
Brute force and Four-oh-four Attacks

  • @modx

    Participant

    Hi,

    I just installed BuddyPress on my site, actually for the second time, as I’ve been experiencing unauthorized posts being posted and so I have to reinstall everything. I installed a plugin called iThemes Security because of this issue.

    I don’t know though if this is because of BuddyPress. According to the iThemes Security logs, the /register/, /members/, /activity/ and /group/ pages are where these attacks are being made, but I’m just assuming, as that is where it is being shown in the log.

    Any assumptions or ideas are greatly appreciated. Thank you.

Viewing 11 replies - 1 through 11 (of 11 total)
  • @modx

    Participant

    Here’s a screenshot. As you can see it is around 1K already.

    [screenshot: log_sc]

    @djsteveb

    Participant

    @modx – I have had a similar thing, but I’m not sure exactly what you are describing in your situation, and your screenshot did not show up.

    I suggest downloading a copy of your “raw access logs” – first and foremost.

    You may have a situation like I ran into where you need to add a robots.txt to block the Baidu spider (all several of them) – and the Sogou spider.. also the Majestic spider and the Ahrefs ones.. you may also want to add a few allow/deny directives in your htaccess to block some IP addy blocks..

    Again I am not sure of your exact situation, but I ran into something like this recently, and it led me to an unanswered support post on the WP forums – and I found the best way to patch the problem was these things, although I still think more could be done with some advanced htaccess blocking rules using regex – which I am not overly proficient with yet.

    @djsteveb

    Participant

    Oh, here is my unanswered question with my concerns about how WP handles some of these things – if the info there helps you at all -> https://wordpress.org/support/topic/question-mark-url-return-200-not-404-string-query-noindex-or

    @modx

    Participant

    @djsteveb – Hi, thanks for the info! So does this mean this has nothing to do with BuddyPress at all?

    Some posts are being posted with a user ID=0, even though registration is already disabled. Below are the first 5 log entries:

    log_id | log_type    | log_function          | log_priority | log_date            | log_date_gmt        | log_host       | log_username  | log_user | log_url | log_referrer | log_data
    1      | brute_force | Invalid Login Attempt | 5            | 2015-07-16 10:13:39 | 2015-07-16 10:13:39 | 23.250.34.71   | rogeliomackie | 0        |         |              | a:0:{}
    2      | brute_force | Invalid Login Attempt | 5            | 2015-07-16 10:16:56 | 2015-07-16 10:16:56 | 172.85.106.118 | rogeliomackie | 0        |         |              | a:0:{}
    3      | brute_force | Invalid Login Attempt | 5            | 2015-07-16 10:19:25 | 2015-07-16 10:19:25 | 172.85.103.167 | rogeliomackie | 0        |         |              | a:0:{}
    4      | brute_force | Invalid Login Attempt | 5            | 2015-07-16 10:23:32 | 2015-07-16 10:23:32 | 45.59.26.85    | rogeliomackie | 0        |         |              | a:0:{}
    5      | brute_force | Invalid Login Attempt | 5            | 2015-07-16 10:24:18 | 2015-07-16 10:24:18 | 50.118.159.10  | rogeliomackie | 0        |         |              | a:0:{}
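The log rows above show one username being tried from a different source address every couple of minutes, which is the pattern a per-IP limiter (the "4 attempts" default discussed later in this thread) never catches. The following added example, which is not code from the thread, BuddyPress or iThemes Security, re-types those five rows as a constructed tab-separated sample, groups the failures by source host and by targeted username, and applies a sliding-window lockout rule to each grouping; the threshold, window and whitelist parameters are illustrative assumptions.

```python
"""Aggregate iThemes Security 'brute_force' log rows by host and by username
and apply a sliding-window lockout rule to each grouping.

Added example, not code from the thread or from iThemes Security.
Assumptions: rows are tab-separated with the column header shown in the
thread; only log_type, log_function, log_date_gmt, log_host and
log_username are used. Threshold and window values are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the five rows quoted in the thread, re-typed as
# tab-separated fields (log_url and log_referrer were empty).
SAMPLE_LOG = (
    "log_id\tlog_type\tlog_function\tlog_priority\tlog_date\tlog_date_gmt\t"
    "log_host\tlog_username\tlog_user\tlog_url\tlog_referrer\tlog_data\n"
    "1\tbrute_force\tInvalid Login Attempt\t5\t2015-07-16 10:13:39\t2015-07-16 10:13:39\t23.250.34.71\trogeliomackie\t0\t\t\ta:0:{}\n"
    "2\tbrute_force\tInvalid Login Attempt\t5\t2015-07-16 10:16:56\t2015-07-16 10:16:56\t172.85.106.118\trogeliomackie\t0\t\t\ta:0:{}\n"
    "3\tbrute_force\tInvalid Login Attempt\t5\t2015-07-16 10:19:25\t2015-07-16 10:19:25\t172.85.103.167\trogeliomackie\t0\t\t\ta:0:{}\n"
    "4\tbrute_force\tInvalid Login Attempt\t5\t2015-07-16 10:23:32\t2015-07-16 10:23:32\t45.59.26.85\trogeliomackie\t0\t\t\ta:0:{}\n"
    "5\tbrute_force\tInvalid Login Attempt\t5\t2015-07-16 10:24:18\t2015-07-16 10:24:18\t50.118.159.10\trogeliomackie\t0\t\t\ta:0:{}\n"
)


def parse_rows(text):
    """Parse a tab-separated export into a list of dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != len(header):
            continue  # skip malformed rows instead of aborting the whole run
        rows.append(dict(zip(header, fields)))
    return rows


def failed_logins(rows):
    """Keep only the rows the plugin tags as invalid login attempts."""
    return [r for r in rows
            if r["log_type"] == "brute_force"
            and r["log_function"] == "Invalid Login Attempt"]


def count_by(rows, key):
    """Number of failed attempts per distinct value of `key`."""
    return Counter(r[key] for r in rows)


def lockouts(rows, key, threshold, window_minutes, whitelist=()):
    """Sliding-window lockout: for each value of `key`, the timestamp of the
    `threshold`-th failure that falls within `window_minutes` of an earlier
    one. Whitelisted values (the thread's 'whitelist' idea) are never locked."""
    window = timedelta(minutes=window_minutes)
    stamps = defaultdict(list)
    for r in rows:
        stamps[r[key]].append(
            datetime.strptime(r["log_date_gmt"], "%Y-%m-%d %H:%M:%S"))
    locked = {}
    for value, times in stamps.items():
        if value in whitelist:
            continue
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                locked[value] = times[i]
                break
    return locked


if __name__ == "__main__":
    failed = failed_logins(parse_rows(SAMPLE_LOG))
    print("per host:", dict(count_by(failed, "log_host")))
    print("per username:", dict(count_by(failed, "log_username")))
    print("host lockouts (4 in 15 min):", lockouts(failed, "log_host", 4, 15))
    print("username lockouts (4 in 15 min):",
          lockouts(failed, "log_username", 4, 15))
```

On this sample the per-host rule never fires (each host appears once), while the per-username rule locks `rogeliomackie` at the fourth attempt, 10:23:32. That is the practical reason to count failures against the targeted account as well as the source address when the attempts are spread over many proxies.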

    @modx

    Participant

    @djsteve – I found this with regards to the spiders and the Ahrefs ones

    Blocking parasite

    I hope I’m on the right track though.

    Anyway I hope some other members of the forum can give their insights too.

    @modx

    Participant

    I am trying to add this

    # Conditions are ANDed by default, so every line but the last needs [OR]
    # or the rule can never match; the flag brackets were also mis-typed
    RewriteCond %{REMOTE_ADDR} ^212\.100\.254\.105$ [OR]
    RewriteCond %{HTTP_USER_AGENT} Yandex [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Sogou [NC]
    RewriteRule ^.*$ - [F]

    in .htaccess, but I’m not sure where, as I get an internal error when I do it like this:

    # Custom blocking rules go above the WordPress block: WordPress rewrites
    # everything between BEGIN/END WordPress, and the catch-all rule there
    # ends with [L], so rules placed after it are not reached
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^212\.100\.254\.105$ [OR]
    RewriteCond %{HTTP_USER_AGENT} Yandex [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Sogou [NC]
    RewriteRule ^.*$ - [F]
    </IfModule>

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    @djsteveb

    Participant

    @modx – for the moment, I would put your htaccess back to the way it was before. From what I am seeing, you are talking about login brute force password cracking being your big issue.

    Although I still suggest blocking those other engine bots – you can probably do that just fine with a robots.txt file at the moment.

    IF you are using a login security plugin already – you should be fine… many like to use “Limit Login Attempts” – I use that on some sites – just change the default settings to be more strict than the default 4 attempts.. you might also want to add “Whitelist Limit Login Attempts” to keep yourself from getting locked out.

    I think Sucuri is an excellent one too – but there are many others… these login attempt blockers will prevent a bunch of the bot attempts to break in.. recently I have found that adding the plugin “IP Geo Block” ( https://wordpress.org/plugins/ip-geo-block/ ) is very helpful. Again, change the default settings so it also blocks access to your plugins folder and others..

    Thing is, every single one of our WordPress (and therefore also BuddyPress) sites is getting these non-stop password attacks all day, every day. You can try things like adding a “captcha” to your login form to make it harder.. but they will keep trying and tying up your server resources..

    Strange to see from your posts that all of those attacks are coming from USA-based proxy servers – usually most of the attacks come from Ukraine; it makes me think they already got into your site once before and are willing to spend a little extra to try to re-attack.

    Since those companies are US-based you could write them with abuse complaints, but I don’t think you will ever stop the hacking attempts so long as you have a CMS that allows an admin login.

    If you are dumping BuddyPress for the moment and don’t need others to get through a login prompt, I suggest adding this bit of htaccess pwd magic –
    http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

    Saves my servers a ton of SQL requests 😉

    @modx

    Participant

    @djsteveb – I think it’s not only login attempts, but posts that are being forcefully posted, BP Members, Groups, and Activity being accessed, and I am only seeing one username, rogeliomackie. The iThemes Security log shows site URLs that don’t even exist yet on my website, and these activities are happening there. Most of these URLs are from BuddyPress-generated pages which I removed ASAP after installing the plugin, so I am wondering.

    I agree that not only WordPress but other CMSs and websites get unwanted visitors daily. One of my concerns too is bandwidth usage: 2 days and it’s already around 800MB, and the max is only 48 GB. I know pages are being indexed but it just feels abnormal. What if my site got a lot of users and these unwanted activities happened in the background? I’m thinking that the site would get unimaginably slow.

    As the site’s aim is a community that can submit video links and automatically get them posted, I am looking into adding Captcha and other security measures, especially integrating security into BuddyPress pages like Registration. I haven’t seen a Login page generated though.

    Thanks for the tips and advice, I appreciate it.

    @modx

    Participant

    I wonder if I should do a clean install again though. If the same thing happens then maybe the backend is infected or something. I’m not really knowledgeable with this stuff, I just want my site to run as normally as possible.

    @djsteveb

    Participant

    @modx – if you install WP at all, thousands of zombie computers that are being used as part of multiple botnets will try to constantly log into your system.

    It never hurts to do a clean install though, go for it.

    Certainly there is a chance that they have already gotten your database credentials, so remaking your database username / pass and changing your salts is a good thing to do if you are concerned they may have gotten into your stuff in the past.

    I can tell you that in the future if you want a really clean install, the first thing you do when you put up a new WP is to add a robots.txt that tells all spiders (including Google) to not index things like “*wp-admin*”, “*login*”, “*register*” – etc – this will help keep it down a bit.. of course the really evil ones are going to get your login page URL.. so starting off a fresh install on a fresh domain with a plugin that moves / renames your login.php would help… but all the evil bots have already indexed your site and put your registration and login URLs into their list of things to attack.. so it is what it is.

    You can make the lock stronger in several ways, but I don’t think you will stop them from trying to get in.

    I’ve blocked countries, large blocks of IP allocations, entire ASNs.. I’ve cut down the amount of attacks – but they still find ways to keep on trying with different methods.

    Of course if you can take their password guessing down from 10,000 a day to less than 100 – well, the math is in your favor.

    @modx

    Participant

    @djsteveb – I will try to do a clean install again. I’m thinking of setting up everything locally first, then uploading all at once to the site’s public directory. I don’t know though if it works by not using Softaculous from cPanel and just manually uploading.

    Anyway, again thanks for the helpful tips, I appreciate it. I have already taken note and it will be really handy.

  • The topic ‘Brute force and Four-oh-four Attacks’ is closed to new replies.