What a botnet attack looks like and what you can do about it

I run all my sites on a dedicated server and decided to watch my web access logs in real time, in particular POST requests (form submissions):
tail -f -n50 /usr/local/apache/domlogs/* | egrep "POST"
And here's the picture of the result:


I have about 10 WordPress sites, and here we see that about every 2 seconds a request is generated that submits the "login" form on pretty much each of these sites. Each request looks like this:
Code:
201.245.226.147 - - [13/May/2013:20:45:23 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
Yet the IP address of the visitor (attacker) is different every time.
This is a typical case of a programmable botnet in action. All these requests come from "innocent" infected machines that are doing what the remote botnet owner commands them to do. In this case: trying to guess the passwords to my sites.
And YOURS TOO!
If you check your raw Apache logs (presuming your websites are somewhat ranked and attract half-decent traffic), you'll see a similar picture.
We are all under constant attack; botnets and scammers are trying to break into our machines day and night.
How to protect ourselves?
Here's what I did:
1. I added a free captcha plugin to every form on each of my WordPress sites. This is super simple, and now the botnet's task is much more complicated.
2. Each attacker's IP is different, so I cannot protect the server at the iptables level. But I noticed that the "User Agent" used by these bots is the same:


So I edited my .htaccess file in this manner:
Code:
# Botnet blocker
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_USER_AGENT} Mozilla/5\.0\ \(Windows\ NT\ 6\.1;\ rv\:19\.0\)\ Gecko/20100101\ Firefox/19\.0 [NC]
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteRule .* - [F]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
Notice the "Botnet blocker" part at the beginning. It detects a POST (form submission) request that originated from a machine with that User Agent string.
The rule kicks the bot away and saves my server's bandwidth.

3. If you have an SSL certificate for your website, add this to your wp-config.php file:
Code:
define('FORCE_SSL_ADMIN', true);
This line forces HTTPS access to all forms and administration pages. This way, if you're updating your site from a coffee shop over a public wifi connection, no one can sniff your passwords.


Hope it helps a bit!

Gleb
#attack #botnet
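The log analysis the post describes (watch POSTs to wp-login.php, notice the IPs are all different but the User-Agent is constant) and the resulting .htaccess rule can both be replayed offline. The following is an added example, not code from the original post: it parses Apache combined-format log lines, summarises the login POSTs by source IP and User-Agent, and applies the same three conditions as the "Botnet blocker" RewriteConds (POST method, unanchored case-insensitive User-Agent match, wp-login.php in the URI) to show which lines the rule would reject. The log lines are constructed sample data (documentation-range IPs plus the one line shown in the post); only the first is taken from the post itself.

```python
"""Summarise wp-login.php POST traffic from an Apache combined log and replay
the User-Agent blocking rule from the post against it (added example)."""
import re
from collections import Counter

# Apache "combined" LogFormat, matching the sample line shown in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The User-Agent the post identifies on every bot request, compiled the way the
# .htaccess RewriteCond treats it: a regex, unanchored, with [NC] (ignore case).
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
BOT_UA_RE = re.compile(re.escape(BOT_UA), re.IGNORECASE)
LOGIN_URI_RE = re.compile(r"wp-login\.php")  # RewriteCond %{REQUEST_URI} wp-login\.php

# Constructed sample log (not real traffic): five bot POSTs from five different
# IPs sharing one User-Agent, one GET of the login page with that same UA, one
# human POST from a different browser, and one bot POST to a path the rule
# does not cover. Only the first line is the one shown in the post.
SAMPLE_LOG = """\
201.245.226.147 - - [13/May/2013:20:45:23 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.0.2.17 - - [13/May/2013:20:45:25 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.23 - - [13/May/2013:20:45:27 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.9 - - [13/May/2013:20:45:29 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.0.2.88 - - [13/May/2013:20:45:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.10 - - [13/May/2013:20:46:02 -0400] "GET /wp-login.php HTTP/1.1" 200 3390 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.7 - - [13/May/2013:20:46:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
203.0.113.55 - - [13/May/2013:20:47:11 -0400] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://www.example.com/?p=1" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def login_post_summary(entries):
    """Count POSTs to wp-login.php, the distinct source IPs behind them, and the
    User-Agents they carry (most common first). Many IPs + one UA is the
    signature the post describes."""
    posts = [e for e in entries
             if e["method"] == "POST" and LOGIN_URI_RE.search(e["path"])]
    return {
        "login_posts": len(posts),
        "distinct_ips": len({e["ip"] for e in posts}),
        "user_agents": Counter(e["ua"] for e in posts).most_common(),
    }


def would_block(entry):
    """Mirror the three RewriteConds of the 'Botnet blocker' rule: all must hold."""
    return (entry["method"] == "POST"
            and BOT_UA_RE.search(entry["ua"]) is not None
            and LOGIN_URI_RE.search(entry["path"]) is not None)


def blocked_and_allowed(entries):
    """Split entries into those the rule answers 403 and those it lets through."""
    blocked = [e for e in entries if would_block(e)]
    allowed = [e for e in entries if not would_block(e)]
    return blocked, allowed


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary = login_post_summary(entries)
    print(f"wp-login.php POSTs: {summary['login_posts']} from "
          f"{summary['distinct_ips']} distinct IPs")
    for ua, n in summary["user_agents"]:
        print(f"  {n:3d}  {ua}")
    blocked, allowed = blocked_and_allowed(entries)
    print(f"rule would block {len(blocked)} requests, allow {len(allowed)}")
    for e in allowed:
        print(f"  allowed: {e['ip']} {e['method']} {e['path']}")
```

On the sample data the summary shows six login POSTs from six distinct IPs, five of them sharing the one User-Agent, which is exactly why an IP-based block is hopeless here while a UA-based one is cheap. The replay also shows the rule's scope: the GET of the login page and the Chrome login pass, and so does the comment-form POST from the bot UA, because the rule only covers wp-login.php. Run it against real logs by replacing SAMPLE_LOG with the file contents; a bot that changes its User-Agent string will of course drop out of the blocked set.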
