Here is an interesting example I would like to share with you. It shows how important log management is. If you read my blog, you already know that I'm addicted to logs. They can be very useful to trace incidents or suspicious activities.
Today I received several alerts from my OSSEC server about multiple HTTP 403 errors generated from a few IP addresses. From an OSSEC point of view, this is a very basic rule: if an identical event is detected x times within a period of y seconds from the same source IP address, generate an alert.
The received alerts looked very suspicious to me. Web scans are very common but this time, it was different. All the requests had the same format:
x.x.x.x - - [08/Jul/2011:18:17:35 +0200] "GET /wp-content/plugins/xxx HTTP/1.1" 403 406 "-" "-"
where "xxx" was a WordPress plugin name, with no Referer or User-Agent logged (the two trailing "-" fields). Fortunately, all the GET requests were blocked by my Apache configuration.
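The OSSEC rule described above (the same event from the same source IP, x times within y seconds) is easy to reimplement against raw Apache logs, which is handy when you want to replay a day of logs or tune the thresholds before touching OSSEC. The following is an added example, not code from the original post and not OSSEC's own matching engine: it parses combined-format lines, keeps only 403s on /wp-content/plugins/<name>, and raises an alert for any client that exceeds the threshold inside a sliding window. The log lines, the IP addresses (RFC 5737 documentation ranges) and the threshold and window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format:
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# First path component under the plugins directory is the plugin slug.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/?#]+)')

# Constructed sample log (not from the original post). 203.0.113.7 is the
# scanner: 7 probes in 3 seconds, no Referer, no User-Agent. 198.51.100.4 is a
# normal visitor loading a plugin asset. 203.0.113.9 probes slowly (3 in 10 min).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2011:18:17:35 +0200] "GET /wp-content/plugins/akismet HTTP/1.1" 403 406 "-" "-"
203.0.113.7 - - [08/Jul/2011:18:17:35 +0200] "GET /wp-content/plugins/wp-super-cache HTTP/1.1" 403 406 "-" "-"
203.0.113.7 - - [08/Jul/2011:18:17:36 +0200] "GET /wp-content/plugins/contact-form-7 HTTP/1.1" 403 406 "-" "-"
203.0.113.7 - - [08/Jul/2011:18:17:36 +0200] "GET /wp-content/plugins/nextgen-gallery HTTP/1.1" 403 406 "-" "-"
203.0.113.7 - - [08/Jul/2011:18:17:37 +0200] "GET /wp-content/plugins/wordpress-seo HTTP/1.1" 403 406 "-" "-"
203.0.113.7 - - [08/Jul/2011:18:17:37 +0200] "GET /wp-content/plugins/exec-php HTTP/1.1" 403 406 "-" "-"
203.0.113.7 - - [08/Jul/2011:18:17:38 +0200] "GET /wp-content/plugins/akismet HTTP/1.1" 403 406 "-" "-"
198.51.100.4 - - [08/Jul/2011:18:18:01 +0200] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 1200 "http://blog.example/" "Mozilla/5.0"
198.51.100.4 - - [08/Jul/2011:18:18:02 +0200] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 403 406 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Jul/2011:18:20:00 +0200] "GET /wp-content/plugins/akismet HTTP/1.1" 403 406 "-" "-"
203.0.113.9 - - [08/Jul/2011:18:25:00 +0200] "GET /wp-content/plugins/wp-polls HTTP/1.1" 403 406 "-" "-"
203.0.113.9 - - [08/Jul/2011:18:30:00 +0200] "GET /wp-content/plugins/podpress HTTP/1.1" 403 406 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_plugin_enumeration(lines, threshold=6, window=60):
    """Return {ip: {"count", "plugins", "headerless"}} for every client that sent
    at least `threshold` 403'd plugin probes within any `window`-second span.
    `headerless` counts probes with neither Referer nor User-Agent, the signature
    seen in the post."""
    events = defaultdict(list)  # ip -> [(time, plugin_slug, headerless)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 403:
            continue
        pm = PLUGIN_RE.match(rec["path"])
        if not pm:
            continue
        headerless = rec["referer"] == "-" and rec["ua"] == "-"
        events[rec["ip"]].append((rec["time"], pm["plugin"], headerless))

    alerts = {}
    span = timedelta(seconds=window)
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        fired = False
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window` seconds.
            while evs[end][0] - evs[start][0] > span:
                start += 1
            if end - start + 1 >= threshold:
                fired = True
                break
        if fired:
            alerts[ip] = {
                "count": len(evs),
                "plugins": sorted({e[1] for e in evs}),
                "headerless": sum(1 for e in evs if e[2]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_plugin_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {info['count']} plugin probes, "
              f"{info['headerless']} without Referer/User-Agent: "
              + ", ".join(info["plugins"]))
```

With the defaults only the fast scanner fires; lowering the threshold and widening the window (for example 3 probes in 600 seconds) also catches the slow client, which is the trade-off OSSEC's frequency and timeframe settings express. One caveat when relying on the 403s: a uniform deny only hides which plugins are installed if a request for a nonexistent plugin directory gets the same 403 instead of a 404, otherwise the status code alone still answers the scanner's question.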
Here is the list of all the 144 plugins tested:
all-in-one-seo-pack, gtranslate, wordpress-importer, contact-form-7, si-contact-form, google-analytics-for-wordpress, yet-another-related-posts-plugin, nextgen-gallery, ourstatsde-widget, google-sitemap-generator, akismet, video-playlist-and-gallery-plugin, sexybookmarks, wp-super-cache, smart-youtube, social-media-widget, wp-pagenavi, google-analyticator, tinymce-advanced, wp-db-backup, wp-e-commerce, add-to-any, wordpress-seo, lightbox-gallery, add-link-to-facebook, simple-tags, w3-total-cache, wp-tweet-button, backupwordpress, wp-polls, facebook-comments-for-wordpress, feedburner-plugin, category-posts, pretty-link, subscribe2, wordtwit, addthis, social-slider-2, wp-postviews, really-simple-captcha, platinum-seo-pack, tubepress, wp-google-fonts, seo-ultimate, breadcrumb-navxt, podpress, flash-album-gallery, polldaddy, wp-postratings, page-links-to, wp-stats-dashboard, contact-form-7-to-database-extension, backwpup, redirection, ozh-admin-drop-down-menu, wordpress-facebook-like-plugin, custom-contact-forms, wp-table-reloaded, tweetmeme, adrotate, share-and-follow, s2member, digg-digg, maintenance-mode, seo-automatic-links, wp-to-twitter, simple-facebook-connect, exclude-pages, link-library, broken-link-checker, visitor-maps, lightbox-2, twitter-tools, powerpress, wp-dbmanager, commentluv, quick-cache, theme-my-login, qtranslate, disqus-comment-system, eshop, wp-mail-smtp, share-this, audio-player, wp-optimize, google-analytics-dashboard, wp-cumulus, blog-protector, stream-video-player, feedwordpress, sidebar-login, wp-security-scan, wordpress-mobile-pack, mappress-google-maps-for-wordpress, all-in-one-adsense-and-ypn, vipers-video-quicktags, sitepress-multilingual-cms, wickett-twitter-widget, exec-php, image-widget, sociable, wp-maintenance-mode, regenerate-thumbnails, featured-content-gallery, my-page-order, events-calendar, wordpress-video-plugin, gd-star-rating, calendar, adminimize, tweet-this, custom-field-template, mailchimp, sitemap-generator, statpress, wordpress-23-related-posts-plugin, wassup, lightbox-plus, dynamic-content-gallery-plugin, headspace2, global-translator, newsletter, my-category-order, facebook-like-button, count-per-day, easy-adsenser, advertising-manager, wp-recaptcha, twitter-widget-pro, wp-piwik, exploit-scanner, wp-jquery-lightbox, hyper-cache, twitter-for-wordpress, robots-meta, php-code-widget, wp125, all-in-one-webmaster, popularity-contest, search-everything, wordpress-mobile-edition, wp-followme, wp-syntax, wp-email
Those GET requests originated from 11 different IP addresses from several locations:
- DRTORNYC2, US
- Universiteit van Tilburg (UvT), NL
- CLIENT1360, CH
- Ligne Web Services SARL, FR
- OVH, FR
- Advitel Ltd, UK
- Shaw Telecom G.P. BGPP, UK
- Psychz Networks, US
- Formless Networking, US
- IQHost, RU
- BLUTMAGIE, DE
Those requests were performed via the Tor network, as described in this ARIN object. I tried to find a common point between all the tested plugins, but nothing came to mind. This clearly looks like an enumeration attack to detect the presence of specific WordPress plugins, but for what purpose? The selected plugins cover multiple domains, and some are very simple, with no database backend or obvious security hole.
Anybody already saw the same type of scan? Please share!
I have recently installed log management and can see such events occurring on a daily basis on my website. Initially I was blocking the IPs of such sources, but every time it happens from different IPs. Very confusing.
TiTan is right, it might be because people are using http-wp-plugins or similar plugins. Now I am looking for a solution to block access to such plugins.
It could also be WPScan or something similar (http://www.ethicalhack3r.co.uk/security/introducing-wpscan-wordpress-security-scanner/). Although Ryan's tool only checks for 69 vulnerable plugins at the time of writing.
I've checked WPScan's list against the list you have provided and there are only 11 items in common. So, either the person hitting your blog knows about a LOT of 0-day WP plugins, or they are just enumerating installed plugins for some other reason. In that case, I would have expected a lot more hits; there are something like 14,000 plugins listed on the wordpress website.
(I have a nikto plugin that can be used to enumerate all plugins if you are interested..)
> It would be nice if we had a feature in OSSEC like Dshield where we could correlate this kind of stuff.
I like this! Will investigate… 😉
I re-synced my SVN nmap repository and checked the new NSE plugin. Indeed all the 144 tested plugins were in the list provided with nmap (nselib/data/wp-plugins.lst). You’re probably right!
Tx for the tip!
I tweeted you about this. It's probably due to the new http-wp-plugins NSE plugin nmap.org released a few days ago. I suppose some fool tried it on your blog. His purpose is probably to find the plugins you're using on your blog and find any vulnerabilities related to them...
I am seeing the same thing today, also from several different IPs. It would be nice if we had a feature in OSSEC like Dshield where we could correlate this kind of stuff.