[wp-hackers] Detecting the present botnet attacks

Jeff Morris wp-hackers at zipsbazaar.co.uk
Thu Jul 11 13:32:00 UTC 2013

On 10/07/2013 13:14, David Anderson wrote:
> But, it looks like we could get a quicker result by blocking based on 
> 1) instead. Question: Does anyone know if that's reliable? i.e. are 
> there scenarios in which a likely user POST to /wp-login.php does not 
> include that field?

I've yet to see a regular bona-fide login or registration that doesn't 
carry the aforementioned field in the $_REQUEST. But now that it's been 
pointed out here, maybe we should expect to start seeing it in the 
payload ;)

I capture a lot of these admin brute-forces, and boy are they dull. One 
day last month I watched one feeding on 'Service Unavailable' for over 
five hours before I pulled its plug. Such was its sophistication it just 
kept on coming and chewing 403s for a futher 90 minutes.

In the case of a botnet, look for cookie-cutter traits, such as 
commonality in the HTTP protocol version, referrer and user agent 
fields, inter alia. A conclusion based on a combination of ticked boxes 
is bound to be more reliable.

More information about the wp-hackers mailing list