[wp-hackers] Detecting the present botnet attacks

wp-hackers at on-e.com wp-hackers at on-e.com
Thu Jul 11 14:25:25 UTC 2013


> But regardless of that, the multiple attacks on various websites on the
> same box are causing significant resource usage - perhaps around 25% of
> all resource usage on the server in question. We'd like to kill the
> attacks at an earlier stage - before the full WordPress load completes.
> We're thinking of adding a single line of code using PHP's
> auto_prepend_file feature (in php.ini) that will immediately die if an
> attack pattern is detected. This solution has the beauty of being
> something we can centrally manage fairly easily (our webserver's
> configuration file is written on-the-fly by a shell script, including
> per-site PHP-options). (Adding plugins to every site would be much more
> cumbersome).
>
> This line would detect that the URL being visited is wp-login.php, and
> then apply some other tests. Looking at the logs we've collected from
> the attackers, we see these two patterns:
> 1) The POST payload does not include [wp-submit] => 'Log In', which you
> would have if logging in from the normal wp-login.php page.
> 2) The usernames are all one of:
> * admin
> * administrator
> * the domain name of the website being attacked
> * {domain} (literally - presumably a bug in an earlier version of the
> attacker's code)

auto_prepend_file would be better than letting WordPress actually boot 
up, but I would suggest thinking of something even earlier in the process 
(if you can) - mod_security, which runs very early in the http request 
process.

You could probably adapt your rules into mod_security rules, plus you'd 
get all the other benefits as well.

