At Wordfence we track attacks across all our customer sites, both free and paid to learn more about attacker tactics, techniques and procedures (TTPโs). Mining this data helps us improve Wordfence Firewall, Wordfenceโs Scan and our other features and to do a better job of keeping you safe.
Weย use a large distributed cluster to mine the huge amount of attack data we receive. Looking at the data for the past 7 days alone, we have logged 16.6 million attacks for just that period.
Analyzing our data has been incredibly productive and in the coming weeks we will be sharing additional insights. For todayโs post we want to share some detail on the IP address that is responsible for the most attacks on our WordPress customer sites during the past 7 days.
The first part of this IP is:ย 46.161.X.X.ย Weโre not sharing the full IP and in general we will mask the addresses of attacking IPโs in case those servers contain vulnerabilities. We donโt want to create new targets for attack. So for the sake of conversation, lets call this IP address Ivan.
Ivan has been a very badย IP address. In the past 7 days he has launched 2,036,508 attacks on our customer sites which weโve blocked.
The next highest attacking IP address is responsible forย 468,661 attacks, so this IP is head and shoulders the leading attack IP during the past week.
In fact Ivan is responsible for over 12% of all the attacks on all WordPress sites that Wordfence protects. Thatโs quite an achievement.
During the past 7 days the total number of IP addresses we have blocked attacks from is 77,939 unique IPโs. This gives you an idea of how many attackers there are out there. Ivan has quite a lot of competition and despite that, he managed to come out at number 1.
During the past 7 days Ivan attacked 32,091 unique websites.
97%ย of attacks from this IP address tried to download the wp-config.php file using a wide range of arbitrary file download vulnerabilities in both plugins and themes.
The themes that were attacked by Ivanย are shown in the following table. We also show the total attacks launched on each theme across all sites, along with the number of unique sites that were attacked by trying to exploit a vulnerability in the theme.
Allย these attacks use known file download vulnerabilities except one which may be a zero day vulnerability, so we are redactingย the name of that theme.
| Theme name | Total attacks | Unique sites attacked |
| infocus | 83095 | 20587 |
| acento | 43898 | 20481 |
| XXXXX* | 43613 | 20340 |
| jarida | 43451 | 20292 |
| markant | 43307 | 20259 |
| yakimabait | 43291 | 20300 |
| tess | 43015 | 20110 |
| felis | 42854 | 20030 |
| ypo-theme | 42671 | 19995 |
| persuasion | 41527 | 20316 |
| echelon | 41398 | 20264 |
| modular | 41322 | 20263 |
| awake | 41123 | 20145 |
| fusion | 41012 | 20132 |
| method | 40908 | 20101 |
| myriad | 40702 | 20007 |
| elegance | 40677 | 19976 |
| dejavu | 40551 | 19997 |
| construct | 40278 | 19882 |
| epic | 37141 | 17850 |
| linenity | 36656 | 17619 |
| parallelus-salutation | 36586 | 17623 |
| trinity | 36295 | 17503 |
| antioch | 36180 | 17322 |
| urbancity | 36118 | 17416 |
| parallelus-mingle | 35740 | 17179 |
| authentic | 35683 | 17073 |
| churchope | 35532 | 17040 |
| lote | 35445 | 17027 |
ย
The following table shows the plugins that are being attacked by Ivan. In all cases the attacker is using an arbitrary file download vulnerability in these plugins to try and download wp-config.php. All plugins have known arbitrary file download vulnerabilities except for one which may be a zero day and which weโve redacted from this report.
| Plugin Name | Total attacks | Unique Sites Attacked |
| filedownload | 46037 | 21373 |
| ajax-store-locator-wordpress | 44123 | 20558 |
| plugin-newsletter | 38227 | 18351 |
| pica-photo-gallery | 37795 | 18126 |
| simple-download-button-shortcode | 37684 | 18066 |
| wp-filemanager | 37457 | 17236 |
| tinymce-thumbnail-gallery | 37270 | 17888 |
| dukapress | 36697 | 17495 |
| XXXXXX* | 36303 | 17358 |
| db-backup | 34966 | 16627 |
ย
One of the things we examined when looking at data from this IP address is whether any cloud WAF providers are blocking these attacks. We were surprised to see 58,089 attacks from this IP in the past week bypassed Cloudflare (came in through their servers) and were not blocked. These attacks occurred on 1,183 unique websites. In each case the attack passed throughย a Cloudflare server and was blocked by Wordfence.
The attacks exploit well known vulnerabilities. These customers may be running Cloudflareโs free package which includes โbroad security protectionโ but does not include a WAF. In each case the request we received contained the HTTP header that verifies the source is the attacker weโre analyzing and it came via Cloudflare.
Cf-Connecting-Ip: 46.161.X.X
The attacking IP weโve dubbed โIvanโ is based in St. Petersburg, Russia. It is operated by โPetersburg Internet Network ltd.โ. The IP runs Debian Linux and runs a range of services including an FTP daemon, web server (with placeholder page), mail services and SSH.
What to do
Weย are working to contact the net block owner and have this IP shut down. It is already on our internal black lists and itโs attacksย are blocked by the Wordfenceย firewall.
If youโre a theme or plugin developer and your theme or plugin is listed above, we recommend you put some effort into ensuring that all your customers have already upgraded to your newest theme, assuming youโve fixed your vulnerability. This IP is exploiting these vulnerabilities because they provide results, so itโs likely there are still a few vulnerable sites out there.
If youโre a WordPress user, the free version of Wordfence will protect you against the exploits weโre seeing from this IP. As new attacks emerge, we improve our firewall rules which we release to our premium customers in real-time and to our free customers on a 30 day delayed schedule. Thatโs why we recommend you upgrade to Wordfence Premium.
The post Profile of a Russian Attack IP appeared first on Wordfence.