At Wordfence we track attacks across all our customer sites, both free and paid to learn more about attacker tactics, techniques and procedures (TTP’s). Mining this data helps us improve Wordfence Firewall, Wordfence’s Scan and our other features and to do a better job of keeping you safe.
We use a large distributed cluster to mine the huge amount of attack data we receive. Looking at the data for the past 7 days alone, we have logged 16.6 million attacks for just that period.
Analyzing our data has been incredibly productive and in the coming weeks we will be sharing additional insights. For today’s post we want to share some detail on the IP address that is responsible for the most attacks on our WordPress customer sites during the past 7 days.
The first part of this IP is: 46.161.X.X. We’re not sharing the full IP and in general we will mask the addresses of attacking IP’s in case those servers contain vulnerabilities. We don’t want to create new targets for attack. So for the sake of conversation, lets call this IP address Ivan.
Ivan has been a very bad IP address. In the past 7 days he has launched 2,036,508 attacks on our customer sites which we’ve blocked.
The next highest attacking IP address is responsible for 468,661 attacks, so this IP is head and shoulders the leading attack IP during the past week.
In fact Ivan is responsible for over 12% of all the attacks on all WordPress sites that Wordfence protects. That’s quite an achievement.
During the past 7 days the total number of IP addresses we have blocked attacks from is 77,939 unique IP’s. This gives you an idea of how many attackers there are out there. Ivan has quite a lot of competition and despite that, he managed to come out at number 1.
During the past 7 days Ivan attacked 32,091 unique websites.
97% of attacks from this IP address tried to download the wp-config.php file using a wide range of arbitrary file download vulnerabilities in both plugins and themes.
The themes that were attacked by Ivan are shown in the following table. We also show the total attacks launched on each theme across all sites, along with the number of unique sites that were attacked by trying to exploit a vulnerability in the theme.
All these attacks use known file download vulnerabilities except one which may be a zero day vulnerability, so we are redacting the name of that theme.
| Theme name | Total attacks | Unique sites attacked |
| infocus | 83095 | 20587 |
| acento | 43898 | 20481 |
| XXXXX* | 43613 | 20340 |
| jarida | 43451 | 20292 |
| markant | 43307 | 20259 |
| yakimabait | 43291 | 20300 |
| tess | 43015 | 20110 |
| felis | 42854 | 20030 |
| ypo-theme | 42671 | 19995 |
| persuasion | 41527 | 20316 |
| echelon | 41398 | 20264 |
| modular | 41322 | 20263 |
| awake | 41123 | 20145 |
| fusion | 41012 | 20132 |
| method | 40908 | 20101 |
| myriad | 40702 | 20007 |
| elegance | 40677 | 19976 |
| dejavu | 40551 | 19997 |
| construct | 40278 | 19882 |
| epic | 37141 | 17850 |
| linenity | 36656 | 17619 |
| parallelus-salutation | 36586 | 17623 |
| trinity | 36295 | 17503 |
| antioch | 36180 | 17322 |
| urbancity | 36118 | 17416 |
| parallelus-mingle | 35740 | 17179 |
| authentic | 35683 | 17073 |
| churchope | 35532 | 17040 |
| lote | 35445 | 17027 |
The following table shows the plugins that are being attacked by Ivan. In all cases the attacker is using an arbitrary file download vulnerability in these plugins to try and download wp-config.php. All plugins have known arbitrary file download vulnerabilities except for one which may be a zero day and which we’ve redacted from this report.
| Plugin Name | Total attacks | Unique Sites Attacked |
| filedownload | 46037 | 21373 |
| ajax-store-locator-wordpress | 44123 | 20558 |
| plugin-newsletter | 38227 | 18351 |
| pica-photo-gallery | 37795 | 18126 |
| simple-download-button-shortcode | 37684 | 18066 |
| wp-filemanager | 37457 | 17236 |
| tinymce-thumbnail-gallery | 37270 | 17888 |
| dukapress | 36697 | 17495 |
| XXXXXX* | 36303 | 17358 |
| db-backup | 34966 | 16627 |
One of the things we examined when looking at data from this IP address is whether any cloud WAF providers are blocking these attacks. We were surprised to see 58,089 attacks from this IP in the past week bypassed Cloudflare (came in through their servers) and were not blocked. These attacks occurred on 1,183 unique websites. In each case the attack passed through a Cloudflare server and was blocked by Wordfence.
The attacks exploit well known vulnerabilities. These customers may be running Cloudflare’s free package which includes “broad security protection” but does not include a WAF. In each case the request we received contained the HTTP header that verifies the source is the attacker we’re analyzing and it came via Cloudflare.
Cf-Connecting-Ip: 46.161.X.X
The attacking IP we’ve dubbed ‘Ivan’ is based in St. Petersburg, Russia. It is operated by “Petersburg Internet Network ltd.”. The IP runs Debian Linux and runs a range of services including an FTP daemon, web server (with placeholder page), mail services and SSH.
What to do
We are working to contact the net block owner and have this IP shut down. It is already on our internal black lists and it’s attacks are blocked by the Wordfence firewall.
If you’re a theme or plugin developer and your theme or plugin is listed above, we recommend you put some effort into ensuring that all your customers have already upgraded to your newest theme, assuming you’ve fixed your vulnerability. This IP is exploiting these vulnerabilities because they provide results, so it’s likely there are still a few vulnerable sites out there.
If you’re a WordPress user, the free version of Wordfence will protect you against the exploits we’re seeing from this IP. As new attacks emerge, we improve our firewall rules which we release to our premium customers in real-time and to our free customers on a 30 day delayed schedule. That’s why we recommend you upgrade to Wordfence Premium.
The post Profile of a Russian Attack IP appeared first on Wordfence.