The February 2017 WordPress Attack Report
This report contains a new kind of analysis on the top 25 attacking IPs, called topology analysis. We have used this technique to identify groups of IPs acting in concert with each other. It is a fun visual kind of analysis and is a powerful way to analyze graph data. I think you are going to find it provides a clearer picture of the WordPress threat landscape.
The report also contains the data you have come to expect, including top 25 attacking IPs and their details, charts of brute force and complex attacks, top attacked themes and plugins and top attacking countries.
Most Active IPs
I’m including our usual explanation of how the table below works. If you’re familiar with our attack reports, you can skip down to the table below which contains the February data and read my comments that follow the table.
Brief introduction if you’re new to viewing these reports
In the table below we have listed the most active attack IPs for February 2017. Note that the ‘Attacks’ column is in millions and is the total of all attacks that originated from each IP. Further right in the table (you may have to scroll right) we break out the attacks into ‘brute force’ attacks and ‘complex’ attacks.
Brute force attacks are login guessing attacks. What we refer to as ‘complex’ attacks are attacks that were blocked by a rule in the Wordfence firewall.
We have also included the netblock owner which is the organization, usually a company, that owns the block of IP addresses that the attack IP belongs to. You can Google the name of the owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.
The hostname included is the PTR record (reverse DNS record) that the IP address owner created for their IP, so this is not reliable data but we include it for interest. For example, we have seen PTR records that claim the IP is a Tor exit node, but it is clearly not, based on traffic.
We also include the country and a country flag. To the far right of the report we show the date in February we started logging attacks and the date attacks stopped. For many of these IPs we logged attacks for the entire month. For some you can see there is a clearly defined attack ‘window’ where the IP started and stopped.
The Top 25 Most Active IPs
Note that the table below contains many more columns than are visible. You can scroll to the right to see the rest of the columns.
If we display our list of the top 25 attacking IPs for February visually, a trend becomes clear. (Click the image for a full size version)
The red squares above are our top 25 IPs. We have added additional data showing who owns each IP address and how they are linked. The green splotches are network ASNs or autonomous system numbers. The little houses are organization names associated with each IP.
Turkish Provider “Ideal Hosting” generated 23.85 million attacks from 9 IPs
As you can see the cluster on the top left has 9 attacking IP addresses on the same network. We zoom into that cluster below. The AS number for that network is 29262 which belongs to an organization called Ideal Hosting based in Turkey. Their company website is at: http://www.idealhosting.net.tr/.
Ideal Hosting provides managed services with ports speeds up to 10Gbps. Their website includes full contact info, so we don’t think that they are a bullet proof host but are instead just suffering from a severe security problem across multiple IP addresses. They may be leasing dedicated servers to a smaller hosting provider who is not securing the servers correctly, providing an attack platform.
All of the attacks from this network were brute force attacks. Every IP except one is a new entrant onto our top 25 list. The highest spot they achieved was 25 in January for a single IP. Now they’re up to 9 IPs attacking and have hit the number 7 spot on our top 25 list.
Dutch Provider HostKey.com generated 17.53 million attacks from 6 IPs during February
The second cluster on the right of our image is AS number 57043 which belongs to a Dutch hosting provider called HostKey. They also sell dedicated servers.
As is the case above, HostKey may be leasing servers to a customer that is not securing them and who has inadvertently created an attack platform. HostKey appeared on our top 25 list for the first time with 3 IP addresses at positions 8, 9 and 12 respectively. They have now expanded to 6 IP addresses on the list and have generated a total of 17.53 million attacks across the sites we protect for February.
Connecting Attackers Across Hosts
In today’s report it is clear that specific hosting providers are generating large numbers of attacks. So it is tempting to believe that the hosting providers themselves are malicious actors.
Lets take a look at the data through a different lens. We are going to perform topological analysis on our attack data in February for the top 25 IPs. This will give us a visual indication of how attacking IPs are connected to the sites they attack and to each other.
Topological analysis of the Top 25 attacking IPs in February
To do this we are going to include all attacks originating from our top 25 IP addresses during the month of February. We have a lot of data, so to pare it down, we are only going to consider target websites that received more than 100 attacks from a single IP address during any 24 hour period in February.
What we end up with is: The top 25 IP addresses and which websites they attacked more than 100 times in any day during February.
The attack data is represented graphically showing the attacking IPs as large blobs connected by threads to the websites they attacked, which are small blobs.
The above image, while quite beautiful, represents brute force attacks from our top 25 IP addresses targeting websites during February. The image actually contains a lot of data:
- Attacking IPs are large blobs and their size is dependent on the number of attacks they launched.
- The lines linking nodes indicates an IP attacking a target website.
- The websites are all small blobs.
- The colorization indicates related communities of attackers.
To explain what is happening here, lets zoom into the topmost cluster.
As you can see in the above cluster, the IP addresses include all 9 of the 185.X.X.X IPs in our top 25 that belong to Ideal Hosting.
It also includes all four IPs that are 5.39.X.X from HostKey.com in the Netherlands.
Lets drag the IPs out of that cluster and separate them from the websites they are attacking to clear things up.
The cluster above shows that the attacking IPs in that cluster all appear to be attacking, for the most part, the same cluster of websites. They are attacking other websites, but there is a clear and large group of websites that these IPs are all attacking together. The IPs above appear to be behaving as a group.
What does normal non-related behavior look like?
In the cluster that appears on the right of our overview image, about halfway down, you can see what is more independent behavior by attacking IP addresses. In this case the mushroom shapes are groups of websites that are only being attacked by the IP address they are connected to and by no other attacker. That shows independent behavior.
You can also see in the above image that there are clear groups of victim websites that are being targeted by two IPs. And then in the center there are groups of websites that are being targeted by multiple IPs.
It is inevitable that many of the websites that Wordfence protects will be attacked by several of our most prolific attackers, so those center clusters are expected. The two-IP clusters are also expected for the same reason – because we have two attackers who overlapped in their attacks.
One possible reason for attackers targeting the same websites is “Google dorking” where an attacker identifies a vulnerable website based on data from Google’s index. If attackers use the same technique to locate target websites, they will end up attacking the same clusters of websites.
When we have a large mushroom shape, it indicates that IP is acting alone and is the only one attacking the sites in that cluster. So in the case of this purple cluster, these IPs appear to be acting independently because each of them is the only one attacking a large cluster of websites.
Completely independent behavior by 220.127.116.11
At the very bottom of our overview image, we have a single IP address belonging to Reliance Communications based in Hyderabad, India. The IP is attacking a large number of websites that no other IP in our top 25 is attacking. This IP is the only IP based in India in our top 25 list.
One possible theory to explain the completely independent behavior of this IP is that it is targeting Indian websites. The attacker may also have a unique way of locating target websites that no other IP in our top 25 used.
By performing topological analysis on the behavior of our top 25 attacking IPs for February, it reveals behaviors and patterns that we would otherwise miss. In this case it has revealed that IPs at our two most prolific hosting providers are actually behaving as a group and are probably controlled by a single attacker.
Brute Force Attacks on WordPress in February 2017
As you can see we experienced a huge spike in brute force attack activity this February starting at approximately February 20th and sustaining until the end of the month. As a reminder, these are simply login guessing attacks. Wordfence blocked an average of 30 million brute force attacks per day across the websites that we protect in February. This is an increase from the 26 million attacks per day average we saw in January.
Complex Attacks on WordPress in February 2017
While brute force attacks were up significantly in February, complex attacks on WordPress sites dropped from 4.6 million per day average in January to only 3.3 million per day. Complex attacks are attacks that are blocked by our firewall and that try to exploit vulnerabilities in plugins, themes, WordPress core and other products installed with WordPress.
Attacks on Themes for February 2017
Once again we are not seeing much change in the rankings in the themes that are targeted for attack in WordPress. The biggest change is the ‘authentic’ theme has climbed 11 places to number 4 for February. This attack is probably trying to exploit the arbitrary file download vulnerability in that theme and is of course blocked by Wordfence.
Attacks on Plugins for February 2017
Our biggest gainer among attacked plugins in February is wp-pagenavi which gained 28 places. Attackers occasionally install fake versions of this plugin once a site is compromised. These may be attempts by attackers to access a fake plugin as part of a check to see if a site has been compromised. These are blocked by Wordfence.
Attacks by Country for February 2017
There are a few changes in the top 25 attacking countries for February 2017. Indonesia has made their debut into the top 25 by climbing 19 places since last month. The Philippines and Malaysia are also big gainers climbing 12 and 10 places respectively.
That concludes the attack report for February 2017. I hope this has given you a clear picture of the threat landscape that confronts WordPress currently. In this report the new topology analysis we included has provided unique insight on how threat actors spread themselves across countries and hosting providers.
We saw a huge spike in brute force attacks in February and an average drop in the number of complex attacks. There was little change in the attacked themes and some change in the plugins we are seeing targeted.
As always you are welcome to share your thoughts and questions in the comments and I will be around to read and reply where needed.
Mark Maunder – Wordfence Founder/CEO.