
WordPress Brute-Force – by over 100 distinct IP addresses

2019-05-10 by inc0x0

When playing around with a small web honeypot I’m developing, I noticed an interesting brute-force attack on a test deployment. There were 267 password-guessing attacks on the WordPress section of the honeypot in the last 24 hours. They were equally distributed between wp-login.php (the default login via browser), attacked 137 times, and xmlrpc.php (the WordPress XML API), attacked 130 times.

This alone is already an interesting observation, since usually the split is heavily skewed in one direction or the other. The most surprising number, however, is the count of distinct IP addresses accessing the honeypot in the last 24 hours:

147 different IP addresses in the last 24 hours. This number looks suspiciously similar to the number of password guesses on the two endpoints. Looking closer at the requests made, a pattern emerged:

Every IP address performed only three requests:

  1. GET request to wp-login.php
  2. POST request to wp-login.php -> password guessing attack
  3. POST request to xmlrpc.php -> password guessing attack

There was always a GET request to the wp-login.php page of WordPress first, followed by a POST login request with a password guess, followed in turn by a POST request to xmlrpc.php that also performed a password guess. Besides those three, no other requests were made from those IPs.
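One way to pick this pattern out of a web server log, as an added example that is not part of the original post or of the honeypot's code. It assumes the requests are available in common log format in chronological order; the sample lines are constructed and use documentation-range IP addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in common log format (documentation-range IPs, not honeypot data).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2019:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2810
198.51.100.7 - - [10/May/2019:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/May/2019:14:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.20 - - [10/May/2019:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2810
203.0.113.20 - - [10/May/2019:14:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
198.51.100.9 - - [10/May/2019:14:03:40 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 2810
198.51.100.9 - - [10/May/2019:14:03:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [10/May/2019:14:03:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
192.0.2.55 - - [10/May/2019:14:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
192.0.2.55 - - [10/May/2019:14:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*"')
# The three-request sequence described above, in order.
SIGNATURE = [("GET", "/wp-login.php"), ("POST", "/wp-login.php"), ("POST", "/xmlrpc.php")]
GUESS_PATHS = ("/wp-login.php", "/xmlrpc.php")

def requests_by_ip(log_text):
    """Map each client IP to its ordered list of (method, path) requests."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the assumed format
            ip, method, target = m.groups()
            per_ip[ip].append((method, target.split("?", 1)[0]))  # drop query string
    return per_ip

def summarize(log_text):
    """Count guesses per endpoint and list IPs whose whole activity is SIGNATURE."""
    per_ip = requests_by_ip(log_text)
    guesses = Counter(path for reqs in per_ip.values() for method, path in reqs
                      if method == "POST" and path in GUESS_PATHS)
    one_shot = sorted(ip for ip, reqs in per_ip.items() if reqs == SIGNATURE)
    return {"distinct_ips": len(per_ip), "guesses": dict(guesses), "one_shot_ips": one_shot}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Because each matching address sends only one guess per endpoint, a per-IP failed-login threshold never triggers on it; the per-endpoint totals and the share of addresses that match the signature are the signals that show the campaign.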

Quick Analysis – GeoIP + Whois

A very brief GeoIP and Whois lookup with Just-Metadata resulted in the following information:

Top 10 Countries
===================================
United States : 42
France : 13
Singapore : 12
India : 10
Vietnam : 8
Germany : 8
Netherlands : 6
United Kingdom : 5
China : 5
Japan : 4


Top 10 ISPs
===================================
DigitalOcean, LLC : 47
Amazon.com, Inc. : 7
OVH ISP : 6
Online S.A.S. : 5
Amazon Technologies Inc. : 5
OVH SAS : 4
Shenzhen Tencent Computer Systems Company Limited : 3
Google LLC : 3
GoDaddy.com, LLC : 3
1&1 Internet SE : 2

I have uploaded a list of 145 IP addresses performing those requests.

 

Edit:

As of writing this post (UTC: 2019-05-10 14:16), the probing is still ongoing:

 

Edit 2:

UTC 2019-05-10 16:30
