Dirty Penguins!

One of the WordPress-powered blogs I admin is currently under attack, not this one mind you, but another. It’s a fairly typical brute force password guessing attempt hitting the admin account. From what I am seeing, it appears it’s somewhat automated and it’s using a botnet of sorts, so that as soon as one IP gets blocked, another attempt on the account occurs from another IP address.

So I’m logging all these attempts and not really actively trying to thwart the aggressor, but they have been so persistent, going on months now, that I’ve decided to investigate a bit. I grabbed a handful of IP addresses and I was surprised that so far every host attacking my system is running some flavour of Linux. To be honest, I was expecting home users and Windows OS to be the culprit. Most of these hosts I’m finding are running FTP, SSH and web servers. If I visit the websites they seem fairly legit; I expect the site owners have no clue their systems are being coerced into a life of crime.
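The rotate-on-block behaviour described above is the reason a per-IP login limiter alone does not end this kind of campaign. The script below is an added example, not code from the original post: it parses Apache combined-format access log lines for POSTs to wp-login.php and sshd "Failed password" lines from auth.log, then reports both the per-IP counts a limiter would act on and the distinct-source-IP counts that still show the attack once each address is blocked and replaced. Every log line in it is a constructed sample using TEST-NET addresses; the thresholds are assumptions to tune for a real site.

```python
"""Spot the rotate-on-block brute force pattern in web and SSH logs.

Added example, not code from the original post. Per-IP counts are what a
limiter blocks on; distinct-source-IP counts survive an attacker swapping
addresses. All log lines are constructed samples (TEST-NET addresses).
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines, not taken from the original post's servers.
ACCESS_LOG = """\
203.0.113.10 - - [12/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:03:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:03:16:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:03:17:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:03:18:00 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:03:18:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
Apr 12 03:20:01 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Apr 12 03:20:04 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Apr 12 03:21:17 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 40211 ssh2
Apr 12 03:22:40 web1 sshd[2219]: Failed password for invalid user admin from 198.51.100.8 port 40300 ssh2
Apr 12 03:23:02 web1 sshd[2225]: Accepted publickey for deploy from 192.0.2.44 port 55000 ssh2
"""

# Apache combined log format: client IP, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# sshd logs failed logins with or without the "invalid user" prefix.
SSHD_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def wp_login_failures(lines):
    """Counter of source IP -> failed wp-login.php POSTs.

    WordPress answers a failed login with 200 (form re-rendered with an
    error) and a success with a 302 redirect to wp-admin, so a 200 on a
    POST to wp-login.php is counted as a failure.
    """
    failures = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if (m['method'] == 'POST' and m['path'].startswith('/wp-login.php')
                and m['status'] == '200'):
            failures[m['ip']] += 1
    return failures


def sshd_failures(lines):
    """Dict of target account -> Counter(source IP -> failures)."""
    per_user = defaultdict(Counter)
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            per_user[m['user']][m['ip']] += 1
    return per_user


def noisy_ips(failures, per_ip_threshold=3):
    """IPs that a simple per-IP limiter would block (threshold is an assumption)."""
    return sorted(ip for ip, n in failures.items() if n >= per_ip_threshold)


def is_distributed(failures, distinct_ip_threshold=3):
    """True when failures arrive from at least N distinct IPs: the pattern
    where each blocked address is promptly replaced by another."""
    return len(failures) >= distinct_ip_threshold


def targeted_accounts(per_user, distinct_ip_threshold=2):
    """Accounts hit from at least N distinct source IPs."""
    return sorted(u for u, c in per_user.items() if len(c) >= distinct_ip_threshold)


def report(access_text=ACCESS_LOG, auth_text=AUTH_LOG):
    """Summary dict built from both logs; defaults use the constructed samples."""
    web = wp_login_failures(access_text.splitlines())
    ssh = sshd_failures(auth_text.splitlines())
    return {
        'wp_failures_per_ip': dict(web),
        'wp_noisy_ips': noisy_ips(web),
        'wp_distributed': is_distributed(web),
        'ssh_targeted_accounts': targeted_accounts(ssh),
    }


if __name__ == '__main__':
    for key, value in report().items():
        print(f'{key}: {value}')
```

On the sample data only one address trips the per-IP threshold, yet the distinct-IP check still flags the web login as distributed, which is the signal worth alerting on when single-address blocks keep being sidestepped. Feed it real files with `report(open('access.log').read(), open('auth.log').read())`.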

I have half a mind to run a vulnerability scan against the attacking hosts to see if I can figure out how they were exploited in the first place. Maybe they were running WordPress themselves, wouldn’t that be interesting.

This all doesn’t lend much credence to the overblown belief that Linux systems are somehow inherently more secure than Windows. The same thing holds true for any OS: if you aren’t locking the gate and manning the walls, someone is going to take advantage. In addition to the WordPress login activity, there is also currently an SSH brute force going on; it too is from a Linux host, but I do not think it’s necessarily related.

I recommend the WordPress Limit Logins plugin; at the very least it can be configured to give you a heads-up when something nefarious is afoot. Of course, I also recommend keeping things patched, especially any public-facing services that could potentially have known exploits.

Nmap results below are fairly typical of attacking hosts:

PORT      STATE  SERVICE    VERSION
21/tcp    open   ftp        PureFTPd
22/tcp    open   ssh        OpenSSH 4.7 (protocol 2.0)
43/tcp    closed whois
80/tcp    open   http       Apache httpd
443/tcp   open   ssl/http   Apache httpd
8021/tcp  closed ftp-proxy
8080/tcp  closed http-proxy

UPDATE: (4/13/2013)

Dumped some of the offending IP addresses from a few hosts and compiled a list, posted to PasteBin http://pastebin.com/eCjGyyBR – you could use the list for null routes, .htaccess, firewall ACL, TCP Wrappers etc. Some of the addresses are serious repeat offenders, while others appear only once.
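Turning a raw address dump into rules for the enforcement points named above is mostly a matter of validating the entries so a stray line never becomes a broken rule, and keeping the hit counts so repeat offenders stand out. The script below is an added example, not code from the original post and not the PasteBin contents: it reads a one-address-per-line list (duplicates meaning repeat hits), canonicalises each entry with Python's `ipaddress` module, and emits fragments for .htaccess (Apache 2.2 `Order/Deny` syntax, current when the post was written), TCP Wrappers' hosts.deny, an iptables/ip6tables ACL, and blackhole routes. The list embedded in it is a constructed sample using TEST-NET and documentation addresses.

```python
"""Turn a list of offending IPs into block rules for several enforcement points.

Added example, not code from the original post or the PasteBin list it links.
The list below is a constructed sample, not the real PasteBin contents.
"""
import ipaddress
from collections import Counter

SAMPLE_LIST = """\
# constructed sample, not the PasteBin list
203.0.113.10
203.0.113.10
198.51.100.7
203.0.113.10
not-an-address
198.51.100.8
2001:db8::bad
203.0.113.10
"""


def load_offenders(text):
    """Counter of canonical address -> occurrences.

    Blank lines, comments and anything ipaddress rejects are skipped, so
    junk in the list cannot end up as a malformed deny rule.
    """
    counts = Counter()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        try:
            counts[str(ipaddress.ip_address(entry))] += 1
        except ValueError:
            continue
    return counts


def _ordered(counts):
    """IPv4 before IPv6, numerically sorted within each family."""
    return sorted(counts, key=lambda a: (ipaddress.ip_address(a).version,
                                         ipaddress.ip_address(a)))


def repeat_offenders(counts, min_hits=2):
    """Addresses seen at least min_hits times (threshold is an assumption)."""
    return [ip for ip in _ordered(counts) if counts[ip] >= min_hits]


def htaccess_rules(counts):
    """Apache 2.2 mod_authz_host: Deny entries override the Allow from all."""
    lines = ['Order Allow,Deny', 'Allow from all']
    lines += [f'Deny from {ip}' for ip in _ordered(counts)]
    return '\n'.join(lines)


def hosts_deny_rules(counts):
    """TCP Wrappers hosts.deny: refuse every wrapped service per address."""
    return '\n'.join(f'ALL: {ip}' for ip in _ordered(counts))


def iptables_rules(counts):
    """Firewall ACL; IPv6 addresses have to go through ip6tables."""
    out = []
    for ip in _ordered(counts):
        tool = 'iptables' if ipaddress.ip_address(ip).version == 4 else 'ip6tables'
        out.append(f'{tool} -A INPUT -s {ip} -j DROP')
    return '\n'.join(out)


def null_routes(counts):
    """Blackhole host routes so replies to the offender are dropped."""
    out = []
    for ip in _ordered(counts):
        addr = ipaddress.ip_address(ip)
        flag = '' if addr.version == 4 else '-6 '
        out.append(f'ip {flag}route add blackhole {addr}/{addr.max_prefixlen}')
    return '\n'.join(out)


if __name__ == '__main__':
    offenders = load_offenders(SAMPLE_LIST)
    print('repeat offenders:', repeat_offenders(offenders))
    for title, render in (('.htaccess', htaccess_rules), ('hosts.deny', hosts_deny_rules),
                          ('iptables', iptables_rules), ('null routes', null_routes)):
        print(f'\n# {title}\n{render(offenders)}')
```

Run it against a saved copy of the list with `load_offenders(open('offenders.txt').read())`; the rendered fragments are meant to be reviewed before they go into a live configuration, since a single private or shared address in the list would lock out more than the attacker.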