Fake Googlebot WordPress Login Bruteforce

… sigh.

A few hours ago we started seeing an interesting trend. A highly distributed set of clients is attempting to authenticate to WordPress sites using a very distinct pattern. Captures and initial analysis below.

Nothing particularly out of the ordinary here at first glance. The source IPs are coming from a large number of hosting providers, including OVH (go figure), Rackspace, AWS, and O2Switch. Each request spoofs a Googlebot user agent, which initially makes sense as an evasion tactic, until you realize that a) verifying Googlebot’s IP range is trivial, and b) there’s no reason Googlebot should be hitting that URL, so developing an IPS signature is trivial. The other interesting tidbit is that the ‘redirect_to’ param, a URL that WP core uses as part of the login process, contains the string ‘tes1a0’, for which I could find no reference to any meaning. Perhaps it’s just a marker for success?
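As an added example (not the FreeWAF signature or any code from this post), here is a small Python checker that applies the two observations above to Apache combined-format log lines: a forward-confirmed reverse DNS check on the Googlebot claim, and the fact that a real crawler never POSTs to wp-login.php, plus a match on the ‘tes1a0’ redirect marker. The log lines, addresses and DNS answers are constructed so the example runs offline.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jan/2015:11:02:17 +0000] "POST /wp-login.php?redirect_to=http%3A%2F%2Fexample.org%2Fwp-admin%2Ftes1a0 HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [14/Jan/2015:11:02:19 +0000] "GET /2015/01/some-post/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.44 - - [14/Jan/2015:11:02:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.org/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Firefox/34.0"',
]

# Constructed stand-in for DNS so the example runs offline: only 198.51.100.7
# has a googlebot.com PTR name that resolves back to the same address.
FAKE_PTR = {"198.51.100.7": "crawl-198-51-100-7.googlebot.com"}
FAKE_A = {"crawl-198-51-100-7.googlebot.com": {"198.51.100.7"}}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format line into ip, method, path, query and user agent."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"), "path": url.path,
            "query": parse_qs(url.query), "ua": m.group("ua")}

def verified_googlebot(ip, ptr=FAKE_PTR, fwd=FAKE_A):
    """Forward-confirmed reverse DNS: the PTR name must end in googlebot.com or
    google.com, and that name must resolve back to the original address."""
    host = ptr.get(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return ip in fwd.get(host, set())

def classify(line, ptr=FAKE_PTR, fwd=FAKE_A):
    """Return the reasons a request matches the spoofed-Googlebot login pattern."""
    e = parse_line(line)
    if e is None or "Googlebot" not in e["ua"]:
        return []
    reasons = []
    if not verified_googlebot(e["ip"], ptr, fwd):
        reasons.append("googlebot-ua-unverified-source")
    if e["path"] == "/wp-login.php" and e["method"] == "POST":
        reasons.append("googlebot-posting-to-wp-login")  # a real crawler never logs in
    if any("tes1a0" in v for v in e["query"].get("redirect_to", [])):
        reasons.append("tes1a0-redirect-marker")
    return reasons
```

To use it on a live server, replace FAKE_PTR/FAKE_A with real `socket.gethostbyaddr` / `socket.gethostbyname_ex` lookups and feed access-log lines to `classify`.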

I’m going to keep some packet captures running on a few honeypots and see if there’s any correlation in source address or target host. In the meantime, I’ve shot off a quick note to SANS ISC; I’d be interested to see if this behavior gets widely reported in the next few days. I also posted a signature for this behavior for FreeWAF.

Update 1: After grokking through some honeypot logs, the earliest I’ve seen this looks like 1100 UTC on January 13th (give or take a few hours). Because we first noticed this pattern while investigating an unrelated issue, it looks like the low-and-slow approach used by this botnet has been successful at avoiding detection so far.

Update 2: Started doing some brief analysis of honeypot logs from the last few hours. In one sample, 347 unique client IPs were captured. The most common one seen is an AWS instance, followed by servers from OVH and French service provider VeePee, all with more than 100 attempts; a number of sampled addresses were only captured once. The credentials used vary by domain, and seem targeted to users associated with the installation, indicating that the target usernames were iterated before the authentication traffic we’re seeing now was launched.

poprocks

Robert Paprocki is a security and software engineer, focusing on scalable and high-performance WAF deployments. He is also an OpenResty developer and contributor, and maintains a number of OpenResty libraries, including lua-resty-waf. Follow @_p0pr0ck5_ on Twitter for more.

4 thoughts to “Fake Googlebot WordPress Login Bruteforce”

  1. Problem could be greater than it seems. How to check if our server is infected (is part of a botnet):
    `grep -lir "lsicxvsnwb" /home`
    returns a list of infected files to remove.

    1. Thank you! Can you tell us what the string “lsicxvsnwb” is in reference to? Are there any known malware signatures for the presence of this file?

  2. Hi,

    thanks for your write-up. I stumbled across this googlebot today and your blog was the only source to confirm my thoughts.

    Can you tell more about the marker “lsicxvsnwb”? Has it perhaps changed? What else can I look for as a sign of an infection?

    Thank you very much!

    Arne
