They tried it on my blog, too:
109.120.159.169 - - [12/Nov/2012:01:28:10 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "https://blog.atari-frosch.de/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.6) Gecko/20050405 Epiphany/1.6.1 (Ubuntu) (Ubuntu package 1.0.2)"
109.120.159.169 - - [12/Nov/2012:08:35:20 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "https://blog.atari-frosch.de/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.452) Gecko/20041027 Mnenhy/0.6.0.104"
109.120.142.20 - - [12/Nov/2012:13:14:33 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "https://blog.atari-frosch.de/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MathPlayer2.0)"
109.120.159.91 - - [12/Nov/2012:13:14:34 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "https://blog.atari-frosch.de/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.2.153.1 Safari/525.19"
WordPress (3.4.2) files have not been changed as far as I can see. Is it possible that they entered the website with admin account and a weak password?
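Detection logic of the kind the two access.log excerpts in these posts call for (the xmlrpc.php flood in the 2014 post and the wp-login.php attempts in the 2012 post), as an added example that is not from the original posts, from WordPress or from WordFence: it parses Apache combined-format lines and flags any client that POSTs to a credential-accepting endpoint (wp-login.php or xmlrpc.php) at least a threshold number of times within a sliding time window. The log lines it runs on are constructed for the example and use documentation IP ranges; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, as in the access.log excerpts quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # endpoints that accept credentials

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]), "ua": m["ua"]}

def find_bursts(lines, threshold=20, window=timedelta(minutes=30)):
    """Map IP -> total login-endpoint POSTs, for IPs with >= threshold POSTs in one window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0                       # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

def sample_log():
    """Constructed sample modelled on the excerpts above (documentation IP ranges)."""
    base = datetime(2014, 3, 29, 0, 20, 48, tzinfo=timezone(timedelta(hours=1)))
    ua = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
    lines = [f'192.0.2.10 - - [{(base + timedelta(seconds=40 * i)).strftime(TS_FMT)}] '
             f'"POST /xmlrpc.php HTTP/1.1" 200 1466 "-" "{ua}"' for i in range(25)]
    t = base.strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{t}] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "{ua}"')
    lines.append(f'198.51.100.7 - - [{t}] "GET /index.php HTTP/1.1" 200 5120 "-" "{ua}"')
    return lines
```

Running `find_bursts(sample_log())` flags only 192.0.2.10 (25 POSTs to xmlrpc.php in 16 minutes); a single wp-login.php POST from 198.51.100.7 stays below the threshold, which is the distinction a lockout rule has to make.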