hosyeow
December 21, 2015, 8:33am
1
Hi, I am using Comodo WAF on IIS and my WordPress wp-login.php page always gets booted by hackers.
The issue is, every time the hacker boots the wp-login.php it uses a new session.
The WAF rule ID 230011 will record every session in a different line in the ip.pag file, rather than updating the counter.
For example, in the ip.pag file below there are thousands of attacks from the same IP 94.23.73.13, but the hacker is using a different session each time.
Hence every session creates one line in the ip.pag rather than updating the counter!
[Below is the ip.pag file]
expire_KEY
1450685732 KEY <94.23.73.13:21988_ffa2829a0d77fcd0a169b26a7988fdf1539609ce TIMEOUT 900 __key <94.23.73.13:21988_ffa2829a0d77fcd0a169b26a7988fdf1539609ce __name ip CREATE_TIME
1450684827 UPDATE_COUNTER 1 previous_username admin brute_force_counter 2 LAST_UPDATE_TIME
1450684832 94.23.73.13:21988_ffa2829a0d77fcd0a169b26a7988fdf1539609ce IR
expire_KEY
1450685714 KEY <94.23.73.13:21981_fe3bf9678dbc51bfa726541a83a9d72572a4bdd2 TIMEOUT 900 __key <694.23.73.13:21981_fe3bf9678dbc51bfa726541a83a9d72572a4bdd2 __name ip CREATE_TIME
1450684801 UPDATE_COUNTER 1 previous_username admin brute_force_counter 3 LAST_UPDATE_TIME
1450684814 94.23.73.13:21981_fe3bf9678dbc51bfa726541a83a9d72572a4bdd2
[Below you can see thousands of attacks in the log file]
2015-12-21 03:20:48 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1731
2015-12-21 03:20:50 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 164 1762
2015-12-21 03:20:52 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 167 1731
2015-12-21 03:20:54 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1731
2015-12-21 03:20:56 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1794
2015-12-21 03:20:58 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 162 1762
2015-12-21 03:21:00 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 167 1747
2015-12-21 03:21:02 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 163 1762
2015-12-21 03:21:04 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 164 1762
2015-12-21 03:21:05 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1762
2015-12-21 03:21:08 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 163 1778
2015-12-21 03:21:10 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 160 1731
The ip.pag file grows to gigabytes in size due to attacks with different sessions.
Is there any way to block an IP not based on its session? I have turned on all brute force rules but they failed to prevent this attack.
Hello,
I suppose you can try to block this IP address with some firewall, or, if it’s possible, use this article: https://support.microsoft.com/en-us/kb/324066
But I don’t know which IIS versions support an embedded firewall. I didn’t find it for IIS 7.5 (WinServ2008 R2).
hosyeow
December 22, 2015, 3:40am
3
Hi, my server hosts many WordPress sites and the WordPress wp-login.php is constantly being brute-force attacked from many IP addresses.
I hope WAF can block it automatically; if not block, at least detect it and store it in the audit log.
The problem is the hacker uses a different session all the time in brute-force attempts to guess the WordPress password.
And Comodo’s WAF fails to increase the counter if the attack comes from the same IP but uses a unique session to boot wp-login.php.
When this kind of brute force is happening, wp-login.php is being booted once every few seconds and the ip.pag file grows to 1GB within 10 minutes.
Same IP brute force, but the hacker is clever enough to use a unique session on every attempt.
I tried using one same session to simulate a brute-force attack on wp-login.php; the Comodo WAF successfully updated the counter and denied my access for 1 minute with a 403 status.
TDmitry
December 23, 2015, 2:22pm
4
We will check this issue and try to find suitable solution.
hosyeow
December 28, 2015, 6:52am
5
This kind of booting happens every day on IIS hosting, mostly targeting WordPress “wp-login.php” and sometimes Joomla admin “administrator/index.php”.
Even a hardware firewall is not able to detect this kind of attack.
Please help, can I write a custom rule to block it? Below is another example that is happening now.
2015-12-28 03:16:24 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2421
2015-12-28 03:16:27 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2517
2015-12-28 03:16:30 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2390
2015-12-28 03:16:33 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2500
2015-12-28 03:16:36 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2546
2015-12-28 03:16:38 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2547
2015-12-28 03:16:41 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2562
2015-12-28 03:16:47 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 4878
2015-12-28 03:16:49 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2484
2015-12-28 03:16:53 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 3906
2015-12-28 03:16:55 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2500
2015-12-28 03:16:59 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 151 2250
2015-12-28 03:17:00 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2437
2015-12-28 03:17:03 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2562
2015-12-28 03:17:06 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 3140
2015-12-28 03:17:09 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2391
2015-12-28 03:17:14 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 149 2187
2015-12-28 03:17:15 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 149 3015
2015-12-28 03:17:20 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 153 2140
2015-12-28 03:17:22 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2343
2015-12-28 03:17:25 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2390
2015-12-28 03:17:28 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 3359
2015-12-28 03:17:30 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2453
2015-12-28 03:17:33 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2453
2015-12-28 03:17:36 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2312
2015-12-28 03:17:40 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 149 4234
2015-12-28 03:17:43 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2484
2015-12-28 03:17:47 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 151 2312
2015-12-28 03:17:48 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 149 2468
2015-12-28 03:17:51 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2500
2015-12-28 03:17:54 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2547
2015-12-28 03:17:57 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 153 2281
2015-12-28 03:17:59 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2296
2015-12-28 03:18:05 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2547
2015-12-28 03:18:09 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 152 2312
2015-12-28 03:18:10 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2312
2015-12-28 03:18:13 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2579
2015-12-28 03:18:16 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2375
2015-12-28 03:18:18 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2453
2015-12-28 03:18:21 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2312
2015-12-28 03:18:23 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 149 2406
2015-12-28 03:18:26 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2437
2015-12-28 03:18:29 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 149 2406
2015-12-28 03:18:31 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2500
2015-12-28 03:18:34 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2485
2015-12-28 03:18:37 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 149 2484
2015-12-28 03:18:39 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2500
2015-12-28 03:18:42 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2515
2015-12-28 03:18:44 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2547
2015-12-28 03:18:48 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2578
2015-12-28 03:18:51 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2468
2015-12-28 03:18:54 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 3031
2015-12-28 03:18:55 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2281
2015-12-28 03:19:00 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 152 4468
2015-12-28 03:19:04 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2578
2015-12-28 03:19:06 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2390
2015-12-28 03:19:10 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2393
2015-12-28 03:19:12 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2515
2015-12-28 03:19:15 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2500
2015-12-28 03:19:17 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2547
2015-12-28 03:19:21 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 64 0 153 2265
2015-12-28 03:19:23 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2453
2015-12-28 03:19:25 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2500
2015-12-28 03:19:29 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 3187
2015-12-28 03:19:31 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2500
2015-12-28 03:19:34 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2421
2015-12-28 03:19:37 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2562
2015-12-28 03:19:39 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2359
2015-12-28 03:19:42 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2549
2015-12-28 03:19:44 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2578
2015-12-28 03:19:47 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2562
2015-12-28 03:19:50 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 154 2312
2015-12-28 03:19:52 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 153 2531
2015-12-28 03:19:56 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2437
2015-12-28 03:19:58 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2468
2015-12-28 03:20:00 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2343
2015-12-28 03:20:03 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2484
2015-12-28 03:20:06 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 152 2547
2015-12-28 03:20:09 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2296
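The question running through post 1 and post 5 above is how to count login attempts per source IP rather than per session, since the ip.pag keys shown earlier tie the counter to an address-plus-session key that a session-rotating client never repeats. The script below is an added example written for this thread; it is not code from the original posts or from Comodo. It keys a sliding-window counter on the c-ip field alone, so rotating sessions has no effect, and it parses IIS W3C lines of both layouts quoted in the thread (the second log has an extra "-" column). The sample lines reuse a few from the thread; the 10.0.0.5 entries, the GET request, the 60-second window and the threshold of 5 are constructed assumptions.

```python
"""Sliding-window brute-force detector for IIS W3C access logs (constructed example).

Counts POST requests to known login paths per client IP (c-ip) and ignores any
session cookie, so a client that starts a new session on every attempt is still
counted as a single source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input. The 94.23.73.13 POST lines and the 195.88.84.78 lines are copied
# from the thread (the latter show the layout with an extra "-" field). The
# 10.0.0.5 lines stand for a legitimate user and the GET from 94.23.73.13 shows
# that only POSTs are counted; these are constructed, not from the thread.
SAMPLE_LINES = [
    "2015-12-21 03:20:00 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 10.0.0.5 - 200 0 0 3817 165 1731",
    "2015-12-21 03:20:48 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1731",
    "2015-12-21 03:20:49 W3SVC452 xxx.xxx.xxx.xxx GET /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1731",
    "2015-12-21 03:20:50 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 164 1762",
    "2015-12-21 03:20:52 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 167 1731",
    "2015-12-21 03:20:54 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1731",
    "2015-12-21 03:20:56 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 165 1794",
    "2015-12-21 03:20:58 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 94.23.73.13 - 200 0 0 3817 162 1762",
    "2015-12-21 03:25:00 W3SVC452 xxx.xxx.xxx.xxx POST /wp-login.php - 80 - 10.0.0.5 - 200 0 0 3817 165 1731",
    "2015-12-28 03:16:24 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 151 2421",
    "2015-12-28 03:16:27 W3SVC27 xx.x.xxx.xx POST /wp-login.php - 80 - 195.88.84.78 - - 200 0 0 5647 150 2517",
]

# Login endpoints named in the thread (WordPress and Joomla).
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")


def parse_line(line):
    """Return the fields needed for detection from one W3C log line, or None.

    Positions follow the layout of the thread's logs:
    0 date, 1 time, 2 s-sitename, 3 s-ip, 4 cs-method, 5 cs-uri-stem, 9 c-ip.
    The status code is taken as the first all-digit field after c-ip, which
    copes with the extra "-" column in the second log.
    """
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    status = next((t for t in f[10:] if t.isdigit()), None)
    return {
        "ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
        "method": f[4],
        "uri": f[5].lower(),
        "client_ip": f[9],
        "status": int(status) if status is not None else None,
    }


def detect_bruteforce(lines, threshold=5, window_seconds=60, login_paths=LOGIN_PATHS):
    """Flag client IPs that POST to a login path `threshold` times within `window_seconds`.

    The key is the client IP only; session identifiers are never consulted.
    Returns {ip: {"first_alert": "...", "attempts_in_window": n}} with the
    moment each IP first crossed the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["uri"] not in login_paths:
            continue
        q = recent[rec["client_ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and rec["client_ip"] not in alerts:
            alerts[rec["client_ip"]] = {
                "first_alert": rec["ts"].strftime("%Y-%m-%d %H:%M:%S"),
                "attempts_in_window": len(q),
            }
    return alerts


def block_list(alerts):
    """Sorted list of IPs to hand to a firewall or IIS IP restriction."""
    return sorted(alerts)


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LINES)
    for ip, info in found.items():
        print(f"{ip}: {info['attempts_in_window']} login POSTs within 60s, first at {info['first_alert']}")
    print("block:", block_list(found))
```

Run it against a real log with `detect_bruteforce(open(path))`; the legitimate 10.0.0.5 user never trips the threshold because its two attempts are five minutes apart, while 94.23.73.13 is flagged on its fifth POST regardless of how many sessions it used. Pick the threshold with shared addresses (NAT, corporate proxies) in mind: a rule keyed purely on c-ip will block everyone behind such an address, so a temporary block like the WAF's own 1-minute 403 is a safer default than a permanent firewall entry.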
hosyeow
December 28, 2015, 6:53am
6
Most booting IPs come from Europe, eastern Europe.
TDmitry
December 28, 2015, 10:23am
7
Please ensure that your brute-force protection rules are enabled. If these rules are enabled but the attack is not stopped, please PM me with additional contact information.