I have a site which is temporarily hosted w/ HostMonster and it appears to be getting attacked by some loser in Ukraine. As per CPANEL logs, it looks like my .htaccess is giving them 301 responses, but I’m worried that my interpretation of the logs I see may not be 100% truthful because I know you can bypass .htaccess files through some clever packet / header manipulation. So I’d love some input on this…
Here’s a sample of what’s been constantly going on now for the past 3 days (as per the CPANEL “Latest Visitors” page; it’s a WordPress site, so this isn’t necessarily surprising or new but the aggressiveness of this attack is what’s worrisome: this attack “process” happens every 2 minutes and doesn’t show any signs of stopping):
…
IP              URL            Local time         Size  Status  Method  Protocol  Referer                                User agent
46.119.124.230  /wp-login.php  10/13/12 10:00 AM  698   301     POST    HTTP/1.1  http://www.mywebsite.com/wp-login.php  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
46.119.124.230  /wp-login.php  10/13/12 9:58 AM   697   301     POST    HTTP/1.1  http://www.mywebsite.com/wp-login.php  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
46.119.124.230  /wp-login.php  10/13/12 9:56 AM   699   301     POST    HTTP/1.1  http://www.mywebsite.com/wp-login.php  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
…
Obviously, they’re attacking the login page and I’d love to see what they’re submitting, but due to HostMonster’s wonderful tech support, I can’t access my raw access logs on my Windows machines nor even on their own servers (HostMonster doesn’t have a single Windows machine in their entire building as per what one of their tech support people told me yesterday over the phone, and since they could see the raw logs fine on their end, they basically implied that I was SOL–which has me looking for a new host). I actually posted about this issue yesterday and will update that thread here in a few…
But that aside, should CPANEL be trusted in this case? Is this just some automated bot that nobody has turned off or programmed to better interpret 301s or is this something more insidious? The site is working fine and I haven’t seen or suspected that this attack has done anything… YET.
I’ve contacted authorities about it–which I don’t expect to see anything happen from–and I even contacted the RIPE people to see if there’s anything they can do about it (which, again, I don’t expect to see any action from). I also created a ticket w/ HostMonster people to see if they can blacklist the IP at the firewall level–which hasn’t been responded to yet since being created yesterday (not surprisingly).
Any suggestions or insight into this is appreciated. FWIW, I have blocked the IP in .htaccess as well as through CPANEL. Not sure what else I can do. I’ll admit that I don’t have any CAPTCHA installed on my login, but the only reason for this is because I didn’t think I’d have to go that far with it (especially since I’m planning on replacing the site anyway).
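One way to check the interpretation of the cPanel rows above against the raw access log, added here as an example and not part of the original post: it parses Apache combined-format lines (the format cPanel's raw access logs are written in), groups requests by client IP, and for each IP reports how many POSTs went to /wp-login.php, at what cadence, and whether they were answered with a 301 (redirected by the server before reaching WordPress) or with a 200/302 (the statuses wp-login.php itself returns for a failed or successful login). The log lines are constructed to mirror the rows in the post; the second visitor (203.0.113.7), the function names and the 200/302 heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" access-log format, which cPanel's raw access logs use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines mirroring the cPanel "Latest Visitors" rows in the post:
# one IP, POST /wp-login.php every two minutes, answered with 301.
# A second, unrelated visitor (documentation address) is added so the report
# shows a non-flagged entry as well.
SAMPLE_LOG = """\
46.119.124.230 - - [13/Oct/2012:09:56:00 -0600] "POST /wp-login.php HTTP/1.1" 301 699 "http://www.mywebsite.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
46.119.124.230 - - [13/Oct/2012:09:58:00 -0600] "POST /wp-login.php HTTP/1.1" 301 697 "http://www.mywebsite.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
46.119.124.230 - - [13/Oct/2012:10:00:00 -0600] "POST /wp-login.php HTTP/1.1" 301 698 "http://www.mywebsite.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [13/Oct/2012:09:57:12 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/15.0"
"""


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarize_by_ip(log_text):
    """Group requests by client IP and collect what an investigator wants to see."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        # Seconds between consecutive requests; the median exposes a fixed cadence.
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[ip] = {
            "requests": len(recs),
            "login_posts": sum(
                1 for r in recs
                if r["method"] == "POST" and r["path"].startswith("/wp-login.php")
            ),
            "statuses": Counter(r["status"] for r in recs),
            "agents": sorted({r["agent"] for r in recs}),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return summary


def flag_login_hammering(summary, min_posts=3):
    """IPs with at least `min_posts` POSTs to wp-login.php, and what answered them.

    Heuristic: 301 means the server redirected the request (e.g. an .htaccess
    rule) before WordPress ran; 200/302 are what wp-login.php itself returns.
    """
    flagged = {}
    for ip, s in summary.items():
        if s["login_posts"] >= min_posts:
            flagged[ip] = {
                "login_posts": s["login_posts"],
                "redirected_301": s["statuses"].get(301, 0),
                "reached_wordpress": sum(
                    c for st, c in s["statuses"].items() if st in (200, 302)
                ),
                "median_gap_s": s["median_gap_s"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_login_hammering(summarize_by_ip(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against a real raw access log, a `reached_wordpress` count of zero alongside a non-zero `redirected_301` count confirms that the redirect rule, not WordPress, is answering the POSTs; the 120-second median gap is the "every 2 minutes" cadence from the cPanel view.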