16 February 2017
Firefox 40.1 and WordPress attacks
There are many attempts to brute-force the WordPress login page, even against websites that are not running WordPress at all.
Looking at an Apache access log, there seem to be many of these entries:
187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
All of these probes for the WordPress login page have one thing in common: they all report Firefox 40.1 as the User-Agent.
This makes them an easy target for blocking in an .htaccess file.
Here is an example of an .htaccess file to block many of these tools and robots:
## No directory listings
IndexIgnore *
## Can be commented out if it causes errors, see notes above.
Options +FollowSymLinks
Options -Indexes
## Mod_rewrite in use.
RewriteEngine On
RewriteBase /
## Block Hacking Tools and Miscreant bots by User-Agent
SetEnvIfNoCase User-Agent "^-?$" scum
# wp-login User-Agent
SetEnvIfNoCase User-Agent "Firefox/40.1" tool
# ZED User-Agent (39.0) and others
# All versions of Firefox prior to 40.0 are blocked
SetEnvIfNoCase User-Agent Firefox\/[1-3]?[0-9]\.[0-9] tool
# BurpSuite spider User-Agent
SetEnvIfNoCase User-Agent "Trident/5.0" tool
SetEnvIfNoCase User-Agent "Arachni" tool
# Ruby-based web scraper
SetEnvIfNoCase User-Agent "Mechanize" tool
SetEnvIfNoCase User-Agent "Nikto" tool
SetEnvIfNoCase User-Agent "scrapy-redis" tool
SetEnvIfNoCase User-Agent "SQLmap" tool
SetEnvIfNoCase User-Agent "Vega" tool
SetEnvIfNoCase User-Agent "Wget" tool
SetEnvIfNoCase User-Agent "wpscan" tool
SetEnvIfNoCase User-Agent "360Spider" scum
SetEnvIfNoCase User-Agent "AhrefsBot" scum
SetEnvIfNoCase User-Agent "ADmantX" scum
SetEnvIfNoCase User-Agent "Blexbot" scum
SetEnvIfNoCase User-Agent "Buzzbot" scum
SetEnvIfNoCase User-Agent "CRAZYWEBCRAWLER" scum
SetEnvIfNoCase User-Agent "DomainCrawler" scum
SetEnvIfNoCase User-Agent "Ezooms" scum
SetEnvIfNoCase User-Agent "GetIntent" scum
SetEnvIfNoCase User-Agent "GrapeshotCrawler" scum
SetEnvIfNoCase User-Agent "ias_crawler" scum
SetEnvIfNoCase User-Agent "James Bot" scum
SetEnvIfNoCase User-Agent "linkdexbot" scum
SetEnvIfNoCase User-Agent "ltx71" scum
SetEnvIfNoCase User-Agent "MaxPointCrawler" scum
SetEnvIfNoCase User-Agent "MJ12bot" scum
SetEnvIfNoCase User-Agent "proximic" scum
SetEnvIfNoCase User-Agent "Qwantify" scum
SetEnvIfNoCase User-Agent "RU_Bot" scum
SetEnvIfNoCase User-Agent "SEOkicks" scum
SetEnvIfNoCase User-Agent "SemrushBot" scum
SetEnvIfNoCase User-Agent "seoscanner" scum
SetEnvIfNoCase User-Agent "SiteExplorer" scum
SetEnvIfNoCase User-Agent "SISTRIX" scum
SetEnvIfNoCase User-Agent "SurdotlyBot" scum
SetEnvIfNoCase User-Agent "TestiTest1" scum
SetEnvIfNoCase User-Agent "UptimeRobot" scum
SetEnvIfNoCase User-Agent "XoviBot" scum
SetEnvIfNoCase User-Agent "YFF35" scum
## Apache 2.2 access-control syntax; on Apache 2.4 this requires mod_access_compat
Deny from env=tool
Deny from env=scum
## End - Hacking and Miscreant block
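Before deploying rules like these it is worth replaying an access log against them to see exactly what each pattern would deny. The following Python script is an added example (not from the original post): it parses Apache Combined Log Format lines, applies a subset of the same User-Agent patterns as the .htaccess above, and tallies what would be blocked and which hosts probe wp-login.php. The two log lines from the post are reused; the other log lines, IPs and User-Agent strings are constructed samples.

```python
import re
from collections import Counter

# Apache Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Subset of the SetEnvIfNoCase patterns from the .htaccess above (SetEnvIfNoCase is case-insensitive).
# "tool" = scanners and attack tools, "scum" = unwanted crawlers.
UA_RULES = [
    (re.compile(r"^-?$", re.I), "scum"),                        # empty or "-" User-Agent
    (re.compile(r"Firefox/40\.1", re.I), "tool"),               # the wp-login probe signature
    (re.compile(r"Firefox/[1-3]?[0-9]\.[0-9]", re.I), "tool"),  # any Firefox before 40.0
    (re.compile(r"Nikto|SQLmap|wpscan|Arachni|Wget", re.I), "tool"),
    (re.compile(r"AhrefsBot|MJ12bot|SemrushBot", re.I), "scum"),
]

SAMPLE_LOG = [
    # The two entries quoted in the post
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    # Constructed: a real browser visit that must stay allowed
    '192.0.2.10 - - [15/Feb/2017:10:13:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"',
    # Constructed: a scanner-style User-Agent and an empty User-Agent, both probing wp-login.php
    '198.51.100.7 - - [15/Feb/2017:10:14:10 -0700] "GET /wp-login.php HTTP/1.1" 404 209 "-" "WPScan/constructed-sample"',
    '203.0.113.5 - - [15/Feb/2017:10:15:33 -0700] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"',
]

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it is not Combined Log Format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_ua(ua):
    """Return the env label ('tool' or 'scum') the rules would set for this User-Agent, or None."""
    for pattern, label in UA_RULES:
        if pattern.search(ua):
            return label
    return None

def audit(lines):
    """Replay log lines against the rules: ({label: Counter(user-agent)}, Counter(ip hitting wp-login.php))."""
    blocked = {"tool": Counter(), "scum": Counter()}
    wp_probes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in Combined Log Format
        label = classify_ua(rec["ua"])
        if label:
            blocked[label][rec["ua"]] += 1
        if rec["path"].startswith("/wp-login.php"):
            wp_probes[rec["ip"]] += 1
    return blocked, wp_probes

if __name__ == "__main__":
    blocked, wp_probes = audit(SAMPLE_LOG)
    for label, uas in blocked.items():
        for ua, n in uas.most_common():
            print(f"{label:5} {n:3}  {ua}")
    print("wp-login.php probes by host:", dict(wp_probes))
```

Reviewing the per-label output before enabling the Deny lines shows whether any pattern catches User-Agents you still want to serve.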
Update 9 Mar 2017:
Further research indicates that these machines are all part of a botnet, which is why they all share the same characteristics. Firefox 40.1 has never existed.