The WordPress Brute Force Attack Timeline
We have been blogging about the massive brute force attacks against WordPress websites over the past few days, today we want to provide better context of the scale by sharing some more data on what we saw and continue to see.
In our previous report, we said that the number of scans detected almost tripled from the old averages, increasing from around 30,000 scans per day to around 100,000 per day in April.
However, the numbers are a lot larger than that. We compiled the averages per day again and on Thursday (April 11), the number of scans increased to more than 1,000,000 scans, which is more 30x the averages. This is the compilation per day:
To put into perspective how this relates to previous months, here’s a breakdown of daily averages going back to January:
So yes, what started as a blip turned into a large-scale attack in a short 24 hour period. To undermine the scale of the attack would be a mistake, but to over speculate on intention is just as a grave a mistake. Fortunately, we do have more data on the IP ranges, usernames and passwords being used. For the most part it’s remained pretty consistent, that’s good to know as it makes some of the preventive techniques being discussed in various forums fairly effective.
By far, the most effective strategy to defend against such an attack is through the implementation of some form of multi-factor or two-factor authentication. This is a more effective long-term strategy, whether through the implementation of a plugin like Google Authenticator or Duo Security. There are also a series of other techniques that could prove very beneficial, specifically employing a whitelist approach to those allowed access to your wp-admin panels.
A white-list approach will allow you to dictate which IP’s are allowed, while explicitly denying all other IPs. This can be done via your .htaccess files and/or via your web application firewall (WAF). Another effective strategy would be through a second layer of authentication using some of the basics like Basic Access Authentication. This would provide an effective defensive layer against automated attacks targeting default wp-admin panels.
Lastly, we often try to focus on things like proper use of the “administrator” role in the place of focusing on users “admin” or “administrator” (fundamentally different). In this case, where a botnet is leveraging wordlists and using those specific users and password combinations, it does make sense to avoid those users all together. I would probably recommend avoiding the list of users below in general. That being said, don’t be fooled, the use of the name itself is only half the battle. In this case it makes sense, but enumerating the users and their roles is fairly straightforward, and this would only protect you against these types of automated attacks.
So yes, what started as an above average brute force attack, went on to become a very large scale attack. As for the top usernames, passwords and IP addresses being attempted, there hasn’t been much change, fortunately.
Here are the top data points for each category:
IP Attack Distribution
Top Password Combinations
Based on what we’re seeing, we believe that the attacks are making use of a number of username/password lists. One that appears to have a lot of similarities to the combinations includes: http://pastebin.com/raw.php?i=UTUsmPm6. The top combinations however are these:
21144 [pwd] => admin
14377 [pwd] => 123456
14087 [pwd] => password
11366 [pwd] => 12345678
10409 [pwd] => 666666
9700 [pwd] => 111111
9336 [pwd] => 1234567
8902 [pwd] => qwerty
8269 [pwd] => 123321
8193 [pwd] => 12345
7752 [pwd] => 123123
7692 [pwd] => 159753
7364 [pwd] => 1234567890
6901 [pwd] => 0
6609 [pwd] => 123qwe
6179 [pwd] => 123654
6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
6067 [pwd] => 112233
5964 [pwd] => 159357
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5326 [pwd] => 12345qwe
5281 [pwd] => 1234
5141 [pwd] => 654321
5060 [pwd] => 147852
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4963 [pwd] => 222222
4928 [pwd] => 7777777
4900 [pwd] => 147258
4898 [pwd] => 123
4861 [pwd] => aethAEHBAEGBAEGEE%
4838 [pwd] => 121212
It’s unfortunate, but over the past few days there has been a lot of speculation around the intent of these attacks. We’re a detection and remediation company by trade and we still can’t clearly outline the true intentions of the attacks. We did however shared our thoughts on possible intentions a few days ago, but again they are highly speculative. What we do know is that the attack was real and it appears to be dying down.