Oh, botnets. Never give up hope.

Last month, fully 0.27% of the hits on my various domains were for a nonexistent /wp-login.php document.

That's 1 out of every 360 hits.

And that number is lower than it would otherwise be because I have a fail2ban rule where a single hit on that URL results in an immediate 3-day blacklist entry for the IP address.

And, that tally doesn't even include hits on the login page that actually exists (under /blog/ instead of in the root directory).

This is rivalling Bitcorn mining in its sleepless, mechanized optimism.
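A fail2ban filter and jail that implement the rule described above (a single hit on the nonexistent /wp-login.php earns an immediate 3-day ban), added here as an illustration rather than the post's own configuration; the filter name, the Apache combined-log path and the 404-path list beyond /wp-login.php are assumptions:

```ini
# /etc/fail2ban/filter.d/apache-wp-login.conf   (assumed filename)
[Definition]
# Apache combined log format begins with the client address, so <HOST>
# anchors at line start.  Any method and any status code match: the
# document does not exist here, so one request is already an attack.
# Additional "noisy 404" paths would be added as further alternations
# inside the group; only /wp-login.php is taken from the post itself.
failregex = ^<HOST> .*"(GET|POST|HEAD) /wp-login\.php(\?\S*)? HTTP/
ignoreregex =

# /etc/fail2ban/jail.local   (append to the existing file)
[apache-wp-login]
enabled  = true
filter   = apache-wp-login
port     = http,https
logpath  = /var/log/apache2/access.log
# One matching line within the findtime window is enough.
maxretry = 1
findtime = 600
# 3 days, given in seconds so it also works on fail2ban < 0.10
bantime  = 259200
```

Before enabling the jail, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wp-login.conf` reports how many existing log lines the expression would have matched, which is a cheap way to confirm it is not also banning legitimate visitors.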



14 Responses:

  1. J. Peterson says:

    Similar observations from fifteen years ago. Back then most of the traffic was looking for Windows holes.

    Sad.

  2. Chris Davies says:

    This isn't exactly unprecedented. I remember attempts to exploit the code red vulnerability being a major part of my error logs almost a decade after the fact.

  3. Care to publish your fail2ban rules? It sounds like you might have some cool ones.

    • jwz says:

      It's nothing particularly clever, I just made a list of the noisiest 404s that were obvious attacks.

  4. Josh Dersch says:

    The VAX-11/780-5 we have on the 'net at the Living Computer Museum in Seattle got so overwhelmed with botnets attempting to log in (as "Administrator" or as "root") that it was spending a significant portion of its processor time dealing with logins. (And the audit logs being spewed out at 1200 baud on the system console would continue for hours after you unplugged the ethernet cable...)

    Not many bots know how to deal with VMS systems, it appears. We've since moved the machine behind a login server frontend to reduce the load and to increase the security a bit.

    • Huh. I had wondered if that was a problem, there. I assumed you were safe because nobody even bothered to try those hacks anymore.

      Like, are people still bothering to try any of the TCP hacks that would bluescreen Windows 3.11?

      • jwz says:

        (And the audit logs being spewed out at 1200 baud on the system console would continue for hours after you unplugged the ethernet cable...)

        Upload a multi-hour youtube video of this please!

        • Josh Dersch says:

          Alas, now that it's behind the login server we no longer get endless streams of failed login attempts. Even when it was happening it wasn't that exciting to watch, we have the console on a terminal server (both for logging and so we can access it from anywhere) so it's just a telnet session with text scrolling by... slowly. If it had been on an actual VT100 I probably would have taken a video at the time...

          (We have a VAX 7000-640 that's still directly connected to the Internet, and that is currently using a VT420 for the console, but the botnet hits have slowed to a trickle today.)

          But you might be interested in this video I took this morning. I assume you've seen the original Dali Clock running on an Alto at some point, but just in case, click here. Now if I could just track down the source code...

          • jwz says:

            Nice! I never found the source for the Alto version, but the Lisa source is in the xdaliclock tarball in the mac128 subdirectory. "The 68K is hand translated from an obscure high-level microcode language used on Altos."

            • Josh Dersch says:

              I'll have to check out that 68K code, thanks! Now I'm curious what "high-level microcode language" that was... there were a couple of attempts to create higher-level languages that compiled to Alto microcode (for example, Micro-SPL) but most people just wrote their microcode by hand.

              I wonder if Steve Capps has any of this stuff lying around.

    • Moofie says:

      The webmaster at a previous job ran the public facing web server on an IBM RS6000 running AIX. He showed me the logs scrolling away with all the attempts to attack PHP or IIS logins. The server used custom Perl scripts to statically generate all the pages so he would just laugh at the attacks.

  5. robert_ says:

    I love you cold unfeeling wp-login.php

  6. Anon says:

    Just to confirm that your fail2ban rulz workz. I tried to hackz your non-existent jwz org/wp-login.php, and couldn't access your website for E days after.

  7. Anon says:

    If you created a system to go through the log and automatically attempt to ssh back into those originating IPs with the very most obvious login and password combinations, you might be surprised to find the high percentage of these hosts that were probably themselves compromised by stupid password guessing attacks, converted into attack platforms, and haven't been secured since. Then it might be interesting to see what's up with these systems. For research.

    I'm speaking completely hypothetically here, of course, because such activity might be frowned upon in some jurisdictions.
