
Profile of a Russian Attack IP

This entry was posted in Research, Vulnerabilities, Wordfence, WordPress Security on August 3, 2016 by Mark Maunder

At Wordfence we track attacks across all our customer sites, both free and paid, to learn more about attacker tactics, techniques and procedures (TTPs). Mining this data helps us improve the Wordfence Firewall, the Wordfence Scan and our other features, and lets us do a better job of keeping you safe.

We use a large distributed cluster to mine the huge amount of attack data we receive. In the past 7 days alone we logged 16.6 million attacks.

Analyzing our data has been incredibly productive and in the coming weeks we will be sharing additional insights. For today’s post we want to share some detail on the IP address that is responsible for the most attacks on our WordPress customer sites during the past 7 days.

The first part of this IP is 46.161.X.X. We're not sharing the full IP, and in general we will mask the addresses of attacking IPs in case those servers contain vulnerabilities: we don't want to create new targets for attack. So for the sake of conversation, let's call this IP address Ivan.

Ivan has been a very bad IP address. In the past 7 days he has launched 2,036,508 attacks on our customer sites which we’ve blocked.

The next highest attacking IP address is responsible for 468,661 attacks, so this IP is head and shoulders above every other attacking IP we saw during the past week.

In fact Ivan is responsible for over 12% of all the attacks on all WordPress sites that Wordfence protects. That’s quite an achievement.

During the past 7 days we blocked attacks from 77,939 unique IPs. This gives you an idea of how many attackers there are out there. Ivan has quite a lot of competition and, despite that, he managed to come out at number 1.

During the past 7 days Ivan attacked 32,091 unique websites.

97% of the attacks from this IP address tried to download the site's wp-config.php file, using a wide range of known arbitrary file download vulnerabilities in both plugins and themes. That file is the prize because it holds the database credentials and the authentication keys and salts; with it an attacker can usually take over the site or its database outright.
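The attack pattern described above can be picked out of ordinary web server logs. The following is an added example and is not Wordfence's detection code: it parses a few constructed access log lines (RFC 5737 test addresses; the plugin, theme and script names are hypothetical and do not refer to any real vulnerability) and flags requests whose file-download parameter resolves to wp-config.php, including the double-URL-encoded and NUL-byte variants attackers use to slip past naive filters.

```python
"""
Added example, not Wordfence's detection code: flag web requests that try to
pull wp-config.php through a plugin or theme file-download parameter.
The log lines, IP addresses (RFC 5737 test ranges) and plugin/theme/script
names are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOG = """\
198.51.100.7 - - [03/Aug/2016:10:01:02 +0000] "GET /wp-content/plugins/example-gallery/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Aug/2016:10:01:03 +0000] "GET /wp-content/themes/example-theme/dl.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Aug/2016:10:01:04 +0000] "GET /wp-content/plugins/example-backup/get.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Aug/2016:10:01:05 +0000] "GET /wp-content/plugins/example-gallery/download.php?file=../../../../wp-config.php%00.pdf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Aug/2016:10:01:06 +0000] "GET /wp-content/plugins/example-gallery/download.php?file=brochure.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Aug/2016:10:01:07 +0000] "GET /?s=wp-config.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_FILES = {"wp-config.php"}
EXTENSION_DIRS = ("/wp-content/plugins/", "/wp-content/themes/")


def fully_decode(value, rounds=3):
    """Undo repeated URL encoding; attackers double-encode to dodge filters
    that only decode once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def requested_basename(raw_value):
    """Normalise one query value the way a naive download handler ends up
    seeing it: decode, treat backslashes as separators, and cut at a NUL byte
    (old PHP truncated paths there, so "wp-config.php%00.pdf" passed an
    extension check yet opened wp-config.php)."""
    value = fully_decode(raw_value).replace("\\", "/").split("\x00")[0]
    return value.rsplit("/", 1)[-1].lower()


def is_download_attempt(target):
    """True if a request to a plugin or theme script names a sensitive file
    in any query parameter, regardless of how it is encoded."""
    parts = urlsplit(target)
    if not parts.path.startswith(EXTENSION_DIRS):
        return False
    return any(requested_basename(v) in SENSITIVE_FILES
               for _, v in parse_qsl(parts.query, keep_blank_values=True))


def scan_log(text):
    """Return one dict per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_download_attempt(m.group("target")):
            hits.append({"ip": m.group("ip"), "target": m.group("target"),
                         "status": int(m.group("status"))})
    return hits


def attackers(hits, threshold=2):
    """IPs with at least `threshold` flagged requests: block candidates."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def successful_reads(hits):
    """A 200 on one of these means the file may really have been served;
    rotate the credentials and salts in it."""
    return [hit for hit in hits if hit["status"] == 200]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("block:", attackers(found))
    print("possible successful reads:", successful_reads(found))
```

The decoding steps are the important part: a filter that matches the literal string `../wp-config.php` misses the second and third sample lines, and one that trusts the file extension misses the fourth. The status code matters for response: a 403 or 404 was a blocked or failed attempt, but a 200 with a body is a reason to treat the database password and keys in wp-config.php as compromised.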

The themes that were attacked by Ivan are shown in the following table. We also show the total attacks launched on each theme across all sites, along with the number of unique sites that were attacked by trying to exploit a vulnerability in the theme.

All these attacks use known file download vulnerabilities except one which may be a zero day vulnerability, so we are redacting the name of that theme.

Theme name Total attacks Unique sites attacked
infocus 83095 20587
acento 43898 20481
XXXXX* 43613 20340
jarida 43451 20292
markant 43307 20259
yakimabait 43291 20300
tess 43015 20110
felis 42854 20030
ypo-theme 42671 19995
persuasion 41527 20316
echelon 41398 20264
modular 41322 20263
awake 41123 20145
fusion 41012 20132
method 40908 20101
myriad 40702 20007
elegance 40677 19976
dejavu 40551 19997
construct 40278 19882
epic 37141 17850
linenity 36656 17619
parallelus-salutation 36586 17623
trinity 36295 17503
antioch 36180 17322
urbancity 36118 17416
parallelus-mingle 35740 17179
authentic 35683 17073
churchope 35532 17040
lote 35445 17027


The following table shows the plugins that are being attacked by Ivan. In all cases the attacker is using an arbitrary file download vulnerability in these plugins to try and download wp-config.php. All plugins have known arbitrary file download vulnerabilities except for one which may be a zero day and which we’ve redacted from this report.

Plugin Name Total attacks Unique Sites Attacked
filedownload 46037 21373
ajax-store-locator-wordpress 44123 20558
plugin-newsletter 38227 18351
pica-photo-gallery 37795 18126
simple-download-button-shortcode 37684 18066
wp-filemanager 37457 17236
tinymce-thumbnail-gallery 37270 17888
dukapress 36697 17495
XXXXXX* 36303 17358
db-backup 34966 16627


One of the things we examined in the data from this IP is whether any cloud WAF providers are blocking these attacks. We were surprised to see that 58,089 attacks from this IP in the past week passed through Cloudflare's proxies unblocked and reached the origin, where Wordfence blocked them. These attacks hit 1,183 unique websites.

The attacks exploit well known vulnerabilities. These customers may be running Cloudflare's free package, which includes "broad security protection" but does not include a WAF. In each case the request we received arrived from a Cloudflare server and carried the header Cloudflare adds to identify the originating client, which named the IP we are analyzing. That header is only trustworthy when the connection itself comes from a Cloudflare address; an origin that also accepts direct connections can be sent the header by anyone.

Cf-Connecting-Ip: 46.161.X.X
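How a firewall or log pipeline should handle that header, as an added example that is not Wordfence's or Cloudflare's code: the proxied client address is honoured only when the TCP peer is one of Cloudflare's published edge ranges, otherwise the peer address itself is used. The ranges below are a subset copied from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and are an assumption of this example; a real deployment must load the current list from that source. The test addresses are from the RFC 5737 documentation ranges.

```python
"""
Added example (not Wordfence or Cloudflare code): decide which IP a request
really came from before logging or blocking it. CLOUDFLARE_EDGES is a subset
of Cloudflare's published ranges, copied here as an assumption; refresh it
from https://www.cloudflare.com/ips-v4 and /ips-v6 in real use.
"""
import ipaddress

CLOUDFLARE_EDGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "2400:cb00::/32", "2606:4700::/32",
)]


def is_cloudflare_edge(peer_ip):
    """True if the TCP peer is one of Cloudflare's published proxy addresses."""
    addr = ipaddress.ip_address(peer_ip)
    # `in` between an IPv4 address and an IPv6 network is simply False.
    return any(addr in net for net in CLOUDFLARE_EDGES)


def client_ip(peer_ip, headers):
    """Return the address the request should be attributed to.

    CF-Connecting-IP is set by Cloudflare to the address of the visitor that
    connected to its edge. It is only meaningful when the connection actually
    came from a Cloudflare edge: an origin that also accepts direct
    connections can be sent the header by anyone, so honouring it blindly
    lets an attacker dodge an IP block, or get an innocent address banned.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded and is_cloudflare_edge(peer_ip):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return peer_ip


def should_block(peer_ip, headers, blocked_networks):
    """Apply an IP/CIDR blocklist to the attributed client address."""
    addr = ipaddress.ip_address(client_ip(peer_ip, headers))
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in blocked_networks)


if __name__ == "__main__":
    blocklist = ["198.51.100.0/24"]
    # Genuine Cloudflare-proxied request: the header is honoured.
    print(should_block("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}, blocklist))
    # Direct connection carrying a forged header: the peer is used instead.
    print(should_block("203.0.113.9", {"CF-Connecting-IP": "198.51.100.7"}, blocklist))
```

The same rule applies to X-Forwarded-For from any other reverse proxy: take the client address from a header only when the connection comes from the proxy you expect, and prefer to restrict the origin so that it accepts connections from the proxy's addresses alone.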

The attacking IP we’ve dubbed ‘Ivan’ is based in St. Petersburg, Russia. It is operated by “Petersburg Internet Network ltd.”. The IP runs Debian Linux and runs a range of services including an FTP daemon, web server (with placeholder page), mail services and SSH.

What to do

We are working to contact the net block owner and have this IP shut down. It is already on our internal blacklists and its attacks are blocked by the Wordfence firewall.

If you're a theme or plugin developer and your theme or plugin is listed above, we recommend you put some effort into ensuring that all your customers have upgraded to your newest version, assuming you've fixed your vulnerability. This IP is exploiting these vulnerabilities because they provide results, so it's likely there are still a few vulnerable sites out there.
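What "fixed" looks like for this bug class, as an added example that is not code from the post or from any listed theme or plugin: the vulnerable handler joins user input onto a base directory and reads the result, while the hardened one canonicalises the path first and then checks containment. The demonstration is written in Python as a language-neutral illustration; in PHP the same fix is built on realpath() and the same containment check. The throwaway site tree, the fake wp-config.php and the plugin directory name are constructed.

```python
"""
Added example (not from the post or any listed plugin): the arbitrary file
download bug class beside its fix. Paths and the fake wp-config.php are
constructed for this example.
"""
import os
import tempfile

FAKE_WP_CONFIG = "<?php define('DB_PASSWORD', 'constructed-secret'); ?>\n"
ALLOWED_SUFFIXES = (".pdf", ".zip")


def build_demo_site():
    """Create a throwaway WordPress-like tree; returns (site_root, download_dir)."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    download_dir = os.path.join(root, "wp-content", "plugins",
                                "example-downloader", "files")
    os.makedirs(download_dir)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write(FAKE_WP_CONFIG)
    with open(os.path.join(download_dir, "brochure.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    # A symlink inside the download directory pointing outside it. A string
    # prefix check on the unresolved path would let this through.
    try:
        os.symlink(os.path.join(root, "wp-config.php"),
                   os.path.join(download_dir, "link.pdf"))
    except OSError:
        pass  # platforms without symlink support just skip this case
    return root, download_dir


def vulnerable_download(download_dir, requested):
    """The bug: user input joined onto a base path and read back unchecked.
    '../' walks out of download_dir, and an absolute path makes
    os.path.join discard download_dir altogether."""
    with open(os.path.join(download_dir, requested), "rb") as f:
        return f.read()


def safe_download(download_dir, requested):
    """Canonicalise, then check containment on the resolved path.

    realpath() collapses '..' and follows symlinks, so both traversal and a
    planted symlink resolve to their true location before the check. The
    extension allowlist is a second, independent restriction.
    """
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes download directory: %r" % requested)
    if not target.lower().endswith(ALLOWED_SUFFIXES) or not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root, files = build_demo_site()
    payload = "../../../../wp-config.php"
    print("vulnerable:", vulnerable_download(files, payload)[:40])
    try:
        safe_download(files, payload)
    except PermissionError as exc:
        print("hardened:", exc)
    print("legitimate:", safe_download(files, "brochure.pdf")[:20])
```

The order of the checks matters: containment is decided on the resolved path, not on the string the client sent, so encoding tricks, backslashes and symlinks all collapse to the same decision. Rejecting anything outside the directory before looking at the extension also means an attacker learns nothing about which files exist elsewhere on the server.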

If you’re a WordPress user, the free version of Wordfence will protect you against the exploits we’re seeing from this IP. As new attacks emerge, we improve our firewall rules which we release to our premium customers in real-time and to our free customers on a 30 day delayed schedule. That’s why we recommend you upgrade to Wordfence Premium.

71 Comments on "Profile of a Russian Attack IP"

vinoth August 3, 2016 at 8:36 am • Reply

thanks for this info

Rudolf August 3, 2016 at 8:44 am • Reply

A bunch of those attacked themes are based on mysitemyway.com. You might point that out.

Janice Sand August 3, 2016 at 10:37 am • Reply

The themes by Mysitemyway are all listed with vulnerabilities! I have notified Envato regarding the theme InFocus which they continue to sell. These themes have not been updated in over a year.

Jim August 3, 2016 at 8:45 am • Reply

Glad to see nothing I'm using made the lists.

Rick Harris August 3, 2016 at 8:45 am • Reply

Why not report this to the FBI as well?

Gary August 3, 2016 at 8:55 am • Reply

Just wondering if this is reported to the Cloudflare folks.

mark August 3, 2016 at 11:38 am • Reply

We currently don't have a channel to communicate with their team. We have however captured the relevant forensic data in case they reach out to us. We're headed to defcon this week, so if we meet any of their team (I've met some at previous conferences) we'll definitely reach out regarding this. I'd love to find out what happened and help them improve their ruleset. They have a ton of customers and WordPress powers over 25% of the web now so it's important they also protect against this stuff.

Jaime August 3, 2016 at 1:08 pm • Reply

Hi Mark,

CloudFlare employee here. We isolated "Ivan's" IP address ourselves and have taken actions to block it completely. It's important to note that, over the past 7 days, our WAF blocked exactly 1,055,907 requests from this IP alone. We'll be monitoring for similar behavior moving forward. In the future, feel free to contact support here: https://support.cloudflare.com/hc/en-us or file an abuse report here: https://www.cloudflare.com/abuse/ when trying to reach us with this kind of information.

Thanks,
Jaime

mark August 3, 2016 at 3:51 pm • Reply

Thanks Jaime, much appreciated. You can reach out to us at genbiz at wordfence.com. We're at defcon in case any of your team are here and want to connect to discuss or just say hi. Most of the team is here all week. You can reach me at mark at wordfence.com

Kofi August 3, 2016 at 9:08 am • Reply

Great info. Thanks guys. You're doing a great job.

Matt August 3, 2016 at 9:12 am • Reply

Great work as usual. Thanks for what you do.

kathleen August 3, 2016 at 9:19 am • Reply

I wonder if this is a part of the DNC attack?

MySemakan August 3, 2016 at 9:19 am • Reply

Great, Many thanks for the alert

Jimmy Barroga August 3, 2016 at 9:23 am • Reply

Many thanks for the info.

Jean-Pierre August 3, 2016 at 9:24 am • Reply

Thank you for your info. Our site was attacked last week, from a range of countries. We have a paid subscription to cloudflare. We received more than 1400 email alerts from Wordfence. The site was unharmed. I thank you for your firewall, blocking and the information given.

Di August 3, 2016 at 9:26 am • Reply

thank you for posting this...Would be great though if I was actually able to set up the firewall. I couldn't get past that part of the setup process because my server doesn't allow modifications to the php.ini. So unless there's another way to install the firewall, I'm still vulnerable. Thanks for this info though, now I know what to look for.

mark August 3, 2016 at 11:35 am • Reply

Hi Di,

Please visit our support forums at: https://wordpress.org/support/plugin/wordfence and our team will help you get set up in short order.

Or you can visit our Premium support system if you're a Premium customer to get priority support at: https://support.wordfence.com/support/home.

We don't offer support here at all, but we're very active in both our free and premium support systems.

Mark.

Richard August 3, 2016 at 9:29 am • Reply

Not surprised, with the way things are going in political campaigns, or rather the way it is even encouraged to play out the other side.

Mike Davis August 3, 2016 at 9:32 am • Reply

Appreciate the info, guys. For those of us who develop our own themes and plugins, it would be a great resource if you could point us toward a list of the actual vulnerabilities that are being exploited, and/or some sort of best practices guide for developing themes and plugins without introducing known vulnerabilities.

Cheers!

mark August 3, 2016 at 11:33 am • Reply

Thanks Mike. Duly noted. We'll consider some kind of technical bulletin for devs.

Paul Bailey August 3, 2016 at 9:32 am • Reply

Why does it seem that we are powerless against these criminals? Report them to the Internet service provider, and what will they do? Jack, yes jack. I've contacted the Russian authorities about this on many occasions and got nothing back.

Yvonne Finn August 3, 2016 at 9:33 am • Reply

Thank you for the information and for the steps you take to protect us from these attacks.
Much appreciation!

Nick August 3, 2016 at 9:34 am • Reply

Great Post, thanks - so why doesn't each ISP (or even better each country) just have an optional "clean" web - the internet where blacklisted IPs are blocked by default - from where all the trouble originates?

Surely that would go so far to combating the cybercrime we're all exposed to all the time.

Then, 99% of people would be protected (because why would we want to allow this sort of trouble) without hoping that their AV/Wordfence/Firewall is spotting all the bad guys?

There's probably some very valid reason why, but it pisses me off that these gangs don't just get a proper job and be part of society.

Uncle.Davy August 3, 2016 at 9:41 am • Reply

Just started to notice. Why are the bad fellows always based in Russia, China, North Korea or the former Communist countries? Just a passing thought.

Jetpack August 3, 2016 at 1:14 pm • Reply

Attacks come from all over the globe, including the U.S. The countries you mention among the top of course, but there are regular attacks from the U.K., Brazil, India and other points. I got tired of it and just blocked all the countries we don't do business with entirely - everything but the U.S. and Canada, basically. That has drastically reduced the number of pesky issues as well as the serious ones.

Jason Noel August 3, 2016 at 9:45 am • Reply

Thanks for the post. I'm pretty sure that a couple of my client wp sites were affected by this attack. One site in particular had 200 banned ip addresses reported by Wordfence within 8 hours... it was nuts. I had to shut down the email notifications after 15 or so. Thanks for such a great plugin and the updated blog post talking about it.

Adam August 3, 2016 at 9:53 am • Reply

Does WordFence premium work on WordPress Multisites?

mark August 3, 2016 at 11:32 am • Reply

Absolutely. We fully support multi-site.

Joel August 3, 2016 at 10:10 am • Reply

Does anyone know if the DNC was operating a WordPress site when they got hacked by Russia?

The SEO Doctors August 3, 2016 at 10:22 am • Reply

Excellent read. The Russians are at it again!

Do you know what exactly they are downloading? Is it a backdoor or virtual FTP to bypass security and roam around on your server? Or are they just trying to get your wp-config.php file so they can log on to your WordPress and destroy it? Any idea their motives?

Bill Tirmer August 3, 2016 at 10:31 am • Reply

Thanks Mark and crew. Really appreciate the work you folks are doing and the way you are sharing your finds.

Rama August 3, 2016 at 10:48 am • Reply

Only posting "46.161.X.X" - Now we don't know which IP to block.

mark August 3, 2016 at 11:31 am • Reply

These attacks are already blocked by the Wordfence firewall.

Cristian Balan August 8, 2016 at 5:55 am • Reply

Yes, but I'm using a server SaaS solution which I would like to check to see if it has already caught this IP, which I believe it has, but I would like to check.

Mary Hiott August 3, 2016 at 11:04 am • Reply

can you give us the IP addresses of the attackers?

mark August 3, 2016 at 11:31 am • Reply

Saw your other reply Mary. :-) No worries!

Mary Hiott August 3, 2016 at 11:09 am • Reply

I'm sorry I skipped over your details about giving out the full IP. Trying to super speed read (just made that one up) LOL. Thanks

Tore Olafsen August 3, 2016 at 11:10 am • Reply

Thanks, and keep up the good work!

tore

Ashwin August 3, 2016 at 11:11 am • Reply

Using Wordfence was my best decision. You guys are doing a great job.

I am lucky not to use any of the above plugins and themes.

This week I also faced a brute force attack on my blog but they were not able to penetrate my site because of Wordfence.

Thanks Wordfence team.

Chris August 3, 2016 at 11:27 am • Reply

Which Plugin are you exactly referring to with "plugin-newsletter"? If you search the Plugin Directory on wordpress.org you get a lot of Newsletter Plugins.

Are you referring to this one: https://wordpress.org/plugins/newsletter/
In the plugins directory on the server it's just called "newsletter".

mark August 3, 2016 at 11:30 am • Reply

These are the plugin 'slugs' that uniquely identify the plugin in the repository. So you'd have to use wordpress.org/plugins/[insert slug here]/ if the plugin is in the repository. Otherwise, it's a proprietary plugin.

Psx123 August 3, 2016 at 11:29 am • Reply

Why spread propaganda against Russia? It could be an infected server being used as a proxy.

Don't blame Russia, many attacks from other countries as well for example, the United States and UK.

Mitchell August 4, 2016 at 1:39 am • Reply

Agree with you here 100%. I have a major problem with people doing Geo blocking of entire countries simply because a few rogue IP blocks from that country are launching attacks. I don't and will not ever block an entire country, seldom even an entire subnet block either.

I have an automated blocking system on all my servers, very accurate and IP based. 10 repeat attempts at failing to gain access to any resource and they are perma-banned for 365 days. In 2 years my perma ban list is only 435 IPs and a new one gets perma banned maybe once a week.

Sure most attacks originate from Russia and China but blocking the entire countries is simply not a sensible way to go about things. They will find other routes to get to you anyway (if they really want to) but in the interim you are denying major segments of the internet access to your site(s).

psx12 August 5, 2016 at 7:19 am • Reply

Yeah, I never block a whole country. I just use Fail2ban, like you, I think that's what you use?

CJ Hardy August 30, 2016 at 5:24 pm • Reply

Many of us happen to appreciate using country blocking and many of us do not need nor want traffic from certain countries, which can distort site analytics, i.e. bounce rate.
It is convenient, safe and saves our business time, money and useless metrics. Multi million dollar turnover just from one State/region here, so imo we do not need, will not suffer, will hardly notice the effect of blocking most countries. Wordfence is an important tool, do what you will with it, be smarter, use it, learn more, whatever it takes. Regret is a bitch.

Oleg (rus: Олег) August 3, 2016 at 11:42 am • Reply

To prevent attacks from 46.161.*.* you can involve Russia's special "Department K", the department for cyber crimes; it is possible to write to them and inform them about what is happening, and to clarify whether the attack comes directly from this IP or whether it is just a proxy server. I think that nobody does this kind of attack directly. "The Department" certainly knows what to do with offenders of this kind.
https://en.mvd.ru/structure/Structure/Administrations/Administration_K_of_the_MIA_of_Russia
---
I often see in firewall reports that passwords are being guessed from different IPs. This is a screenshot from an email http://www.pixic.ru/i/k0Y121X8M565g5b4.png and this is one site.

mark August 3, 2016 at 11:56 am • Reply

Hi Oleg,

Thanks for your reply. This does not look like a proxy server - it appears to be a server where attacks are originating from because it does not send any proxy headers. If you can put us in contact with the Ministry with someone who speaks english we'd be happy to work with them.

Thank you.

Mark.

Anton August 4, 2016 at 4:44 am • Reply

Mark... he gave you a direct link to these people...

But if you are too lazy to visit, I can copy-paste it for you here:

Administration "K" of the MIA of Russia
Press Service:
Chief of the Press Service, Major of Police, Aleksandr Alekseevich Vurasko
E-mail for mass media representatives: vurasko@cyberdept.ru (applications of citizens, sent to this e-mail address, are not processed)

----------------

Btw, MOST attacks I have on my English site came from "Amazon micro services"... There is a TON of crapware... but it's cool to think that Russians are too stupid to hide their IP, but smart enough to hack governments... =)

Oleg August 3, 2016 at 11:54 am • Reply

Recently I noticed that for a long time ssh access to the server was being guessed from Chinese IP addresses, and if you block one of them the attack comes from a different IP on the same subnet; blocking by mask turned out not to block the whole Chinese IP segment but only a small part, roughly 255*255 = 65025 IP addresses for the network. The authorization logs are clean.

Jack Smith August 3, 2016 at 12:51 pm • Reply

Better party to report it to would be 'US-CERT'. They can be found at the following, and you might be interested in the stuff that they post:

https://www.us-cert.gov/

mark August 3, 2016 at 3:54 pm • Reply

Thanks Jack, we have friends there and in other orgs like Mitre and are already working on data sharing. It's important to underline that this is a microscopic view of the very large attack surface that is the WP ecosystem and the huge number of attacks - and then the permutations of attacks. It's interesting nonetheless and we'll share some macro view stuff in the coming weeks.

Jay August 3, 2016 at 1:29 pm • Reply

Why not block Russia, Ukraine and China by default? I know, one can do so in your paid version (which we use on several sites), but on my other sites those 3 countries stand out - imagine just blocking them, reducing server loads, Wordfence overhead etc.

alexandr August 4, 2016 at 2:37 am • Reply

geoip + iptables for you

OLeg August 4, 2016 at 6:38 am • Reply

Really? So you can just cut off the default access of an entire country?
About the population:
- Russia: 146 519 759 people
- Ukraine: 42 318 294 people
- China: 1 373 541 278 people
= 1 562 379 331 people
For example, if only 0.01% are on the Internet and can go to the site,
it would be: 156 237 people :)
So the problem is that you cannot close access to some sites from a whole country because of an attacker; it is necessary to neutralize the attacker and just patch the holes in the code. I have a server in Russia; we have the same attacks from different sides, and it is not a fact that the country the attack comes from is the real source, since there are proxy servers through which attacks can come. Blocking by default is not an option: almost 20-30% of sites use WordPress, and we are also in Russia, and in Ukraine I have some friends who also use Wordfence to protect themselves. If I hadn't installed Wordfence, I probably would not know that my site is under attack and password guessing.
I just can't ban a whole country on the server, because people come to the website from different countries. And if you disable it by default, what will happen? ) I will install Wordfence on my Russian site and there in the configuration ban all of Russia; it's very fun to sit and watch report statistics showing 0. This is not the way out.

Oleg August 4, 2016 at 6:47 am • Reply

Rough example: if a man shoots a gun from one of the windows of a house, you're not going to blow up the whole city) that is not humane) you just have to know who is doing it; the special services do exactly that. They just will not destroy the city) If you think logically, they just start a special operation aimed at neutralizing 1 person.

Margret August 3, 2016 at 3:05 pm • Reply

Hi Mark.

Just popped in to thank you for all the work you do preventing and protecting our websites from these predators........THANKS!!

MUCH APPRECIATED!!

The World August 3, 2016 at 4:55 pm • Reply

Thanks for everything - We love you guys!

Michael Love August 3, 2016 at 10:41 pm • Reply

Great work Mark! Thanks

Mitchell August 4, 2016 at 1:30 am • Reply

Great work guys and good results here. Wordfence always the first plugin installed on any site I create.

In addition to Wordfence there are also some very simple ways in Nginx to stop people calling any php file directly outright like upload.php etc.

# Stop external direct calling of any .php files in WordPress sub directories.
# The dot before "php" is escaped so it matches a literal dot rather than any character.
location ~* /wp-includes/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}
location ~* /wp-content/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

Same thing with protecting your sensitive wordpress files like wp-config.php

# Protect specific TXT and config files (and any dotfile); dots escaped as above.
location ~ /(\.|wp-config\.php|readme\.html|license\.txt|schema\.txt|password\.txt|passwords\.txt) {
    deny all;
}

Stephanie August 4, 2016 at 2:23 am • Reply

Hi Mark,
thank you for your great support!
Your protection works fantastic.

Ish Sarwar August 4, 2016 at 6:32 am • Reply

Hi,

Thanks for sharing.

I just recently got Word Fence and I'm glad I did. I'm happy to know Word Fence is blocking the attack.

Thanks

John D August 4, 2016 at 6:38 am • Reply

Great job Mark... Keep up this type of notification, it's very helpful to the community. Also thanks Jamie at Cloudflare for the willingness to collaborate with Wordfence! We're all in this fight together!!

Greg August 4, 2016 at 6:49 am • Reply

You may not release the full IP for this user but I happen to have it! He is the only address on that network to have come up in our server & Wordfence logs.

Don't worry, I'm not going to do anything with it aside from adding it into our server firewall to ensure he never gets anywhere with that IP. Ivan is a bad man! And with the amount of attacks he has launched from the stats above there is a high chance that he is trying to exploit more than just WordPress!

Mitchell Krog August 5, 2016 at 1:11 am • Reply

I grep'd through some log files this morning over 16 sites and since yesterday (since this was published) I have had 4 different IP's in the 41.161.*.* range which are starting to poke around for things in wordpress sites. Apache is generating 500 errors for all of them so I guess that is Wordfence taking control of that for me already. Certainly keeping an eye on this IP range. Obviously this guy pays attention to articles like this and seems to be ramping up his efforts using different IP's now and not just one. These were all new attempts in the last 24 hours.

Mitchell Krog August 5, 2016 at 1:13 am • Reply

Sorry typo ... 46.161.*.* range (can comment moderator please amend above comment)

Janio August 4, 2016 at 4:47 pm • Reply

Many thanks, and may you keep doing this excellent work.

May God bless you and us too!

Mitchell Krog August 5, 2016 at 1:18 am • Reply

And interestingly this morning I am seeing the very same exploits listed above from a new IP in the US (8.26.*.*) which :) Thanks to WordFence is already being blocked out without my intervention. Well done Wordfence I can clearly see you are hot on their heels already.

A Holland August 5, 2016 at 9:01 am • Reply

One of our client's websites was hacked by Russians during the past 3 weeks. After we did the first cleanup, they attacked again. The victimized website was inadvertently scanned by Cloudflare - not at our request - which occurred during installation of another website on Cloudflare. We found reference to Cloudflare as indicated in a Malicious Attack Report. On Aug. 2, we emailed Cloudflare asking for an investigation and fix to the problem. No response yet. Our client's theme is not on your list but we believe the vulnerability was the Wordpress plugin Landing-pages, owned by Inbound Now. The wp-config file was edited with a reference to the landing-pages plugin.
We hope this information is helpful and we will be installing the Wordfence plugin today!

Kristian Kristensen August 9, 2016 at 10:42 am • Reply

I wonder.
How many russian websites, using WordFence, have been attacked by Ivan?
Is the percentage the same?
Country blocking and WordFence has kept me safe so far.
Thanks for a Great product.

criminalvictim August 15, 2016 at 6:49 am • Reply

Please spare me the lofty lectures about the ethics of country blocking. It works, and is going to be an even more important part of website defense as more of the world has internet access so they can sit there and watch the Kardashians while scheming on how to steal money so they can afford the Kardashian lifestyle and perhaps their next meal.

Fact is that we pay for the bandwidth. If a given website, for example, has no need of traffic from Brazil, and 99.99 percent of traffic from Brazil to the example website is criminal, it's ridiculous to pay for that bandwidth to satisfy some lofty ideal of never blocking a country.

Joel Scarborough August 22, 2016 at 12:17 pm • Reply

Hey, you got it brother. Time for being politically correct is over. I had to completely rebuild 22 websites in February. I installed Wordfence and blocked those countries involved. I still get more than 400 to 500 attempts a day, but Wordfence blocks them. 90% of the attempts are Russia, China, Ukraine, Romania - I don't need clients from those locations so why let them mess with my bandwidth..
