Suspicious WordPress Plugins Scan

Here is an interesting example I would like to share with you. It shows how important log management is. If you read my blog, you already know that I'm addicted to logs: they can be very useful to trace incidents or suspicious activities.

Today I received several alerts from my OSSEC server about multiple HTTP 403 errors generated by a few IP addresses. From an OSSEC point of view, this is a very basic rule: if an identical event is detected x times during a period of y seconds from the same source IP address, generate an alert.

The received alerts looked very suspicious to me. Web scans are very common, but this time it was different: all the requests had the same format:

x.x.x.x - - [08/Jul/2011:18:17:35 +0200] "GET /wp-content/plugins/xxx HTTP/1.1" 403 406 "-" "-"

Here "xxx" was a WordPress plugin name, and no Referer or User-Agent was logged (the two trailing "-" fields). Fortunately, all the GET requests were properly blocked by my Apache configuration.
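To make the two points above concrete (the OSSEC-style "x identical events in y seconds from one source IP" rule, and the fingerprint of this particular scan), here is an added example in Python. It is not code from the original post and not OSSEC's own code: it parses Apache combined log lines, flags GET requests for a bare /wp-content/plugins/<name> directory that carry neither Referer nor User-Agent, and raises an alert when one source IP produces `frequency` such 403s within `timeframe` seconds. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, the format of the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A request for the plugin directory itself: /wp-content/plugins/<name> or .../<name>/
PLUGIN_DIR_RE = re.compile(r'^/wp-content/plugins/([A-Za-z0-9._-]+)/?$')

# Constructed sample log (not taken from the post): one enumerating source that gets
# a 403 for existing plugin directories and a 404 for a missing one, plus a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jul/2011:18:17:35 +0200] "GET /wp-content/plugins/all-in-one-seo-pack HTTP/1.1" 403 406 "-" "-"
203.0.113.10 - - [08/Jul/2011:18:17:35 +0200] "GET /wp-content/plugins/gtranslate HTTP/1.1" 404 213 "-" "-"
203.0.113.10 - - [08/Jul/2011:18:17:36 +0200] "GET /wp-content/plugins/akismet HTTP/1.1" 403 406 "-" "-"
203.0.113.10 - - [08/Jul/2011:18:17:36 +0200] "GET /wp-content/plugins/wp-super-cache HTTP/1.1" 403 406 "-" "-"
203.0.113.10 - - [08/Jul/2011:18:17:37 +0200] "GET /wp-content/plugins/exec-php HTTP/1.1" 403 406 "-" "-"
203.0.113.10 - - [08/Jul/2011:18:17:38 +0200] "GET /wp-content/plugins/wp-security-scan HTTP/1.1" 403 406 "-" "-"
198.51.100.7 - - [08/Jul/2011:18:18:02 +0200] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 1337 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2011:18:18:03 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def plugin_probe(ev):
    """Return the probed plugin name when the request has the scan's fingerprint
    (GET of a plugin directory, no Referer, no User-Agent), otherwise None."""
    m = PLUGIN_DIR_RE.match(ev["path"])
    if ev["method"] == "GET" and m and ev["referer"] == "-" and ev["ua"] == "-":
        return m.group(1)
    return None


class FrequencyRule:
    """OSSEC-style correlation: fire when events accepted by `match` are seen at least
    `frequency` times within `timeframe` seconds from the same source IP."""

    def __init__(self, match, frequency, timeframe):
        self.match, self.frequency, self.timeframe = match, frequency, timeframe
        self.seen = defaultdict(deque)  # source IP -> timestamps of matching events

    def feed(self, ev):
        if not self.match(ev):
            return False
        q = self.seen[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > self.timeframe:  # drop events outside window
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one alert per burst, then start counting again
            return True
        return False


def scan(log_text, frequency=5, timeframe=60):
    """Run the rule over a log; return fired alerts and, per IP, every plugin probed with its status."""
    rule = FrequencyRule(lambda ev: ev["status"] == 403 and plugin_probe(ev) is not None,
                         frequency, timeframe)
    alerts = []                 # (ip, timestamp) for each time the rule fired
    probes = defaultdict(dict)  # ip -> {plugin name: HTTP status}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        name = plugin_probe(ev)
        if name:
            probes[ev["ip"]][name] = ev["status"]
        if rule.feed(ev):
            alerts.append((ev["ip"], ev["ts"].isoformat()))
    return {"alerts": alerts, "probes": dict(probes)}


def probable_hits(probes):
    """Plugins the scanner could conclude are installed: the directory answered 403, not 404."""
    return {ip: sorted(n for n, st in names.items() if st == 403) for ip, names in probes.items()}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG, frequency=5, timeframe=60)
    for ip, when in result["alerts"]:
        print(f"ALERT: plugin enumeration from {ip} at {when}")
    for ip, names in probable_hits(result["probes"]).items():
        print(f"{ip} learned these plugins exist: {', '.join(names)}")
```

Run it with `python3` to print the alert for 203.0.113.10 and the plugins that source learned about. The `probable_hits` output is the caveat worth keeping in mind: a 403 on a plugin directory (listing forbidden) next to a 404 for a directory that does not exist is exactly the oracle such a scanner needs, so blocking the request is not the same as hiding which plugins are installed; answering both cases with the same status closes that oracle.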

Here is the list of the 144 plugins tested:

all-in-one-seo-pack, gtranslate, wordpress-importer, contact-form-7,
si-contact-form, google-analytics-for-wordpress, yet-another-related-posts-plugin,
nextgen-gallery, ourstatsde-widget, google-sitemap-generator, akismet,
video-playlist-and-gallery-plugin, sexybookmarks, wp-super-cache, smart-youtube,
social-media-widget, wp-pagenavi, google-analyticator, tinymce-advanced,
wp-db-backup, wp-e-commerce, add-to-any, wordpress-seo, lightbox-gallery,
add-link-to-facebook, simple-tags, w3-total-cache, wp-tweet-button,
backupwordpress, wp-polls, facebook-comments-for-wordpress, feedburner-plugin,
category-posts, pretty-link, subscribe2, wordtwit, addthis, social-slider-2,
wp-postviews, really-simple-captcha, platinum-seo-pack, tubepress,
wp-google-fonts, seo-ultimate, breadcrumb-navxt, podpress, flash-album-gallery,
polldaddy, wp-postratings, page-links-to, wp-stats-dashboard,
contact-form-7-to-database-extension, backwpup, redirection,
ozh-admin-drop-down-menu, wordpress-facebook-like-plugin, custom-contact-forms,
wp-table-reloaded, tweetmeme, adrotate, share-and-follow, s2member, digg-digg,
maintenance-mode, seo-automatic-links, wp-to-twitter, simple-facebook-connect,
exclude-pages, link-library, broken-link-checker, visitor-maps, lightbox-2,
twitter-tools, powerpress, wp-dbmanager, commentluv, quick-cache, theme-my-login,
qtranslate, disqus-comment-system, eshop, wp-mail-smtp, share-this, audio-player,
wp-optimize, google-analytics-dashboard, wp-cumulus, blog-protector,
stream-video-player, feedwordpress, sidebar-login, wp-security-scan,
wordpress-mobile-pack, mappress-google-maps-for-wordpress,
all-in-one-adsense-and-ypn, vipers-video-quicktags, sitepress-multilingual-cms,
wickett-twitter-widget, exec-php, image-widget, sociable, wp-maintenance-mode,
regenerate-thumbnails, featured-content-gallery, my-page-order, events-calendar,
wordpress-video-plugin, gd-star-rating, calendar, adminimize, tweet-this,
custom-field-template, mailchimp, sitemap-generator, statpress,
wordpress-23-related-posts-plugin, wassup, lightbox-plus, dynamic-content-gallery-plugin,
headspace2, global-translator, newsletter, my-category-order,
facebook-like-button, count-per-day, easy-adsenser, advertising-manager,
wp-recaptcha, twitter-widget-pro, wp-piwik, exploit-scanner, wp-jquery-lightbox,
hyper-cache, twitter-for-wordpress, robots-meta,
php-code-widget, wp125, all-in-one-webmaster, popularity-contest,
search-everything, wordpress-mobile-edition, wp-followme, wp-syntax, wp-email

Those GET requests originated from 11 different IP addresses in several locations:

  • DRTORNYC2, US
  • Universiteit van Tilburg (UvT), NL
  • CLIENT1360, CH
  • Ligne Web Services SARL, FR
  • OVH, FR
  • Advitel Ltd, UK
  • Shaw Telecom G.P. BGPP, UK
  • Psychz Networks, US
  • Formless Networking, US
  • IQHost, RU
  • BLUTMAGIE, DE

Those requests were performed via the Tor network, as described in this ARIN object. I tried to find a common point between all the tested plugins, but nothing popped up in my mind. This clearly looks like an enumeration attack to detect the presence of specific WordPress plugins, but for which purpose? The selected plugins cover multiple domains; some are very simple, without a DB backend or any potential security hole.

Has anybody already seen the same type of scan? Please share!
