Categories
Security

The October 2017 WordPress Attack Report

This month’s WordPress Attack Report is a continuation of a series we have been publishing since December 2016. Reports from the previous months can be found here.

This report contains the top 25 attacking IPs for October 2017 and their details. It also includes charts of brute force and complex attack activity for the same period, along with a new section revealing changes to the Wordfence real-time IP blacklist throughout the month. We also include the top themes and plugins that were attacked, and which countries generated the most attacks for this period.

Real-time IP Blacklist

For the second month, we are sharing information on changes to the Wordfence real-time IP blacklist throughout the month. Sites protected by Wordfence Premium block all traffic from the malicious IP addresses that attack WordPress sites at any given time. In an effort to evade blocks by blacklists and manual blocking actions, attackers rotate through IP addresses constantly.

In the graph below, we show the number of IPs added to the blacklist each day in green and the number removed in blue. We added a total of 123,277 IPs during October, an average of just over 4,000 per day, up 5% from last month. That means that, on average, we added three new IPs per minute throughout the month. The number of IPs we removed was nearly identical.

The Top 25 Attacking IPs

The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below this section, which contains the data for October along with some commentary.

Brief Introduction (If You Are New to Viewing These Reports)

In the table below, we’ve listed the most active attack IPs for October 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.

Brute force attacks are login-guessing attacks. You can learn more about how brute force attacks work in our Learning Center article about them. What we refer to as “complex attacks” are attacks blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.
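The practical way to weigh a PTR claim like the Tor exit node example above is forward-confirmed reverse DNS: the name the PTR returns must itself resolve back to the IP. The script below is an added example (not Wordfence code); it uses constructed PTR and A records and injectable lookup functions so it runs offline.

```python
"""Forward-confirm an attack IP's PTR record before trusting it.

Added example, not Wordfence code. The PTR (reverse DNS) name is set by
whoever controls the IP's reverse zone, so it can claim anything, such as
being a Tor exit node. The claim only carries weight when the named host
also resolves forward to the same IP (forward-confirmed reverse DNS).
Lookups are injected as callables so the example runs offline against
constructed tables; live resolvers can be passed in instead.
"""
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional

# Constructed reverse (PTR) and forward (A) records for the example.
PTR_TABLE: Dict[str, str] = {
    "198.51.100.10": "tor-exit.example.net",    # claims to be a Tor exit node
    "198.51.100.20": "static-20.host.example",  # ordinary hosting PTR
}
A_TABLE: Dict[str, List[str]] = {
    "tor-exit.example.net": ["203.0.113.5"],    # forward record points elsewhere
    "static-20.host.example": ["198.51.100.20"],
}

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None if absent
ALookup = Callable[[str], List[str]]          # name -> list of A records


def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def table_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])


def fcrdns(ip: str, ptr_lookup: PtrLookup = table_ptr,
           a_lookup: ALookup = table_a) -> Dict[str, object]:
    """Return the PTR name for `ip` and whether it forward-confirms.

    `confirmed` is True only if the PTR name has an A record equal to `ip`;
    an unconfirmed PTR is a label of interest, not a fact about the host.
    """
    addr = str(ip_address(ip))  # rejects malformed input with ValueError
    name = ptr_lookup(addr)
    if name is None:
        return {"ip": addr, "ptr": None, "confirmed": False,
                "reason": "no PTR record"}
    forward = a_lookup(name)
    confirmed = addr in forward
    return {"ip": addr, "ptr": name, "confirmed": confirmed,
            "reason": "PTR name resolves back to the IP" if confirmed
                      else "PTR name does not resolve to the IP"}


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.20", "198.51.100.30"):
        print(fcrdns(ip))
```

For live use, wrap `socket.gethostbyaddr(ip)[0]` and `socket.gethostbyname_ex(name)[2]` (they raise `socket.herror` / `socket.gaierror` when the record is missing) and pass the wrappers as `ptr_lookup` and `a_lookup`.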

We also include the city and country, if available. To the far right of the report, we show the date in August when we started logging attacks and the date the attacks stopped.

The Top Attacking IPs

The total attacks from the top 25 attacking IPs were down 3% from September.

Brute force attacks made up 95% of total attacks for October, up slightly from September.

With 13 of the top 25 IPs, Turkey dominated the list for the second consecutive month. PP SKS-Lugan from the Ukraine once again dominated the very top of the list, hosting four of the most active malicious IPs.

Brute Force Attacks on WordPress in October 2017

In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of October.

The average number of daily brute force attacks was down 9% from September. Daily attack volumes grew toward the latter half of the month, but remain very low relative to earlier in the year.

Complex Attacks on WordPress in October 2017

In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for the month of October.

Average daily complex attack volume for the sites we protect was 3.6 million in October, down 23% from September. This marks the second month of declining attack volumes. Daily activity was relatively consistent throughout the month, with a slight increase in daily volumes toward the back half of the month.

Attacks on Themes in October 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.

There was a lot of change in the top 25 attacked themes in October as usual. The biggest mover was the ‘sketch’ theme, moving up 161 spots to number 22. None of the attacks that we looked at were attempting to exploit a security vulnerability in a theme. Instead, they appear to be either probing for the existence of malicious files that had been added to the theme or attempting to send commands to them.

The next two big movers on the list were the ‘twentyfifteen’ and ‘twentysixteen’ themes. The attacks on these themes follow the same pattern we saw with the ‘sketch’ theme.

Coming in at number 7 on the list is ‘template-parts’, which isn’t even a valid theme. Over 99% of the attacks originated from a single Latvian IP address. Based on the requests, it appears that the attacker is attempting to probe for or send commands to malicious files in a directory whose name sounds like a legitimate theme file.

Attacks on Plugins in October 2017

The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the directory where the plugin is installed.

As usual, the top 25 list for plugins was very stable at the top, with almost no movement in the top 10. There were 8 plugins on the list that weren’t in the top 25 in September. We looked into the details behind the first big mover toward the top of the list, ‘Wp-LayerSlider’. As far as we can tell, this is not even a real plugin. It appears to be a name that attackers are using for a web shell that they are disguising as a slider plugin.

The next biggest mover on the list was ‘easyrotator-for-wordpress’. The majority of attacks on this plugin appear to be attempts to upload malicious files via any backdoor files that may already exist on a site.

The next two big movers on the list were ‘shortcodes-ultimate’ and ‘wp-filemanager’. The large majority of attacks on both plugins are attempts to exploit an old vulnerability in timthumb.php. Any sites that are running updated versions of these two plugins should be immune to these attempts.
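The theme and plugin sections above both key their tables by slug and single out two request patterns: probes for files under a slug the site does not actually have (the fake ‘template-parts’ theme, the ‘Wp-LayerSlider’ name) and requests for a legacy timthumb.php. The script below is an added example (not Wordfence code) that pulls the same information out of a site’s own access log; the log lines and the `INSTALLED` inventory are constructed for the example, and it also computes the top-IP share figures the report quotes for each mover.

```python
"""Tally requests by WordPress theme/plugin slug and flag the probes the report describes.

Added example, not Wordfence code. Theme and plugin tables in the report are
keyed by slug, the directory under wp-content/themes/ or wp-content/plugins/.
This parses common-log-format lines, extracts the slug, counts hits per slug
and per IP, and flags (a) requests for slugs not installed on this site, which
is how probes for dropped files such as the fake 'template-parts' theme look,
and (b) any request for a timthumb.php copy inside a theme or plugin. The log
lines and the INSTALLED inventory below are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SLUG_RE = re.compile(
    r'/wp-content/(?P<kind>themes|plugins)/(?P<slug>[A-Za-z0-9._-]+)/(?P<rest>[^?]*)'
)

# Constructed inventory; in practice list the directories actually present.
INSTALLED = {"themes": {"twentyseventeen"}, "plugins": {"example-plugin"}}


class Hit(NamedTuple):
    ip: str
    kind: str      # "themes" or "plugins"
    slug: str
    path: str
    flags: tuple   # subset of ("not-installed", "timthumb")


def classify(line: str) -> Optional[Hit]:
    """Parse one log line; return a Hit for theme/plugin requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    s = SLUG_RE.search(m["path"])
    if not s:
        return None
    flags = []
    if s["slug"] not in INSTALLED[s["kind"]]:
        flags.append("not-installed")  # probe for a slug this site does not have
    if s["rest"].rsplit("/", 1)[-1].lower() == "timthumb.php":
        flags.append("timthumb")       # request for a legacy TimThumb script
    return Hit(m["ip"], s["kind"], s["slug"], m["path"], tuple(flags))


def triage(lines: List[str]) -> Dict[str, object]:
    """Aggregate hits the way the report's tables do: per slug and per IP."""
    hits = [h for h in map(classify, lines) if h is not None]
    return {
        "total": len(hits),
        "by_slug": Counter((h.kind, h.slug) for h in hits),
        "by_ip": Counter(h.ip for h in hits),
        "flagged": [h for h in hits if h.flags],
    }


def top_ip_share(lines: List[str], n: int) -> float:
    """Fraction of theme/plugin hits produced by the n busiest IPs (0.0 if none)."""
    by_ip = triage(lines)["by_ip"]
    total = sum(by_ip.values())
    return sum(c for _, c in by_ip.most_common(n)) / total if total else 0.0


# Constructed sample log (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2017:03:14:07 +0000] "GET /wp-content/themes/template-parts/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2017:03:14:09 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Oct/2017:04:01:22 +0000] "GET /wp-content/plugins/wp-filemanager/timthumb.php?v=1 HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.9 - - [12/Oct/2017:05:30:00 +0000] "GET /wp-content/plugins/example-plugin/assets/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Oct/2017:05:30:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["flagged"]:
        print(hit.ip, hit.kind, hit.slug, hit.flags)
    print("top-1 IP share:", top_ip_share(SAMPLE_LOG, 1))
```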

Attacks by Country for October 2017

The table below shows the top 25 countries from which attacks originated in the month of October on the WordPress sites that we monitor.

The top of the list was pretty stable, with Russia and the United States holding their spots at first and second place, respectively. China, Ukraine and Turkey all remained in the top 5, though in different spots than the previous month. Latvia was the biggest mover on the list, climbing 52 spots to number 16 overall.

Conclusion

That concludes our October 2017 WordPress attack report. We were very pleased to see drops in complex and brute force attack volumes once again, potentially marking a trend. Regardless of the volume of attacks, WordPress website owners should not let their guard down, but instead stay vigilant about their site security with up-to-date firewalls and other security best practices to keep their sites safe.

The post The October 2017 WordPress Attack Report appeared first on Wordfence.

The September 2017 WordPress Attack Report

This edition of the WordPress Attack Report is a continuation of the monthly series we’ve been publishing since December 2016. Reports from the previous months can be found here.

This report contains the top 25 attacking IPs for September 2017 and their details. It also includes charts of brute force and complex attack activity for the same period, along with a new section revealing changes to the Wordfence real-time IP blacklist throughout the month. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

Real-time IP Blacklist

The Wordfence real-time IP blacklist protects our Premium customers from attacks originating from the most malicious IP addresses. Two weeks ago we shared a deep dive on how the blacklist changed throughout the month of August. The post was well-received, so we decided to include some of that information in these monthly attack reports going forward.

In the graph below we show the number of IPs added to the blacklist each day in green and the number removed in blue. A total of 117,516 IPs were added during the month, an average of just under four thousand per day. An almost identical number was removed.

The Top 25 Attacking IPs

The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below this section, which contains the data for September along with some commentary.

Brief Introduction (If You Are New to Viewing These Reports)

In the table below, we’ve listed the most active attack IPs for September 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.

Brute force attacks are login-guessing attacks. You can learn more about how brute force attacks work in our Learning Center article about them. What we refer to as “complex attacks” are attacks blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.

We also include the city and country, if available. To the far right of the report, we show the date in August when we started logging attacks and the date the attacks stopped.

The Top Attacking IPs

The total attacks from the top 25 attacking IPs decreased by 8% from August.

Brute force attacks made up 91% of total attacks for September, the same as August. Complex attacks accounted for 9% of the volume.

Turkey topped the list this month with 11 of the top 25 IPs after having disappeared from the list last month. The four most active IPs were from Ukraine, with PP SKS-Lugan hosting three of them.

Brute Force Attacks on WordPress in September 2017

In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of September.

The average number of daily brute force attacks was down a massive 45%. Daily attack volumes grew toward the latter half of the month, but were still very low relative to normal months.

Complex Attacks on WordPress in September 2017

In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for September.

Average daily complex attack volume for the sites we protect was 4.7 million in September, down 39% from August. With the exception of a single spike on the 29th, daily volume was significantly lower in the back half of the month.

Attacks on Themes in September 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.

As usual we saw a lot of movement in the top 25 attacked themes. The biggest mover on the list moved up 1,382 spots to number 9. We have redacted the theme name as it appears to contain an unpatched vulnerability. We will attempt to reach out to the author to share what we’ve discovered. It is a premium theme with extremely low lifetime sales quantity. Over 98% of the attacks on this theme originated from just 5 IP addresses, suggesting the attacks are likely the work of a single attacker.

The second biggest mover was the ‘revelance’ theme, moving up 1103 spots to number 18. The attacker is attempting to exploit the very well-known TimThumb vulnerability. ‘Revelance’ is a premium theme that has been around since 2014, so we assume that at one time it included a vulnerable version of TimThumb.

The ‘rightnow’ theme was our third biggest mover for the month. The attacks on this theme are attempting to exploit an arbitrary file upload vulnerability from 2014. The theme appears to be abandoned, as we were unable to find any trace of it online. If you’re using this theme, we recommend that you replace it immediately.

Attacks on Plugins in September 2017

The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the directory where the plugin is installed.

As usual the top 25 list for plugins was pretty stable at the top, with quite a bit of movement toward the bottom. There were 9 plugins on the list that weren’t in the top 25 in August. We looked into the details behind the first big mover toward the top of the list, Zen Mobile App Native. Attacks on this plugin are trying to exploit a remote file upload vulnerability that was publicly disclosed on February 28th of this year. The plugin has been removed from the WordPress.org plugin directory, so we assume that a fix has not been released. If you are running this plugin we recommend that you remove it from your site immediately.

We have redacted the details for the next big mover on the list, number 14, because the attack vector may not have a fix yet, so we don’t want to call attention to it and turn it into a much larger problem. (Note: We regret we can’t answer questions about this privately or in the comments.) We were unable to find a reputable source of information on either the plugin or the vulnerability. It isn’t listed in the WordPress.org plugin directory, and doesn’t appear to ever have been. We are attempting to reach out to the plugin author to share what we’ve discovered.

Attacks by Country for September 2017

The table below shows the top 25 countries from which attacks originated in the month of September on the WordPress sites that we monitor.

The top of the list was pretty stable, with the United States and Russia trading places at the top and the Ukraine holding at number 3. Turkey jumped into the number 4 spot from 7 with a significant increase in overall volume.

Conclusion

That concludes our September 2017 WordPress attack report. We find the dramatic drops in the complex and brute force attack volumes encouraging, though not necessarily indicative of an ongoing trend. Regardless of the volume of attacks, WordPress website owners should not let their guard down, but instead stay vigilant about their site security with up-to-date firewalls and other security best practices to keep their sites safe.

The post The September 2017 WordPress Attack Report appeared first on Wordfence.

The August 2017 WordPress Attack Report

This is the ninth edition of the WordPress Attack Report series we’ve been publishing since December 2016. You can find reports from the previous months here:

This report contains the top 25 attacking IPs for the month of August and their details. It also includes charts of brute force and complex attack activity for the same period. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

The Top 25 Attacking IPs

The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below this section, which contains the data for August along with some commentary.

Brief Introduction (If You Are New to Viewing These Reports)

In the table below, we’ve listed the most active attack IPs for August 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.

Brute force attacks are login-guessing attacks. You can learn more about how brute force attacks work in our Learning Center article about them. What we refer to as “complex attacks” are attacks blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.

We also include the city and country, if available. To the far right of the report, we show the date in August when we started logging attacks and the date the attacks stopped.

The Top Attacking IPs

The total attacks from the top 25 attacking IPs increased by almost 9% from August.

Brute force attacks made up 91% of total attacks for August, up from 87% in July, which we had thought was an amazing number. Complex attacks accounted for 9% of the volume.

The United States dominated the list this month, with 13 of the top 25 IPs. Ukraine had the second most IPs with 7. Turkey was notably absent from the top 25 this month.

Brute Force Attacks on WordPress in August 2017

In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of August.

The average number of daily brute force attacks was down 9% from last month after growing the previous two months. Daily attack volumes were stable for most of the month, but plummeted on the 27th, dropping by roughly half for the final five days.

Complex Attacks on WordPress in August 2017

In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for August.

Average daily complex attack volume for the sites we protect was 7.8 million in August, up 1% from the previous month. Daily volume was stable throughout the month, similar to what we saw in July.

Attacks on Themes in August 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.

As usual we saw a lot of movement in the top 25 in August compared to July. The biggest mover on the list was the ‘twentyseventeen’ theme, moving up 95 spots to #2. Another big mover, the ‘sketch’ theme, moved up 34 spots to #6. Looking at the attacks involving both, they appear to be probe requests, looking for vulnerabilities that can be exploited in a subsequent request. We do not believe the attackers were attempting to compromise a vulnerability in these themes directly; rather, they were referencing very common themes in the probe requests.

Another big mover on the list is the ‘nemesis’ theme, a premium WordPress theme that has been around since 2012. All of those attacks attempted to exploit a vulnerability in TimThumb versions <= 1.33, so we assume that the theme included a vulnerable version of TimThumb some time in the past. The attacks appear to be coming from at least one large botnet, as we saw attacks from 1637 unique IP addresses.

Attacks on Plugins in August 2017

The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the directory where the plugin is installed.

As usual the top 25 list for plugins was pretty stable at the top with quite a bit of movement toward the bottom. There were 8 plugins on the list that weren’t in the top 25 in July. We looked into the details behind the first big mover toward the top of the list, ‘formcraft’. Almost all of the attacks were malicious file upload attacks, likely attempting to exploit a vulnerability that was made public in February of 2016.

We took a look at the attacks on the next highest big mover, ‘easyrotator-for-wordpress’, and found that almost all of the requests appear to be attempting to probe for and in some cases send commands to back door files. Over 30 thousand unique sites were hit with these attacks, so we assume that the attacker was looking for backdoors that another attacker had already installed versus communicating with back doors they had installed themselves.

The next big mover on the list, ‘hb-audio-gallery-lite’, moved up as a result of attempts to exploit a vulnerability that has been public since March of 2016. Over 89% of the attacks originated from just two IP addresses.

Another big mover, ‘rb-agency’, saw attempts to exploit a vulnerability made public in September of 2016. Interestingly, over 91% of the attacks originated from the same two IP addresses responsible for the majority of the ‘hb-audio-gallery-lite’ attacks.

Attacks by Country for August 2017

The table below shows the top 25 countries from which attacks originated in the month of August on WordPress sites that we monitor.

The top of the list was pretty stable, with the United States and Russia trading places at the top and the Ukraine holding at number 3.

Conclusion

That concludes our August 2017 WordPress attack report. It was nice to see attack volumes drop off at the end of the month, and we hope that trend continues through the month of September.

The post The August 2017 WordPress Attack Report appeared first on Wordfence.

The July 2017 WordPress Attack Report

This post is a continuation of the WordPress Attack Report series we’ve been publishing since December 2016. Reports from previous months can be found here:

This report contains the top 25 attacking IPs for the month of July and their details. It also includes charts of brute force and complex attack activity for the same period. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

The Top 25 Attacking IPs

The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below this section, which contains the data for July along with some commentary.

Brief Introduction (If You Are New to Viewing These Reports)

In the table below, we’ve listed the most active attack IPs for July 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.

Brute force attacks are login-guessing attacks. (You can learn more about how brute force attacks work in our Learning Center article about them.) What we refer to as “complex attacks” are attacks that were blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.

We also include the city and country, if available. To the far right of the report, we show the date in July when we started logging attacks and the date the attacks stopped.

The Top Attacking IPs

The total attacks from the top 25 attacking IPs decreased slightly from 133 million in June to 124 million in July.

Brute force attacks made up an amazing 87% of total attacks for July, up from 67% in June. Complex attacks accounted for 13% of the volume.

As usual, the list is dominated by Ukraine and Turkey followed by the United States.

Brute Force Attacks on WordPress in July 2017

In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of July.

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

Complex Attacks on WordPress in July 2017

In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for July.

Average daily complex attack volume for the sites Wordfence protects was 7.2 million in July, up 6% from June. As with brute force attacks, daily volume was incredibly stable.

Attacks on Themes in July 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.

We saw a lot of movement in the top 25 this month when compared to June. The biggest mover on the list was the ‘clockstone’ theme, coming out of nowhere to take the #3 spot in the rankings. Digging into the details, the attacks are all malicious file upload attempts, attempting to exploit a vulnerability that has been public knowledge since August of 2014. Furthermore, the theme appears to no longer be supported by the author. The attacks targeting this theme originated from 1336 unique IPs during the month, suggesting that the attacker (or attackers) are using a botnet to launch the attack. The top 10 IPs were responsible for just over two thirds of the attacks.

Another big mover on the list is the ‘sealight’ theme, moving up 32 places to number 12 on the list. Looking at the detailed attacks, they are all attempting to exploit a very well known vulnerability in TimThumb, which was discovered in 2011. The vulnerability impacted many WordPress themes, apparently including the ‘sealight’ theme. The attacks on this theme originated from 130 IP addresses, with the top 10 accounting for 75% of attacks.

The last big mover on the list that we looked into was the ‘typebased’ theme, which moved up 26 places to number 17. This is another theme that appears to no longer be supported or available for download. Looking at the attacks, they are all trying to exploit the same TimThumb vulnerability that the attacks on the ‘sealight’ theme are targeting. Attacks came from 136 unique IP addresses during the month, with the top 10 accounting for over 68% of the total.

Attacks on Plugins in July 2017

The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the directory where the plugin is installed.

The top 25 list for plugins also changed a lot toward the bottom, with six plugins that weren’t on the list in June. We looked into the details of the biggest mover on the list, ‘wp-pagenavi’, which moved up 38 spots to number 11. The surge in attacks is attempting to exploit the TimThumb vulnerability we discussed in the theme section. We couldn’t find any reference to the plugin including TimThumb, but given that the TimThumb vulnerability in question is over 5 years old now, it would be difficult to say for sure.

The next biggest mover on the list was ‘wp-rocket’, a caching plugin that is running on over 260k sites according to their website. The surge in attacks consists of attempts to exploit a Local File Inclusion vulnerability that was fixed and publicly announced in June when version 2.10.4 was released. Attacks originated from over 89k unique IP addresses, with the top 10 accounting for just under 50% of the total.

Attacks by Country for July 2017

The table below shows the top 25 countries from which attacks originated in the month of July on WordPress sites that we monitor.

The top 3 countries remained the same, with very little movement throughout the list.

Conclusion

That concludes our July 2017 WordPress attack report. We were disappointed to see attack volume up yet again in July and hope to see that trend reverse itself again in August.

The post The July 2017 WordPress Attack Report appeared first on Wordfence.