
WordPress Brute-Force Log-In Bots: Firefox/40.1 – Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1

Many of our clients are reporting that our platform is blocking just about all brute-force log-in attempts from yet another spate of bots using the “Firefox/40.1” User-Agent. Here’s an example request captured on our own deployment with ngrep:

POST /wp-login.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Content-Length: 54
Host: hivewind.com
Cookie: wordpress_test_cookie=WP+Cookie+check; ash=b7c362b46be942a76c548516a2f860d9

log=hivewind&pwd=7654321&wp-submit=Log+In&testcookie=1

This spate of requests is coming from many different IPs, all using this User-Agent:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1

From inspecting the logs on our own HiveShield installation so far, we’ve detected well over 5,000 unique perpetrating IPs. Here is the list of unique IPs so far:

bruteforce-ips.txt

More interestingly, here’s a listing of the timed attacks per IP address, one line per hit, in the format:

Date @ Time – Perpetrating IP

bruteforce-timed.txt

Some findings:

  1. Our first recorded hits were on May 28th, 2017: only 2 hits
  2. June 10th, 2017: only 2 hits
  3. From June 14th, 2017 onward: several hits every single day
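As an added example (this is not HiveShield code, and the log lines are not the post’s real data), here is how the unique-IP list, the timed listing and the per-day counts above can be reproduced from an ordinary web-server access log in Apache/nginx “combined” format. The sample log is constructed with TEST-NET addresses; the User-Agent is the one quoted above, and two decoy lines (a plain GET of the login page, and a POST from a different Firefox build) are mixed in to show what the filter must ignore.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# The User-Agent string quoted in the post.
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

# Apache/nginx "combined" log format:
#   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (TEST-NET addresses); not the post's real data.
# Line 3 is a GET (not a login attempt) and line 4 is a POST from another
# Firefox build; neither should be counted.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2017:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3405 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.9 - - [28/May/2017:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3405 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.2 - - [28/May/2017:08:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2107 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.3 - - [10/Jun/2017:11:22:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3405 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"
203.0.113.7 - - [14/Jun/2017:00:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3405 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.44 - - [14/Jun/2017:00:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3405 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.7 - - [14/Jun/2017:00:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3405 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_bot_login(rec):
    """A POST to wp-login.php carrying the exact Firefox/40.1 User-Agent."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path == "/wp-login.php" and rec["ua"] == BOT_UA


def bot_hits(log_text):
    """All matching hits, as parsed records, in log order."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None and is_bot_login(r)]


def unique_ips(hits):
    """Distinct perpetrating IPs in numeric order (the bruteforce-ips.txt view)."""
    return sorted({h["ip"] for h in hits}, key=ipaddress.ip_address)


def timed_listing(hits):
    """'Date @ Time - IP' lines in time order (the bruteforce-timed.txt view)."""
    ordered = sorted(hits, key=lambda h: h["time"])
    return [f"{h['time']:%Y-%m-%d @ %H:%M:%S} - {h['ip']}" for h in ordered]


def hits_per_day(hits):
    """Hits per calendar day, which is how the findings above were read off."""
    return Counter(h["time"].date().isoformat() for h in hits)


def repeat_offenders(hits, threshold=2):
    """IPs with at least `threshold` attempts; candidates for a block rule."""
    counts = Counter(h["ip"] for h in hits)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    hits = bot_hits(SAMPLE_LOG)
    print(f"{len(hits)} bot login POSTs from {len(unique_ips(hits))} unique IPs")
    for line in timed_listing(hits):
        print(line)
    for day, n in sorted(hits_per_day(hits).items()):
        print(f"{day}: {n} hits")
    print("repeat offenders:", repeat_offenders(hits))
```

The match is on the exact User-Agent string, which is deliberately narrow: the operators can change it at any time, so treat it as a fingerprint for this particular wave rather than a durable rule, and pair it with the per-IP rate of POSTs to wp-login.php (what repeat_offenders counts) when you turn it into a block rule.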

Our platform is designed to help your applications survive DDoS attacks, and as such is “technically” not a Web Application Firewall (WAF).

At the core of our platform lies a sophisticated detection engine that can accurately distinguish humans from both robots and legitimate crawlers. This engine is what detected and blocked these brute-force attempts.

Because many breach attempts are scripted, with varying levels of sophistication, most of them get blocked by HiveShield even when they are not part of a DDoS attack.

With all this said, you should not depend on any third-party solution to enforce strong password policies for your users, and you should make sure your web applications follow best practices for salting and hashing passwords: a unique random salt per user and a slow, purpose-built password hash, never a plain fast hash. Note that the captured request above tried “7654321”, a seven-digit numeric password; a minimum-length rule stops your users from ever choosing a password like that, which is what makes such guesses fail.
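As an added example (not WordPress’s own hashing code, and not part of the original post), here is what those two recommendations look like in working code: a minimal password policy that rejects the kind of password the captured bot was trying, and per-user salted hashing with a slow key-derivation function and a constant-time check. The denylist and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not WordPress's own hashing code): per-user salted hashing
# with a slow KDF, constant-time verification, and a minimal password policy.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000     # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
MIN_LENGTH = 12
# Constructed denylist. "7654321" is the password tried in the captured
# request above; a real deployment would use a large breached-password list.
DENYLIST = {"7654321", "1234567", "password", "admin", "letmein", "qwerty"}


def check_policy(password, username=""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENYLIST:
        problems.append("appears on the denylist of common passwords")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password):
    """Draw a fresh random salt; return 'algo$iterations$salt$hash' for storage."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False          # malformed record: never accept
    if algo != ALGO:
        return False          # unknown scheme: never accept
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(check_policy("7654321", "hivewind"))                      # two violations
    stored = hash_password("correct horse battery staple")
    print(stored)                                                   # differs on every run
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("7654321", stored))                       # False
```

Because the salt is random per user, hashing the same password twice yields two different records, so a leaked database does not reveal which users share a password and cannot be attacked with one precomputed table; the iteration count is stored with the hash so it can be raised later without invalidating existing accounts.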

Additionally, you should always look after the security of your web applications: stay up to date with the OWASP Top 10 and run regular audits of your code-base. We also recommend OWASP’s Zed Attack Proxy (ZAP) as a great tool for uncovering vulnerabilities in your application; it is free, actively maintained and very effective.

You should also read Janna Pyles’ article on hardening your WordPress installation against Brute-Force Log-In Attacks.
