BFM Wordpress attack stays undetected

Freddy (Verified User, joined Apr 14, 2016, 137 messages)
My server was under attack by one and the same IP for multiple domains. Normally this IP would get blocked very soon because the Brute Force Monitor scans the Wordpress logs. Except, this one didn't. I blocked the IP manually and went looking for the source of the problem. The access log looked like this:

Code:
167.88.60.248 - - [12/Oct/2021:09:35:32 +0200] "POST //wp-login.php HTTP/1.0" 200 9396 "https://mydomain.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
167.88.60.248 - - [12/Oct/2021:09:35:35 +0200] "POST //wp-login.php HTTP/1.0" 200 9396 "https://mydomain.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
167.88.60.248 - - [12/Oct/2021:09:35:39 +0200] "POST //wp-login.php HTTP/1.0" 200 9396 "https://mydomain.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"

What I can see here is that instead of using one forward slash the attacker used two slashes. Normally one would look for the login page on "/wp-login.php" but this attack took place on "//wp-login.php". Note the double //. My guess is that the BFM ignores this page as not being a login page. Maybe a developer can take a look at this? Because Wordpress does accept requests on this URL.
 
Today the same attack happened again from a different source. Could anyone take a look at this or maybe inform me on how to adapt the BFM script so I can monitor and block these attacks?
 
My advice: install the Wordfence plugin for Wordpress, then you are protected against BF and other vulnerabilities.
 
my advice : Install the Wordfence plugin for Wordpress, then you are protected against BF and other vulnerabilities.
That would require installing plugins for multiple Wordpress sites that all keep their own blacklist. It also prevents attacks at a much higher level, so the server load would still rise when under attack. DirectAdmin BFM has a built-in Wordpress attack monitor that works far more efficiently. It only needs to be adapted a little to detect this attack.
 
You might like to use this in your csf's regex.custom.pm file:
Code:
# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
    return ("Get lost please",$1,"WPLOGINorWHATEVER","10","80,443","604800");
}
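An added example, not from this thread, DirectAdmin or CSF: a small Python matcher run over constructed access-log lines (documentation IPs, not the real attacker) showing how normalising repeated slashes in the request path catches the "//wp-login.php" POSTs, while a pattern that expects exactly "/wp-login.php" after the method misses them. The "naive" pattern is a hypothetical illustration of the theory above, not BFM's real regex.

```python
import re
from collections import Counter

# Constructed sample lines: a double-slash POST like the one in the thread, a normal
# single-slash POST, a GET (not a login attempt) and a nested-path xmlrpc POST.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2021:09:35:32 +0200] "POST //wp-login.php HTTP/1.0" 200 9396 "https://example.com//wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2021:09:35:35 +0200] "POST /wp-login.php HTTP/1.1" 200 9396 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2021:09:36:01 +0200] "GET /wp-login.php HTTP/1.1" 200 9396 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2021:09:36:05 +0200] "POST /blog///xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Common-log-format fields we need: client IP, request method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical single-slash pattern: only matches when the path begins exactly "/wp-login.php"
# or "/xmlrpc.php". It is NOT BFM's actual regex, just a model of why "//wp-login.php" slips by.
NAIVE_RE = re.compile(r'^(\S+).*"POST /(wp-login\.php|xmlrpc\.php)[ ?].* (200|401) ')

LOGIN_TARGETS = {"wp-login.php", "xmlrpc.php"}

def naive_hits(log_text):
    """IPs of login-endpoint POSTs as seen by the single-slash pattern."""
    return [m.group(1) for m in map(NAIVE_RE.match, log_text.splitlines()) if m]

def normalized_hits(log_text):
    """IPs of login-endpoint POSTs after collapsing runs of '/' in the path, so that
    //wp-login.php and /blog///xmlrpc.php are recognised (WordPress serves them anyway)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("status") not in ("200", "401"):
            continue
        path = re.sub(r"/+", "/", m.group("path").split("?", 1)[0])  # strip query, squash slashes
        if path.rsplit("/", 1)[-1] in LOGIN_TARGETS:
            hits.append(m.group("ip"))
    return hits

def offenders(log_text, threshold=2):
    """IPs whose normalised login-POST count reaches the threshold (the block decision)."""
    counts = Counter(normalized_hits(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

On the sample above the naive pattern sees one login POST from the attacking IP, the normalised check sees three, so only the latter reaches a blocking threshold of two.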
 
I did some testing and it seems that Wordpress logins are not detected for particular domains by the BFM. I checked the /usr/local/directadmin/data/admin/brute.conf file and the domain is listed there and pointing to the right file. I can see my own (failed) login in the logfile but the BFM does not seem to pick it up. Even with the normal single / it doesn't.

I have no clue why it isn't working.

I could use Richard's code with CSF, but I would rather solve this using the standard BFM detection. Any tips on why this isn't working?
 