16 February 2017

Firefox 40.1 and WordPress attacks


There are many attempts to brute-force the WordPress login page, even against websites that are not running WordPress.

Looking at an Apache access log, there seem to be many of these entries:

187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


All of these probes for the WordPress login page have one thing in common: they all report Firefox 40.1 as the User-Agent.

This makes them an easy target for blocking in an .htaccess file.

Here is an example of an .htaccess file to block many of these tools and robots:


## No directory listings
IndexIgnore *

## Can be commented out if it causes errors, see notes above.
Options +FollowSymLinks
Options -Indexes

## Mod_rewrite in use.
RewriteEngine On
RewriteBase /


## Block Hacking Tools and Miscreant bots by User-Agent
SetEnvIfNoCase User-Agent "^-?$" scum
# wp-login User-Agent
SetEnvIfNoCase User-Agent "Firefox/40.1" tool
# ZED User-Agent (39.0) and others:
# all versions of Firefox prior to 40.0 are blocked
SetEnvIfNoCase User-Agent Firefox\/[1-3]?[0-9]\.[0-9] tool
# BurpSuite spider User-Agent
SetEnvIfNoCase User-Agent "Trident/5.0" tool
SetEnvIfNoCase User-Agent "Arachni" tool
# Ruby-based web scraper
SetEnvIfNoCase User-Agent "Mechanize" tool
SetEnvIfNoCase User-Agent "Nikto" tool
SetEnvIfNoCase User-Agent "scrapy-redis" tool
SetEnvIfNoCase User-Agent "SQLmap" tool
SetEnvIfNoCase User-Agent "Vega" tool
SetEnvIfNoCase User-Agent "Wget" tool
SetEnvIfNoCase User-Agent "wpscan" tool

SetEnvIfNoCase User-Agent "360Spider" scum
SetEnvIfNoCase User-Agent "AhrefsBot" scum
SetEnvIfNoCase User-Agent "ADmantX" scum
SetEnvIfNoCase User-Agent "Blexbot" scum
SetEnvIfNoCase User-Agent "Buzzbot" scum
SetEnvIfNoCase User-Agent "CRAZYWEBCRAWLER" scum
SetEnvIfNoCase User-Agent "DomainCrawler" scum
SetEnvIfNoCase User-Agent "Ezooms" scum
SetEnvIfNoCase User-Agent "GetIntent" scum
SetEnvIfNoCase User-Agent "GrapeshotCrawler" scum
SetEnvIfNoCase User-Agent "ias_crawler" scum
SetEnvIfNoCase User-Agent "James Bot" scum
SetEnvIfNoCase User-Agent "linkdexbot" scum
SetEnvIfNoCase User-Agent "ltx71" scum
SetEnvIfNoCase User-Agent "MaxPointCrawler" scum
SetEnvIfNoCase User-Agent "MJ12bot" scum
SetEnvIfNoCase User-Agent "proximic" scum
SetEnvIfNoCase User-Agent "Qwantify" scum
SetEnvIfNoCase User-Agent "RU_Bot" scum
SetEnvIfNoCase User-Agent "SEOkicks" scum
SetEnvIfNoCase User-Agent "SemrushBot" scum
SetEnvIfNoCase User-Agent "seoscanner" scum
SetEnvIfNoCase User-Agent "SiteExplorer" scum
SetEnvIfNoCase User-Agent "SISTRIX" scum
SetEnvIfNoCase User-Agent "SurdotlyBot" scum
SetEnvIfNoCase User-Agent "TestiTest1" scum
SetEnvIfNoCase User-Agent "UptimeRobot" scum
SetEnvIfNoCase User-Agent "XoviBot" scum
SetEnvIfNoCase User-Agent "YFF35" scum

Deny from env=tool
Deny from env=scum
## End - Hacking and Miscreant block
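As an added dry-run check (example code, not part of the post), the Python below parses Apache combined-format log lines, applies a subset of the post's SetEnvIfNoCase patterns case-insensitively, and tallies hits per client and verdict. The sample lines are constructed apart from the two quoted above; one of them carries a stock Internet Explorer 9 User-Agent, which the "Trident/5.0" pattern also matches, so the run shows legitimate traffic a rule would catch as well.

```python
import re
from collections import Counter

# Patterns copied from the post's .htaccess; SetEnvIfNoCase matches them case-insensitively.
TOOL_PATTERNS = [
    r"Firefox/40.1",                  # the wp-login botnet signature
    r"Firefox\/[1-3]?[0-9]\.[0-9]",   # Firefox releases before 40.0
    r"Trident/5.0", r"Arachni", r"Mechanize", r"Nikto", r"scrapy-redis", r"SQLmap", r"Vega", r"Wget", r"wpscan",
]
SCUM_PATTERNS = [r"^-?$", r"AhrefsBot", r"MJ12bot", r"SemrushBot"]

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed sample; the first two lines are the ones quoted in the post
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '203.0.113.5 - - [15/Feb/2017:10:13:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0"',
    '203.0.113.6 - - [15/Feb/2017:10:13:02 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
]

def classify(ua):
    """Return 'tool', 'scum' or None: the env var the post's rules would set for this UA."""
    for label, patterns in (("tool", TOOL_PATTERNS), ("scum", SCUM_PATTERNS)):
        if any(re.search(p, ua, re.IGNORECASE) for p in patterns):
            return label
    return None

def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count requests per (ip, verdict) and record the request paths each source hit."""
    hits, paths = Counter(), {}
    for rec in filter(None, map(parse, lines)):
        key = (rec["ip"], classify(rec["ua"]) or "allow")
        hits[key] += 1
        parts = rec["request"].split()
        paths.setdefault(key, set()).add(parts[1] if len(parts) > 1 else rec["request"])
    return hits, paths

if __name__ == "__main__":
    hits, paths = summarize(SAMPLE_LOG)
    for key, n in sorted(hits.items()):
        print(*key, n, sorted(paths[key]))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; any "tool" or "scum" verdict on a client you expect to serve is a rule to reconsider before enabling Deny.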



Update 9 Mar 2017:
Further research indicates that these machines are all part of a botnet, which is why they all share the same characteristics. Firefox 40.1 has never existed.

3 comments:

  1. I unblocked it to see what would happen. I had hundreds of requests for / and wp-login.php in one day before I blocked it again.

  2. I found a write-up on this issue here:
    https://www.wordfence.com/blog/2017/04/home-routers-attacking-wordpress/

  3. Thanks for this great post, I find it very interesting and very well thought out and put together. I look forward to reading your work in the future. 24h schlüsseldienst
