[wp-hackers] Detecting the present botnet attacks
Jeff Morris
wp-hackers at zipsbazaar.co.uk
Thu Jul 11 13:32:00 UTC 2013
On 10/07/2013 13:14, David Anderson wrote:
> But, it looks like we could get a quicker result by blocking based on
> 1) instead. Question: Does anyone know if that's reliable? i.e. are
> there scenarios in which a likely user POST to /wp-login.php does not
> include that field?
I've yet to see a regular bona-fide login or registration that doesn't
carry the aforementioned field in the $_REQUEST. But now that it's been
pointed out here, maybe we should expect to start seeing it in the
payload ;)
I capture a lot of these admin brute-forces, and boy are they dull. One
day last month I watched one feeding on 'Service Unavailable' for over
five hours before I pulled its plug. Such was its sophistication it just
kept on coming and chewing 403s for a further 90 minutes.
In the case of a botnet, look for cookie-cutter traits, such as
commonality in the HTTP protocol version, referrer and user agent
fields, inter alia. A conclusion based on a combination of ticked boxes
is bound to be more reliable.
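One way to turn those ticked boxes into a check, as an added example that is not code from the original thread: a small Python scorer over constructed Apache combined-format log lines that groups POST /wp-login.php requests by their (HTTP version, referer, user agent) fingerprint and flags a group only when several traits line up. The log format, the thresholds and the "a browser form submit normally carries a Referer" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Apache "combined" log format; regex and sample data are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = [  # three bot IPs hammering the login form with identical traits (constructed)
    f'{ip} - - [11/Jul/2013:13:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.0" 403 199 "-" "{BOT_UA}"'
    for s, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"] * 2)
] + [  # one ordinary browser login: HTTP/1.1, Referer set, distinct UA, redirect on success
    '198.51.100.7 - - [11/Jul/2013:13:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://blog.example/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def fingerprint(rec):
    # Cookie-cutter traits: protocol version, referer and user agent taken together.
    return (rec["ver"], rec["referer"], rec["ua"])

def score_login_posts(lines, min_ips=3, min_rejected=5):
    """Tick one box per botnet trait for each fingerprint group of login POSTs and
    return only the groups with at least two boxes ticked (a combination, not one clue)."""
    groups = defaultdict(lambda: {"ips": set(), "hits": 0, "rejected": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"].split("?")[0] != "/wp-login.php":
            continue
        g = groups[fingerprint(rec)]
        g["ips"].add(rec["ip"])
        g["hits"] += 1
        if rec["status"] in ("403", "503"):
            g["rejected"] += 1
    flagged = {}
    for fp, g in groups.items():
        boxes = []
        if len(g["ips"]) >= min_ips:        # identical traits arriving from many sources
            boxes.append("shared_by_many_ips")
        if g["rejected"] >= min_rejected:   # keeps chewing 403/503 responses instead of stopping
            boxes.append("persists_after_403")
        if fp[1] in ("", "-"):              # assumption: a browser form submit sends a Referer
            boxes.append("no_referer")
        if len(boxes) >= 2:
            flagged[fp] = {"ips": len(g["ips"]), "hits": g["hits"], "boxes": boxes}
    return flagged
```

Feed it a real access log one line at a time and tune min_ips and min_rejected to the site's normal login volume before acting on the output.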