Profile of a Russian Attack IP


At Wordfence we track attacks across all our customer sites, both free and paid, to learn more about attacker tactics, techniques and procedures (TTPs). Mining this data helps us improve the Wordfence Firewall, Wordfence Scan and our other features, and do a better job of keeping you safe.

We use a large distributed cluster to mine the huge volume of attack data we receive. In the past 7 days alone we logged 16.6 million attacks.

Analyzing our data has been incredibly productive, and in the coming weeks we will share additional insights. For today’s post we want to share some detail on the single IP address responsible for the most attacks on our WordPress customer sites during the past 7 days.

The IP begins with 46.161.X.X. We’re not sharing the full address, and in general we will mask the addresses of attacking IPs in case those servers contain vulnerabilities: we don’t want to create new targets for attack. So for the sake of conversation, let’s call this IP address Ivan.

Ivan has been a very bad IP address. In the past 7 days he launched 2,036,508 attacks on our customer sites, all of which we blocked.

The next highest attacking IP address is responsible for 468,661 attacks, so Ivan is head and shoulders above every other attack IP during the past week, with more than four times the volume of the runner-up.

In fact Ivan is responsible for over 12% of all the attacks on all WordPress sites that Wordfence protects (2,036,508 of 16.6 million). That’s quite an achievement.

During the past 7 days we blocked attacks from 77,939 unique IPs. This gives you an idea of how many attackers there are out there. Ivan has quite a lot of competition and, despite that, he managed to come out at number 1.

During the past 7 days Ivan attacked 32,091 unique websites.

97% of attacks from this IP address tried to download the wp-config.php file, using a wide range of arbitrary file download vulnerabilities in both plugins and themes. wp-config.php holds the site’s database credentials and authentication salts, so a single successful download is enough to take the site over.

The themes that Ivan attacked are shown in the following table, along with the total number of attacks launched against each theme across all sites and the number of unique sites attacked by trying to exploit a vulnerability in that theme.

All these attacks use known file download vulnerabilities except one, which may be a zero-day vulnerability, so we are redacting the name of that theme (marked with an asterisk).

Theme name Total attacks Unique sites attacked
infocus 83095 20587
acento 43898 20481
XXXXX* 43613 20340
jarida 43451 20292
markant 43307 20259
yakimabait 43291 20300
tess 43015 20110
felis 42854 20030
ypo-theme 42671 19995
persuasion 41527 20316
echelon 41398 20264
modular 41322 20263
awake 41123 20145
fusion 41012 20132
method 40908 20101
myriad 40702 20007
elegance 40677 19976
dejavu 40551 19997
construct 40278 19882
epic 37141 17850
linenity 36656 17619
parallelus-salutation 36586 17623
trinity 36295 17503
antioch 36180 17322
urbancity 36118 17416
parallelus-mingle 35740 17179
authentic 35683 17073
churchope 35532 17040
lote 35445 17027


The following table shows the plugins that Ivan is attacking. In every case the attacker is using an arbitrary file download vulnerability in the plugin to try to download wp-config.php. All the plugins have known arbitrary file download vulnerabilities except one, which may be a zero-day and which we’ve redacted from this report (marked with an asterisk).

Plugin Name Total attacks Unique Sites Attacked
filedownload 46037 21373
ajax-store-locator-wordpress 44123 20558
plugin-newsletter 38227 18351
pica-photo-gallery 37795 18126
simple-download-button-shortcode 37684 18066
wp-filemanager 37457 17236
tinymce-thumbnail-gallery 37270 17888
dukapress 36697 17495
XXXXXX* 36303 17358
db-backup 34966 16627


One of the things we examined when looking at data from this IP address is whether any cloud WAF providers are blocking these attacks. We were surprised to see that 58,089 attacks from this IP in the past week came in through Cloudflare’s servers and were not blocked there. These attacks targeted 1,183 unique websites. In each case the attack passed through a Cloudflare server and was blocked by Wordfence.

The attacks exploit well known vulnerabilities. These customers may be running Cloudflare’s free package, which includes “broad security protection” but does not include a WAF. In each case the request we received came via Cloudflare and carried the header Cloudflare adds to identify the original client, naming the attacker we’re analyzing:

Cf-Connecting-Ip: 46.161.X.X

One caveat if you repeat this analysis on your own logs: any client can send a Cf-Connecting-Ip header, so it only identifies the real source when the request’s TCP peer is actually one of Cloudflare’s published IP ranges. A request with that header from a non-Cloudflare address is spoofed and should be attributed to the peer address instead.
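As an added example (not code from the original post or from Wordfence), here is a small Python script that does the two things discussed above over an access log: it flags requests whose query parameters try to pull wp-config.php through an arbitrary file download endpoint (including double-encoded traversal), and it attributes each attempt to the real client, honouring Cf-Connecting-Ip only when the request actually arrived from a Cloudflare range. The log format, the site names, the plugin and theme slugs (example-plugin, example-theme), the addresses and the log lines themselves are all constructed for the example; the Cloudflare ranges are an illustrative subset of the published list.

```python
"""Flag arbitrary-file-download attempts against wp-config.php in an access log
and attribute each to the real client, trusting Cf-Connecting-Ip only when the
TCP peer is a Cloudflare edge. Added example: every address, slug and log line
below is constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Illustrative subset of Cloudflare's published IPv4 ranges. In production load
# the current list from https://www.cloudflare.com/ips-v4 rather than hard-coding.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumed log format (nginx-style: $host first, and the Cf-Connecting-Ip request
# header appended as a final quoted field, "-" when absent):
#   host remote - - [time] "METHOD target PROTO" status bytes "referer" "ua" "cf_ip"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cf_ip>[^"]*)"$'
)
COMPONENT_RE = re.compile(r'/wp-content/(plugins|themes)/([^/?]+)/')

# Constructed sample: direct attack, attack via Cloudflare, spoofed Cf header,
# a benign download, and a double-encoded traversal.
SAMPLE_LOG = """\
site-a.example 203.0.113.5 - - [01/Jan/2016:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0" "-"
site-b.example 173.245.48.10 - - [01/Jan/2016:10:00:02 +0000] "GET /wp-content/themes/example-theme/download.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0" "203.0.113.5"
site-b.example 198.51.100.7 - - [01/Jan/2016:10:00:03 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../wp-config.php HTTP/1.1" 403 0 "-" "curl/7.47" "203.0.113.5"
site-a.example 192.0.2.44 - - [01/Jan/2016:10:00:04 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=brochure.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
site-b.example 203.0.113.5 - - [01/Jan/2016:10:00:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0" "-"
"""


def is_wpconfig_download_attempt(target):
    """True when any query parameter points at wp-config.php through path
    traversal or an absolute path. parse_qs decodes once; decoding a second
    time catches double-encoded payloads such as %252e%252e%252f."""
    query = urlsplit(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote(value).replace("\\", "/").lower()
            if "wp-config" in decoded and (".." in decoded or decoded.startswith("/")):
                return True
    return False


def client_ip(remote, cf_ip):
    """Return (attacker_ip, provenance). Cf-Connecting-Ip is only trustworthy
    when the peer is a Cloudflare edge; from anyone else it is spoofed."""
    has_header = cf_ip not in ("", "-")
    if has_header and any(ipaddress.ip_address(remote) in net for net in CLOUDFLARE_NETS):
        return cf_ip, "cloudflare"
    if has_header:
        return remote, "spoofed-cf-header"
    return remote, "direct"


def profile_attackers(log_text):
    """Aggregate wp-config.php download attempts per attacking IP: attempt
    count, targeted sites, targeted plugin/theme slugs and how it arrived."""
    stats = defaultdict(lambda: {"attempts": 0, "sites": set(),
                                 "components": set(), "provenance": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wpconfig_download_attempt(m["target"]):
            continue
        ip, how = client_ip(m["remote"], m["cf_ip"])
        entry = stats[ip]
        entry["attempts"] += 1
        entry["sites"].add(m["host"])
        comp = COMPONENT_RE.search(m["target"])
        if comp:
            entry["components"].add(f"{comp.group(1)}/{comp.group(2)}")
        entry["provenance"][how] += 1
    return dict(stats)


if __name__ == "__main__":
    ranked = sorted(profile_attackers(SAMPLE_LOG).items(),
                    key=lambda kv: -kv[1]["attempts"])
    for ip, entry in ranked:
        print(ip, entry["attempts"], sorted(entry["sites"]),
              sorted(entry["components"]), dict(entry["provenance"]))
```

On the constructed sample the script attributes three attempts to 203.0.113.5 (two direct, one via a Cloudflare edge) and one to 198.51.100.7, whose forged Cf-Connecting-Ip is ignored; the benign brochure.pdf request is not flagged. The same split between "came via Cloudflare" and "direct" is what distinguishes the 58,089 Cloudflare-routed attacks above from the rest of Ivan’s traffic.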

The attacking IP we’ve dubbed ‘Ivan’ is based in St. Petersburg, Russia, and is operated by “Petersburg Internet Network ltd.”. The host runs Debian Linux with a range of services including an FTP daemon, a web server (serving a placeholder page), mail services and SSH.

What to do

We are working to contact the net block owner and have this IP shut down. It is already on our internal blacklists, and its attacks are blocked by the Wordfence firewall.

If you’re a theme or plugin developer and your theme or plugin is listed above, we recommend you put some effort into ensuring that all your customers have upgraded to your newest version, assuming you’ve fixed the vulnerability. This IP is exploiting these vulnerabilities because they produce results, so it’s likely there are still vulnerable sites out there.
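As an added example (not code from the original post, nor from any of the listed themes or plugins), here is the pattern behind these arbitrary file download bugs beside a hardened version. The affected themes and plugins are PHP; the check is shown in Python because it is the same in either language: accept only a bare file name of an allowed type, resolve the final path, and refuse anything that lands outside the download directory. The directory layout and file names built in demo() are constructed for the example.

```python
"""Vulnerable versus hardened download path resolution. Added example; the
temporary directory tree in demo() is constructed for illustration."""
import os
import tempfile

# Hypothetical allow-list of what a download endpoint should ever serve.
ALLOWED_SUFFIXES = (".pdf", ".zip")


def resolve_vulnerable(base_dir, requested):
    """The shape of the bug: the caller-supplied name is joined onto a
    directory and handed straight to readfile()/open(), so
    ?file=../../../../wp-config.php walks out of base_dir."""
    return os.path.join(base_dir, requested)


def resolve_hardened(base_dir, requested):
    """Return the absolute path to serve, or None if the request is not a
    plain file name, has a disallowed type, or resolves outside base_dir."""
    base = os.path.realpath(base_dir)
    # Reject embedded NULs and anything that is not a bare file name.
    if "\0" in requested or os.path.basename(requested) != requested:
        return None
    if not requested.lower().endswith(ALLOWED_SUFFIXES):
        return None
    # realpath also resolves symlinks, so a link planted inside base_dir that
    # points at wp-config.php is rejected by the containment check below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a throwaway tree (downloads/brochure.pdf beside a wp-config.php
    one level up) and compare the two resolvers on the same inputs."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")
        os.mkdir(downloads)
        with open(os.path.join(downloads, "brochure.pdf"), "w") as fh:
            fh.write("%PDF-1.4 constructed sample")
        config = os.path.join(root, "wp-config.php")
        with open(config, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');")
        attack = "../wp-config.php"
        result = {
            "vulnerable_reads_config": os.path.isfile(resolve_vulnerable(downloads, attack)),
            "hardened_blocks_attack": resolve_hardened(downloads, attack) is None,
            "hardened_serves_legit": resolve_hardened(downloads, "brochure.pdf") is not None,
        }
        try:
            # A symlink with an allowed suffix pointing at the config file.
            os.symlink(config, os.path.join(downloads, "leak.pdf"))
            result["hardened_blocks_symlink"] = resolve_hardened(downloads, "leak.pdf") is None
        except OSError:
            pass  # symlink creation not permitted on this platform
        return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The basename check alone stops the traversal payloads Ivan is sending; the realpath containment check is the defence in depth that also covers symlinks and any decoding the web server does before the handler sees the parameter.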

If you’re a WordPress user, the free version of Wordfence will protect you against the exploits we’re seeing from this IP. As new attacks emerge we improve our firewall rules, which we release to our Premium customers in real time and to our free customers on a 30-day delayed schedule. That’s why we recommend you upgrade to Wordfence Premium.

The post Profile of a Russian Attack IP appeared first on Wordfence.