Waiting for the new year party, this is a last quick post for 2014! It's not the first time that I've seen a spike of rogue authentication requests against some WordPress websites, but for a while now there has been a constant flood of IP addresses trying to brute-force the WordPress login page. This kind of attack is very common: bots are constantly looking for weak passwords. Looking at the Apache (or any other web server) log files is not enough here, because by default they only log the request line and not the body of POST requests, and that body is where the submitted login and password travel. So I captured all the POST requests in a pcap file for a few weeks, and today I decided to generate some stats!
My raw PCAP file contained 241082 login attempts. I extracted all login/password combinations and passed the results to pipal, the password analyzer written by @digininja. Nothing special: the classic weak passwords are still the ones being tested. Note that about 4K requests were made with the login "xavier". This means that the attacker did at least some preparation on the target instead of relying only on generic logins like "admin".
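To make the extraction step concrete, here is an added example (my code, not the tooling used for the post, which does not describe it). It assumes the TCP streams of the pcap have already been reassembled into raw HTTP requests; the requests it parses are constructed samples, not traffic from the post. It pulls the `log` and `pwd` form fields out of every complete POST to /wp-login.php, skips requests whose body was cut short in the capture rather than recording half a password, and builds the same kind of summary pipal produces (top logins, top passwords, length distribution, character-set buckets named as in pipal's report), plus a helper that writes the one-password-per-line file pipal reads.

```python
"""Pull WordPress login attempts out of captured HTTP POST requests and
summarise them the way pipal does (top passwords, lengths, character sets).

Added example, not the original post's tooling.  It assumes the TCP streams
of the capture have already been reassembled into raw HTTP requests; the
requests below are constructed samples, not traffic from the post.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample traffic: four usable login POSTs, one GET, one POST to
# another URL and one POST whose body was cut short in the capture.
SAMPLE_REQUESTS = [
    b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 39\r\n\r\n"
    b"log=admin&pwd=admin123&wp-submit=Log+In",
    b"POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1\r\nHost: blog.example\r\n"
    b"Content-Length: 38\r\n\r\nlog=xavier&pwd=123456&wp-submit=Log+In",
    b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\nContent-Length: 44\r\n\r\n"
    b"log=admin&pwd=P%40ssw0rd%21&wp-submit=Log+In",
    b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\nContent-Length: 38\r\n\r\n"
    b"log=xavier&pwd=123456&wp-submit=Log+In",
    b"GET /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n\r\n",
    b"POST /wp-comments-post.php HTTP/1.1\r\nHost: blog.example\r\n"
    b"Content-Length: 9\r\n\r\ncomment=x",
    b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\nContent-Length: 38\r\n\r\n"
    b"log=admin&pwd=12",  # truncated: only 16 of the announced 38 body bytes
]


def parse_login_post(raw):
    """Return (login, password) from one raw HTTP request, or None when it is
    not a complete POST to /wp-login.php carrying both form fields."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != b"POST":
        return None
    if parts[1].split(b"?")[0] != b"/wp-login.php":   # ignore the query string
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    try:
        length = int(headers.get(b"content-length", b""))
    except ValueError:
        return None
    if len(body) < length:
        return None   # body truncated in the capture: do not record a partial password
    form = parse_qs(body[:length].decode("utf-8", "replace"), keep_blank_values=True)
    if "log" not in form or "pwd" not in form:
        return None
    return form["log"][0], form["pwd"][0]   # parse_qs already percent-decodes


def char_class(pw):
    """Bucket a password with the names pipal uses in its 'Character sets' section."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if lower or upper:
        name = ("mixed" if lower and upper else "lower" if lower else "upper") + "alpha"
        return name + ("special" if special else "") + ("num" if digit else "")
    if special:
        return "specialnum" if digit else "special"
    return "numeric" if digit else "empty"   # "empty" is this example's own label


def summarise(requests, top=10):
    """pipal-style headline numbers for a list of raw requests."""
    attempts = [r for r in map(parse_login_post, requests) if r]
    passwords = [pw for _, pw in attempts]
    return {
        "total": len(attempts),
        "unique": len(set(passwords)),
        "top_logins": Counter(login for login, _ in attempts).most_common(top),
        "top_passwords": Counter(passwords).most_common(top),
        "lengths": Counter(len(pw) for pw in passwords),
        "charsets": Counter(char_class(pw) for pw in passwords),
    }


def write_pipal_input(requests, path):
    """pipal reads one password per line; write that file from the capture."""
    with open(path, "w", encoding="utf-8") as out:
        for parsed in map(parse_login_post, requests):
            if parsed:
                out.write(parsed[1] + "\n")


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

The post does not say how its capture was taken. One way to keep only POST requests in the pcap, as an assumption on my part, is the classic BPF expression that matches the four bytes "POST" at the start of the TCP payload: `tcpdump -s 0 -w wp-posts.pcap 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'`. This only works on clear-text traffic, so on an HTTPS site the capture point has to sit behind the TLS termination.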
Here are the complete results:
```
Total entries = 241082
Total unique entries = 33252

Top 10 passwords
admin = 1581 (0.66%)
123456 = 1002 (0.42%)
admin123 = 717 (0.3%)
123 = 693 (0.29%)
123123 = 690 (0.29%)
12345 = 687 (0.28%)
password = 552 (0.23%)
1234 = 524 (0.22%)
12345678 = 476 (0.2%)
1234567 = 441 (0.18%)

Top 10 base words
admin = 5120 (2.12%)
password = 1368 (0.57%)
qwerty = 988 (0.41%)
leakedin = 736 (0.31%)
pass = 594 (0.25%)
demo = 514 (0.21%)
rootshell = 479 (0.2%)
test = 453 (0.19%)
administrator = 310 (0.13%)
root = 254 (0.11%)

Password length (length ordered)
1 = 733 (0.3%)
2 = 1217 (0.5%)
3 = 3415 (1.42%)
4 = 21005 (8.71%)
5 = 23279 (9.66%)
6 = 72117 (29.91%)
7 = 40167 (16.66%)
8 = 46567 (19.32%)
9 = 11328 (4.7%)
10 = 6636 (2.75%)
11 = 3660 (1.52%)
12 = 6211 (2.58%)
13 = 1445 (0.6%)
14 = 1278 (0.53%)
15 = 619 (0.26%)
16 = 487 (0.2%)
17 = 316 (0.13%)
18 = 155 (0.06%)
19 = 121 (0.05%)
20 = 116 (0.05%)
21 = 57 (0.02%)
22 = 41 (0.02%)
23 = 14 (0.01%)
24 = 36 (0.01%)
25 = 11 (0.0%)
26 = 11 (0.0%)
27 = 9 (0.0%)
29 = 4 (0.0%)
30 = 10 (0.0%)
31 = 2 (0.0%)
32 = 9 (0.0%)
34 = 1 (0.0%)
37 = 1 (0.0%)
51 = 4 (0.0%)

Password length (count ordered)
6 = 72117 (29.91%)
8 = 46567 (19.32%)
7 = 40167 (16.66%)
5 = 23279 (9.66%)
4 = 21005 (8.71%)
9 = 11328 (4.7%)
10 = 6636 (2.75%)
12 = 6211 (2.58%)
11 = 3660 (1.52%)
3 = 3415 (1.42%)
13 = 1445 (0.6%)
14 = 1278 (0.53%)
2 = 1217 (0.5%)
1 = 733 (0.3%)
15 = 619 (0.26%)
16 = 487 (0.2%)
17 = 316 (0.13%)
18 = 155 (0.06%)
19 = 121 (0.05%)
20 = 116 (0.05%)
21 = 57 (0.02%)
22 = 41 (0.02%)
24 = 36 (0.01%)
23 = 14 (0.01%)
26 = 11 (0.0%)
25 = 11 (0.0%)
30 = 10 (0.0%)
32 = 9 (0.0%)
27 = 9 (0.0%)
29 = 4 (0.0%)
51 = 4 (0.0%)
31 = 2 (0.0%)
37 = 1 (0.0%)
34 = 1 (0.0%)

[ASCII histogram of the password length distribution, 0 to 51 characters, not reproduced]

One to six characters = 121766 (50.51%)
One to eight characters = 208500 (86.49%)
More than eight characters = 32582 (13.51%)

Only lowercase alpha = 149693 (62.09%)
Only uppercase alpha = 1058 (0.44%)
Only alpha = 150751 (62.53%)
Only numeric = 32379 (13.43%)

First capital last symbol = 590 (0.24%)
First capital last number = 3363 (1.39%)

Single digit on the end = 15856 (6.58%)
Two digits on the end = 5400 (2.24%)
Three digits on the end = 7762 (3.22%)

Last number
0 = 6120 (2.54%)
1 = 17729 (7.35%)
2 = 6062 (2.51%)
3 = 10835 (4.49%)
4 = 5194 (2.15%)
5 = 4687 (1.94%)
6 = 5179 (2.15%)
7 = 4270 (1.77%)
8 = 3774 (1.57%)
9 = 4539 (1.88%)

[ASCII histogram of the last digit, 0 to 9, not reproduced]

Last digit
1 = 17729 (7.35%)
3 = 10835 (4.49%)
0 = 6120 (2.54%)
2 = 6062 (2.51%)
4 = 5194 (2.15%)
6 = 5179 (2.15%)
5 = 4687 (1.94%)
9 = 4539 (1.88%)
7 = 4270 (1.77%)
8 = 3774 (1.57%)

Last 2 digits (Top 10)
23 = 7037 (2.92%)
00 = 2245 (0.93%)
56 = 2065 (0.86%)
11 = 2046 (0.85%)
12 = 2011 (0.83%)
21 = 1795 (0.74%)
34 = 1786 (0.74%)
45 = 1526 (0.63%)
89 = 1090 (0.45%)
88 = 954 (0.4%)

Last 3 digits (Top 10)
123 = 6586 (2.73%)
456 = 1853 (0.77%)
000 = 1562 (0.65%)
234 = 1529 (0.63%)
321 = 1315 (0.55%)
345 = 1268 (0.53%)
111 = 919 (0.38%)
789 = 752 (0.31%)
567 = 650 (0.27%)
678 = 536 (0.22%)

Last 4 digits (Top 10)
3456 = 1597 (0.66%)
1234 = 1503 (0.62%)
2345 = 1252 (0.52%)
3123 = 804 (0.33%)
1111 = 666 (0.28%)
4321 = 622 (0.26%)
4567 = 619 (0.26%)
6789 = 575 (0.24%)
5678 = 518 (0.21%)
0000 = 494 (0.2%)

Last 5 digits (Top 10)
23456 = 1582 (0.66%)
12345 = 1230 (0.51%)
23123 = 800 (0.33%)
34567 = 595 (0.25%)
56789 = 553 (0.23%)
11111 = 521 (0.22%)
45678 = 505 (0.21%)
54321 = 500 (0.21%)
00000 = 348 (0.14%)
77777 = 302 (0.13%)

Character sets
loweralpha: 149693 (62.09%)
loweralphanum: 38766 (16.08%)
numeric: 32379 (13.43%)
mixedalphanum: 6353 (2.64%)
mixedalphaspecialnum: 2454 (1.02%)
loweralphaspecialnum: 2121 (0.88%)
mixedalpha: 1861 (0.77%)
loweralphaspecial: 1754 (0.73%)
upperalpha: 1058 (0.44%)
upperalphanum: 716 (0.3%)
mixedalphaspecial: 504 (0.21%)
upperalphaspecialnum: 414 (0.17%)
specialnum: 398 (0.17%)
special: 276 (0.11%)
upperalphaspecial: 135 (0.06%)

Character set ordering
allstring: 152612 (63.3%)
alldigit: 32379 (13.43%)
stringdigit: 29763 (12.35%)
othermask: 13658 (5.67%)
digitstring: 4853 (2.01%)
stringdigitstring: 3520 (1.46%)
digitstringdigit: 1357 (0.56%)
stringspecialstring: 939 (0.39%)
stringspecialdigit: 664 (0.28%)
stringspecial: 633 (0.26%)
allspecial: 276 (0.11%)
specialstring: 227 (0.09%)
specialstringspecial: 201 (0.08%)
```
About the sources now:
- 3552 unique IP addresses were detected
- 0.18% of the requests came from IPv6 addresses
Here is the top 20 of the source AS numbers (requests per AS):

| AS | Requests |
|---|---:|
| AS16276 (OVH) | 44754 |
| AS62639 (CRISSIC) | 20089 |
| AS26163 (DATAGRAM) | 20079 |
| AS36351 (SOFTLAYER) | 20068 |
| AS34233 (SUPERIOR-AS) | 18829 |
| AS24940 (HETZNER-AS) | 16142 |
| AS14618 (AMAZON-AES) | 15950 |
| AS33322 (NDCHOST) | 10044 |
| AS27257 (WEBAIR-INTERNET) | 9143 |
| AS46606 (UNIFIEDLAYER-AS-1) | 8389 |
| AS19715 (YOUBET) | 5472 |
| AS30633 (LEASEWEB-US) | 5348 |
| AS12874 (FASTWEB) | 5292 |
| AS9121 (TTNet) | 4812 |
| AS57043 (HOSTKEY-AS) | 4471 |
| AS8622 (ISIONUK) | 4111 |
| AS50710 (EarthLink-AS) | 3611 |
| AS12876 (ONLINE S.A.S.) | 3133 |
| AS45538 (VNNIC-ASBLOCK-VN) | 1918 |
| AS3352 (Telefonica_de_Espana) | 1775 |
From a time perspective, I had two peaks of attempts, as seen on the graph below. Otherwise, the web servers are facing a constant rate of ~20 attempts/hour. Note that the attackers are rate-limited by OSSEC and often temporarily blocked, so these figures are a lower bound: a source that is blocked at the firewall never completes a TCP handshake, so the attempts it would have sent never reach the web server and never appear in the capture.
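To illustrate what this kind of rate limiting does to the numbers, here is an added example (my code, not the post's OSSEC configuration, which the post does not show). It replays constructed login attempts through a frequency/timeframe rule with a timed block, in the spirit of an OSSEC rule followed by an active response. The threshold, window, block duration and the three sample sources (RFC 5737 test addresses) are assumptions. It counts, per source, the attempts that reached the web server versus the ones refused while the source was blocked: only the former would show up in a capture like the one analysed above, so a burst of 36 attempts from a fast bot is recorded as 6, while a slow bot that stays under the threshold is recorded in full and is the one worth looking for in the hourly rate.

```python
"""Per-source rate limiting of wp-login.php attempts, modelled on an OSSEC
frequency/timeframe rule whose active response blocks the source for a while.

Added example, not the post's OSSEC rules (the post does not show them).
Threshold, window, block duration and the sample events are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 6                      # this many attempts ...
WINDOW = timedelta(seconds=120)    # ... inside this window trigger a block
BLOCK_FOR = timedelta(minutes=10)  # how long the source then stays blocked


def sample_events():
    """Constructed login attempts as (timestamp, source IP), time ordered."""
    base = datetime(2014, 12, 30, 10, 0, 0)
    events = [(base + timedelta(seconds=5 * i), "198.51.100.7") for i in range(36)]    # fast bot
    events += [(base + timedelta(seconds=60 * i), "203.0.113.9") for i in range(30)]   # slow bot
    events += [(base + timedelta(hours=1, seconds=s), "192.0.2.1") for s in (0, 30)]   # a human
    return sorted(events)


def simulate(events, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Replay attempts through the rate limiter.

    Returns (seen, dropped, blocks): per-IP counts of attempts that reached the
    web server and of attempts refused while the IP was blocked, plus the list
    of (ip, time) block decisions.  Only 'seen' attempts would be present in a
    capture taken on the web server, which is why such captures understate
    the attack.
    """
    recent = defaultdict(deque)   # per IP: timestamps still inside the window
    blocked_until = {}
    seen, dropped, blocks = Counter(), Counter(), []
    for ts, ip in events:
        if ip in blocked_until:
            if ts < blocked_until[ip]:
                dropped[ip] += 1
                continue
            del blocked_until[ip]      # block expired: the source gets a fresh window
        seen[ip] += 1
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # slide the window forward
            hits.popleft()
        if len(hits) >= threshold:
            blocked_until[ip] = ts + block_for
            blocks.append((ip, ts))
            hits.clear()
    return seen, dropped, blocks


def per_hour(events):
    """Attempts per clock hour, the rate the post reports as ~20/hour."""
    return Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _ in events)


if __name__ == "__main__":
    events = sample_events()
    seen, dropped, blocks = simulate(events)
    for ip in sorted(set(seen) | set(dropped)):
        print(f"{ip:14} reached server: {seen[ip]:3}  refused while blocked: {dropped[ip]:3}")
    print("blocks:", blocks)
    print("sent per hour:", dict(per_hour(events)))
```

The slow bot here sends one attempt a minute and never trips a 6-in-120-seconds rule, so it is the kind of source that makes up the steady background rate; the fast bot is blocked after its sixth attempt and the remaining thirty never leave its machine, which is the gap between what the attacker tried and what the pcap contains.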
It would be interesting to read a post on how you gathered your PCAP data.
Try to use a different login page URL (default: /wp-login). I changed the login page URL and I get no more login attempts.
RT @xme: [/dev/random] Analysis of WordPress Login Attempts http://t.co/om4o1mc2bj