
Wordpress Attack Scanner


digip


My site gets attacked daily, and for whatever reason, someone or some group truly wants into my site. This has been going on for about two years now, and they are pretty relentless, hitting me a few hundred times a day, sometimes taking it down with DoS attacks, and almost always with the same stupid attacks, looking for TimThumb flaws in my site, so they can try to get a reverse shell.

They also try a number of other types of attacks as well, like XSS, SQLi, RFI and LFI attacks, all of which fail, but nonetheless, they keep trying.

So I started writing a decoder and grepping my logs every day for all of their shell scripts. After a few weeks of downloading and decoding their shell scripts, I realized this wasn't some random drive by, but targeted attacks. I went on the offensive, and started tracking down the attackers, their sites, the sites they compromised and so on. A few people took notice on Twitter about my complaining and such, one of whom is our very own Brian Wallace, aka Bwall, from the forums and FireBwall and Ballast Security. He took a look at what I was doing, and wrote his own decoder, which decodes more types of obfuscation than my decoder was doing. This also spawned a few papers he wrote on the subject of RFI attacks and Bot-Nets that he invited me to work on with him and MaXe from Inern0t.

When the paper was done, I had collected somewhere around 200 MB of shell scripts, perl and php bots, and so on. What was I going to do with all these files? Nothing really, but I was using the decoded bots and scripts to track down who my attackers were, and with the help of Brian, shutting down some of these bot nets. My attackers didn't seem to like that too much, and as such, took notice of the paper Bwall had written and also the decoder site we were using to reverse their bots and infiltrate their IRC channels.

Then it dawned on me: we needed an easier way to catch these attacks. Instead of me grepping logs on a daily basis, we needed an attack scanner to do the work for us. Initially, all we were doing was sending any RFI attack to FireBwall.com, and while that's great for decoding and collecting their shell scripts, I figured if we were going to be checking and logging these attacks, we might as well start blocking them as well.

That's when I asked Brian to help me re-write some horrible code I had thrown together to log the attacks, and he turned it into a nice little Firewall for WordPress. Right now, we have a free version of our WordPress Attack Scanner Plug-in up for anyone to download and use, check it out and see what's happening to your own WordPress based site. You might be surprised by some of the things you see show up on the logs.

The free version is only a logging utility, which lets you see what attacks were tried against your site, but also where and who your attackers are. We do Geo-IP lookups from our own database now as well, and offer some basic stats on the various attacks.

wp-attack-scanner.png

Here is a sample of what one of the attacks looks like. We're still working on this and will also be releasing the full blown Firewall based version within the next few weeks, but we wanted to offer up the free one to anyone who wants to give it a try, send us feedback, feature requests, bugs or hacks you may have discovered with it, etc, and we will be sure to add those fixes and look into adding more features.

Again, this is still under heavy development, but we wanted to give everyone a chance to try it out and give us some feedback on what they thought. While the free version does not block the attacks, it's still a very useful tool in discovering things you might not have known were happening to your WordPress based site.

Check out http://www.attack-scanner.com/wp-attack-scanner-firewall.php to see all the things we currently check for. If you have ideas on things we should add, we're all ears!!

Also, another plug-in I wrote, that works well with this one, is a Login Alerts plug-in that notifies you when someone is trying to brute force their way into your WordPress site. One of the things our attack scanner does is check to see if anyone is trying to do user name enumeration. If they find the true admin name for the site, they will then try brute forcing their way in, and WordPress by default has no lockout periods or ways to notify site owners this is happening, so check out our Attack Scanner as well as our Login Alerts plug-in and let us know what you think.

Links to both can be found on http://www.attack-scanner.com

We're also going to be working with Dave Kennedy, aka Rel1k of TrustedSec and SET fame, to integrate the Artillery IP Ban list from his central database of banned attackers, so hopefully we'll have that in the full version when we are ready to release sometime before Derbycon is here.

Thanks guys, let us know what you think, or if you run into any problems with installing them, etc.

Big shout out to Bwall for all his help.

You can learn more about this project on our site.

NOTE!!! Once you activate the attack scanner, go to the configuration panel, and CHANGE THE DEFAULT PASSWORD!!! If you don't, and someone sees you are running it, they can download and read your logs. This password encrypts your logs, and if you forget what the password is when migrating the file to another site running the same plug-in, there is no way to read the logs without the original password you used to encrypt the logs!!


Thanks. Let me know what you think when you get it installed and running. Not sure how much traffic or attacks you get on your site, but I list a few of the ones we check for on the site, so give those a try, see what happens. Just do them when not logged into WordPress, or it ignores the attack scan. It only logs attacks from non-authenticated users, so log out before testing stuff to see what it catches. If you trigger one, you'll get a message about the attack ;)


This is really interesting! Good work and thanks for the links. I have to admit, it was not quite what I was expecting when I saw the title "attack scanner", but now I see what you mean ;) Is it open source?

Now... any thoughts on how to evade/exploit this scanner? :ph34r: Proxies/Tor/VPN should help with the IP part, but ideally a hacker would want to avoid being logged altogether and/or actually exploit this software somehow.

If you needed to pen test a site where this might be installed would it be possible to use a bunch of free proxies and to launch a flood of automated attacks that would set it off and hopefully either crash it or at least make your real attack a needle in the haystack of red herring attacks using all those free proxies?



Feel free to download, install it on your own WordPress machine, and then give it a shot, see what works, what doesn't, what flaws you find, etc. We're all ears. We actually WANT people to test it and try to break it, because we want to fix any flaws or holes that might be in it. The free version doesn't block anything by the way. It only logs the attacks. The Full version, which we are still working on, if it sees something on the logs, it's also blocked at the same time via its built in Firewall. That version is not yet public or nearly finished adding everything we want in it.

By the way, we resolve IP addresses, and I personally have seen a number of TOR exit nodes trying to attack my site. If need be, we could put something in there to block TOR altogether. Won't work for every type of proxy, but TOR is fairly easy to detect, and they even publish a list of known TOR exit nodes that you can check against, so it won't help you to attack just because you're hiding your true IP. If the attack is picked up in the full version, it's going to be blocked no matter what the IP is.

http://exitlist.torproject.org/

http://www.irongeek.com/i.php?page=security/detect-tor-exit-node-in-php

Edited by digip

We've updated the plug-in quite a bit, added some more stats on the attackers, things like most attacked plug-in and most attacked themes. I've also developed a plug-in, stand alone, that will also block TOR Exit Nodes from WordPress. Mainly because I now see enough attacks on the Attack Scanner, coming from TOR users, that I figured, why the hell not.

I love TOR, and it's a great tool for legit reasons such as countries that try to suppress users from access to certain sites or for censorship, something I am completely against. However, TOR is also widely used to attack sites with the attackers thinking they can get away with anything if they are using TOR. Because of this, and because of the seen attacks on my own site, I now give you "TOR Block" for WordPress: http://www.attack-sc...tor-blocker.php

It keeps count of how many TOR Exit Nodes it has blocked, and also displays a message to the TOR user about why they were blocked and how many others have been blocked!

tor-block.png

Edited by digip
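The exit-node check described two posts up, and the blocked-visit counter and message that the "TOR Block" post mentions, as an added example. This is not code from the Attack Scanner or TOR Block plug-ins; it is a plain PHP sketch of the same idea. The list in $sample_list is constructed sample data using documentation-range addresses, and the option name tor_block_count is assumed, not the plug-in's.

```php
<?php
// Added example, not code from the Attack Scanner or TOR Block plug-ins.
// Compares the visitor's address with a list of Tor exit nodes (one address
// per line, as the published exit list is laid out), refuses the request and
// keeps a count of blocked visits. $sample_list is constructed data.

/** Parse an exit-node list into a lookup table keyed by canonical IP text. */
function load_exit_nodes(string $raw): array
{
    $nodes = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                      // comments and blank lines
        }
        $packed = @inet_pton($line);
        if ($packed === false) {
            continue;                      // malformed entry: skip it, never trust it
        }
        $nodes[inet_ntop($packed)] = true; // canonical form, so "::1" and "0::1" match
    }
    return $nodes;
}

/** True when $ip (any textual IPv4/IPv6 form) appears in the table. */
function is_tor_exit(string $ip, array $nodes): bool
{
    $packed = @inet_pton($ip);
    return $packed !== false && isset($nodes[inet_ntop($packed)]);
}

/** Only REMOTE_ADDR is trusted; X-Forwarded-For is visitor-controlled unless a trusted proxy sets it. */
function client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

/** Increment and return the blocked-visit counter (WordPress options API when loaded). */
function bump_block_count(): int
{
    if (function_exists('get_option') && function_exists('update_option')) {
        // 'tor_block_count' is an assumed option name for this example
        $n = (int) get_option('tor_block_count', 0) + 1;
        update_option('tor_block_count', $n);
        return $n;
    }
    static $n = 0;                         // fallback when run outside WordPress
    return ++$n;
}

// Constructed sample list; a real deployment reads a periodically refreshed
// copy of the published exit list from disk instead of a literal string.
$sample_list = "# exit nodes (sample)\n203.0.113.10\n198.51.100.7\n2001:db8::1\nnot-an-ip\n";
$nodes = load_exit_nodes($sample_list);

if (is_tor_exit(client_ip(), $nodes)) {
    $count = bump_block_count();
    // In a plug-in this belongs on the 'init' hook, before any output is sent.
    if (!headers_sent()) {
        http_response_code(403);
    }
    echo 'Requests from Tor exit nodes are blocked here. Blocked so far: ' . (int) $count;
    exit;
}
```

Two design points worth keeping from the thread: the match is on the real peer address only, since anything in X-Forwarded-For is chosen by the visitor unless a trusted reverse proxy overwrites it, and a stale list fails in the direction of letting traffic through, which is why the list needs to be refreshed on a schedule rather than fetched once at install time.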

Checking out the "TOR Block" plug in. Apart from that, you've done an amazing job.

Edited by Infiltrator


You have a WordPress site? Just wondering if you've tried the Attack Scanner too, and if you've caught anything on the logs. Some of the things that get caught look like false positives for RFI attacks, but because of how we do the RFI lookup, we catch things that, while they aren't true RFI attacks, are still attacks of other kinds. One in particular someone on the TOR network has been trying was to attack a plug-in I don't have installed, and it showed as an RFI when in fact they were trying to inject spoofed data into the plug-in.

We actually found the plug-in the person was trying to attack, and from viewing the source code, realized it wasn't sanitizing the data sent by the visitors, so you could spoof your user agent and in the process send XSS attacks to the admin reading it. If they had a web based email client that natively allowed Javascript, like some smartphones or just plain web page based email systems (aside from Gmail and such) that allowed the XSS to run, the attacker could scrape the admin's session, cookies, url, etc, potentially gaining access to their email account. Then they could send a password reset for WordPress, intercept the change password link and login as the admin to their site. I notified the authors, but they have not responded nor updated the plug-in in over 2 years, so I will be publishing the findings tomorrow on my site.

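The defect described in the post above, a visitor-supplied User-Agent rendered to the admin without sanitizing, beside the hardened form, as an added example. This is not the code of the plug-in the post refers to (which is not named) and not the Attack Scanner's code; the function names are this example's own, and the WordPress helpers esc_html() and wp_mail() are used only when WordPress is loaded.

```php
<?php
// Added example, not the plug-in the post refers to. The User-Agent header is
// visitor-controlled. visitor_row_unsafe() shows the defect (raw header written
// into admin HTML); visitor_row_safe() escapes at the point of output; the
// alert e-mail is sent as text/plain so a web mail client never treats it as
// markup. Function names here are the example's own.

/** Defective: the header value becomes part of the admin page's HTML. */
function visitor_row_unsafe(string $user_agent): string
{
    return '<tr><td>' . $user_agent . '</td></tr>';
}

/** Hardened: escape on output (esc_html() is the WordPress core helper). */
function visitor_row_safe(string $user_agent): string
{
    $escaped = function_exists('esc_html')
        ? esc_html($user_agent)
        : htmlspecialchars($user_agent, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $escaped . '</td></tr>';
}

/** Keep stored header values bounded and free of control characters. */
function clean_header_value(string $value, int $max = 512): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return mb_substr($value, 0, $max);
}

/** Alert e-mail as text/plain: anything markup-like in the header is shown, not run. */
function send_alert_plain(string $to, string $ip, string $user_agent): bool
{
    $body    = "Login attempt recorded\nIP: {$ip}\nUser-Agent: {$user_agent}\n";
    $headers = ['Content-Type: text/plain; charset=UTF-8'];
    if (function_exists('wp_mail')) {
        return wp_mail($to, 'Login alert', $body, $headers);
    }
    return mail($to, 'Login alert', $body, implode("\r\n", $headers));
}

// Usage: clean the header once on the way in, escape every time it is shown.
$ua = clean_header_value($_SERVER['HTTP_USER_AGENT'] ?? '');
echo visitor_row_safe($ua);
```

The two places this data reaches the admin are the dashboard table and the e-mail, and each needs its own treatment: escaping is tied to the HTML context of the page, while for mail the simplest defence is to never send HTML at all. Cleaning on input is a bound on size and control characters only; it is not a substitute for escaping on output.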

By the way, if you have any ideas for new features, bugs, and/or holes please don't hesitate to contact either digip or me. :)


Show some love and give us some feedback on the new site: http://www.attack-scanner.com

Our WordPress Firewall and Attack Scanner is finished, we just have to tidy up a few back end things on the site for the central logging and stats for subscribers, but we could really use some feedback from the community.

Thanks in advance!



Hi Digip,

Thank you very much for your response and as always very welcomed and educational. I don't have a WordPress site yet, but looking to get one soon, so that I can host my website. I will definitely look into securing my website with your plug ins once it's up and running. I will also try to keep you posted if anything comes up.



We currently implement TrustedSec's (Dave ReL1k's) Artillery Block list, and have a user defined block list implemented in the pro version. Are there any other block lists you guys think would be a good idea?


Man, you guys, once again, rock. I have been to your scanner site, and it looks phenomenal!

One day, Uncle Digipetto, I will be a real boy!

Edited by Pwnd2Pwnr
