Multiple attempts to hack into wp-login from same IP

florin
Junior Member
Posts: 4
Joined: 16 Jan 2013, 13:12

Re: Multiple attempts to hack into wp-login from same IP

Post by florin »

Hello,

So... it is happening on our servers too ... targeting only WP-login. Just hit about 10 of our servers.

Multiple HTTP requests on wp-login.php. We managed to block the IP's and we also put a "die" in wp-login.php temporarily.

How can we block this ?
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Re: Multiple attempts to hack into wp-login from same IP

Post by peterelsner »

Here are my settings.

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

These IP's do NOT show up in any MOD SEC logs.

Mod Security is NOT catching these since they are only calling a direct link to wordpress login URL's. IE: hXXp://www.domainname.tld/wp-login.php

So Mod Security is not going to help here.
This is an attack that I'm pretty sure csf does not yet detect. That's why I asked if it was possible.
kdean
Junior Member
Posts: 12
Joined: 09 Apr 2013, 23:14

Re: Multiple attempts to hack into wp-login from same IP

Post by kdean »

Just adding my voice to those with this issue today. Had major load problems today with this attack. Blocked a bunch of IPs and lowered my FastCGID idle timeout to 120 seconds which seemed to have helped with the load or it's just less right now coincidentally.
ljweb
Junior Member
Posts: 4
Joined: 26 Sep 2010, 21:46

Re: Multiple attempts to hack into wp-login from same IP

Post by ljweb »

Yes happening here too, high load due to wp-login.php attempts.. Is there anyway to create a custom rule, to look through the domain logs for multiple wp-login.php attempts and block after 10 or so access attempts from the same IP within 1 min?
ahsteve
Junior Member
Posts: 2
Joined: 10 Apr 2013, 16:29

Re: Multiple attempts to hack into wp-login from same IP

Post by ahsteve »

Almost 50 servers were under attack in the same way. The numbers are common 2136 hits for a domain from an ip.

93.142.203.126 - - [09/Apr/2013:13:50:26 -0400] "POST /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"

93.142.203.126 - - [09/Apr/2013:13:50:26 -0400] "POST /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"

IP are from different locations.
sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20

Re: Multiple attempts to hack into wp-login from same IP

Post by sawbuck »

Although loathe to post WHT links this discussion is offering some mod_sec information that may work.

http://www.webhostingtalk.com/showthread.php?t=1255387

http://www.webhostingtalk.com/showpost. ... stcount=42
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Re: Multiple attempts to hack into wp-login from same IP

Post by peterelsner »

The links provided by dvk01 to the mod sec rules didn't work :(
The attacks started at exactly 1:00 PM central time.
Before then, all was fine and quiet. They will continue from now until about 5:30 PM central time (which is when they stopped yesterday).

I'm about to try the links that sawbuck just supplied.
orditeck
Junior Member
Posts: 2
Joined: 09 Apr 2013, 21:10

Re: Multiple attempts to hack into wp-login from same IP

Post by orditeck »

Thanks sawbuck for the WHT link, I found a solution with ModSec there :-) (solution by Patrick)
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Multiple attempts to hack into wp-login from same IP

Post by Sergio »

orditeck wrote:Thanks sawbuck for the WHT link, I found a solution with ModSec there :-) (solution by Patrick)
Patrick did the trick, I confirm that this rule is working +1
Post Reply