[BlueOnyx:21561] Re: Attack by a botnet.

Ken Hohhof khohhof at kwom.com
Mon Dec 4 17:45:20 -05 2017


wp-login.php and xmlrpc.php both look like dictionary attacks trying to guess WordPress passwords.

From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Fungal Style
Sent: Monday, December 4, 2017 2:52 PM
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:21560] Attack by a botnet.

Hi all,

Just want to get some ideas on anything I can do, as they are quite literally filling up log files with spam entries of hits from an IP, then rotating to a new IP.

It is a form of brute-force attack from what I can tell, and it is low bandwidth as they are requesting part of a file (possibly to go undetected as it is 2/10’s of bugger all data).

As I am only using the domain for testing currently, I placed a 301 on it and renamed the files it is requesting, but they are still going.

Here is some of the apache log:

www.it-malls.com 112.202.163.181 - - [05/Dec/2017:07:38:58 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 112.202.163.181 - - [05/Dec/2017:07:39:05 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:39:09 +1100] "GET /ukgb4/trne.php?recipe-for-homemade-window-cleaner HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:12 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:32 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.72 - - [05/Dec/2017:07:39:34 +1100] "GET /ukgb4/trne.php?famous-sun-valley-id-trout-recipes HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:43 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 88.230.246.176 - - [05/Dec/2017:07:39:44 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 176.240.142.162 - - [05/Dec/2017:07:39:45 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 88.230.246.176 - - [05/Dec/2017:07:39:46 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 88.230.246.176 - - [05/Dec/2017:07:39:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 176.240.142.162 - - [05/Dec/2017:07:39:47 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 176.240.142.162 - - [05/Dec/2017:07:39:48 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:52 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 212.237.119.209 - - [05/Dec/2017:07:39:59 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.72 - - [05/Dec/2017:07:40:00 +1100] "GET /vvbni5/td.php?bed-and-breakfast-weston-super-mare HTTP/1.1" 301 266 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 220.245.195.62 - - [05/Dec/2017:07:40:01 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 220.245.195.62 - - [05/Dec/2017:07:40:03 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 220.245.195.62 - - [05/Dec/2017:07:40:04 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 212.237.119.209 - - [05/Dec/2017:07:40:05 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 212.237.119.209 - - [05/Dec/2017:07:40:06 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:40:26 +1100] "GET /ukgb4/trne.php?diablo-2-lod-horadric-cube-recipes HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 189.69.67.47 - - [05/Dec/2017:07:40:26 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 189.69.67.47 - - [05/Dec/2017:07:40:27 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 189.69.67.47 - - [05/Dec/2017:07:40:28 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.18.238.214 - - [05/Dec/2017:07:40:45 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.18.238.214 - - [05/Dec/2017:07:40:47 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.18.238.214 - - [05/Dec/2017:07:40:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:40:52 +1100] "GET /ukgb4/trne.php?fried-green-bean-recipe-applebee-s HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 45.220.247.2 - - [05/Dec/2017:07:41:07 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 45.220.247.2 - - [05/Dec/2017:07:41:16 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:41:18 +1100] "GET /dpjm6/xsoax.php?quilted-casserole-carrier-patterns HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 45.220.247.2 - - [05/Dec/2017:07:41:20 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 93.84.30.121 - - [05/Dec/2017:07:41:22 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 197.228.204.125 - - [05/Dec/2017:07:41:23 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 93.84.30.121 - - [05/Dec/2017:07:41:23 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 93.84.30.121 - - [05/Dec/2017:07:41:24 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 197.228.204.125 - - [05/Dec/2017:07:41:25 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 197.228.204.125 - - [05/Dec/2017:07:41:26 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:41:44 +1100] "GET /ukgb4/trne.php?do-japanesse-people-eat-raw-chicken HTTP/1.1" 301 266 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 185.16.25.76 - - [05/Dec/2017:07:41:58 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 185.16.25.76 - - [05/Dec/2017:07:41:59 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 185.16.25.76 - - [05/Dec/2017:07:42:00 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 120.43.162.255 - - [05/Dec/2017:07:42:10 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.74 - - [05/Dec/2017:07:42:10 +1100] "GET /kdka3/bu.php?turkey-soup-in-pressure-cooker-recipe HTTP/1.1" 301 268 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 201.156.9.61 - - [05/Dec/2017:07:42:17 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

Prior to the permanent redirect and renaming of files they were getting 302 206 from memory instead of the current 301 230.

Any suggestions would be appreciated if there is anything I can do to get rid of this garbage. It started up just over 24 hours ago and has been constant; fail2ban and other security measures I can't see as doing anything, as it is rotating IPs and does not seem to use the same ones for more than one lot of hits.

Regards

Brian
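A defender-side check for the pattern described in this thread, added here as an example and not part of the original exchange: it parses Apache vhost log lines of the shape quoted above and, instead of counting hits per IP (which is what fail2ban does and what the rotating addresses defeat), counts how many distinct sources hit wp-login.php or xmlrpc.php under one shared User-Agent while each stays under a per-IP ban threshold. The sample lines are constructed after the quoted log, and the threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}
# Apache combined format with a leading vhost field, as in the lines quoted above.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
FOX = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample modelled on the thread's log: three sources, each making at
# most three login-endpoint requests, plus one crawler hit on an unrelated path.
SAMPLE_LOG = [
    f'www.it-malls.com 112.202.163.181 - - [05/Dec/2017:07:39:05 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "{FOX}"',
    f'www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:39:09 +1100] "GET /ukgb4/trne.php?recipe-for-homemade-window-cleaner HTTP/1.1" 301 265 "-" "{BOT}"',
    f'www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:12 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "{FOX}"',
    f'www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:32 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "{FOX}"',
    f'www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "{FOX}"',
    f'www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "{FOX}"',
]

def parse_line(line):
    """Split one access-log line into fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def analyse(lines, per_ip_ban_threshold=5, min_sources=3, ua_share=0.8):
    """Aggregate login-endpoint hits across sources instead of per IP: a per-IP ban
    never fires when every address stays under its threshold (thresholds assumed)."""
    hits = defaultdict(Counter)  # ip -> Counter of (method, path)
    ua_of = {}                   # ip -> User-Agent seen from that ip
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in LOGIN_ENDPOINTS:
            continue
        hits[rec["ip"]][(rec["method"], rec["path"])] += 1
        ua_of[rec["ip"]] = rec["ua"]
    per_ip = {ip: sum(c.values()) for ip, c in hits.items()}
    if not per_ip:
        return {"distinct_ips": 0, "max_hits_per_ip": 0, "top_ua": None, "distributed": False}
    top_ua, n = Counter(ua_of.values()).most_common(1)[0]
    # Many distinct sources, none over the per-IP ban line, one shared UA: a botnet, not a user.
    distributed = (len(per_ip) >= min_sources and max(per_ip.values()) < per_ip_ban_threshold
                   and n / len(ua_of) >= ua_share)
    return {"distinct_ips": len(per_ip), "max_hits_per_ip": max(per_ip.values()),
            "top_ua": top_ua, "distributed": distributed}
```

Run it over a rotated log slice (for example, `analyse(open(path).read().splitlines())`) and alert on `distributed` rather than on any single address; the same aggregate is also the evidence for rate-limiting or geo-blocking those two endpoints at the web server.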