Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection
A few months ago, we discussed and published details about a very large brute force attack targeting WordPress sites.
The attackers (bad guys) had thousands of servers at their disposal, and were attempting all types of passwords on wp-admin (WordPress admin panel) to try to get access to as many WordPress sites as possible. The attacks lasted for a few weeks and then it calmed down. I can’t attest to their successes, but knowing how bad people are at choosing passwords, I guess it worked well for them.
Lately, we started to see the same thing happen to Joomla sites. While most of the sites we monitor would get a few brute force attempts per day in the past, the last couple of days all of them are getting thousands of requests daily.
Against one website, we saw 11,349 requests during the course of a few hours coming from 1,737 different IP addresses. Each IP address was trying to log in once or twice. And after a few hours, it would try again, making this type of attack very hard to detect and block.
Joomla Brute force timeline
We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere.
We also started to see customers complaining about excessive resources utilization, similar to what happened with the WordPress attacks.
Slow and Low Distribution
Most of the brute force attacks we would see in the past would consist of one IP address hitting the login pages hundreds of times. After that, it would switch to another one, then another one, and so on until it succeeded.
This type of attack takes a different approach and uses the slow and low approach to avoid detection. Instead of the same IP reaching the server many times, it would only do it once or twice, then pass to another IP address.
This is how it looks in the logs:
126.96.36.199 - - [02/Sep/2013:17:20:31 -0400] "POST /administrator/index.php HTTP/1.0" 188.8.131.52 - - [02/Sep/2013:17:20:49 -0400] "POST /administrator/index.php HTTP/1.0" 184.108.40.206 - - [02/Sep/2013:17:20:54 -0400] "POST /administrator/index.php HTTP/1.0" 220.127.116.11 - - [02/Sep/2013:17:21:12 -0400] "POST /administrator/index.php HTTP/1.0" 18.104.22.168 - - [02/Sep/2013:17:21:13 -0400] "POST /administrator/index.php HTTP/1.0" 22.214.171.124 - - [02/Sep/2013:17:21:49 -0400] "POST /administrator/index.php HTTP/1.0" 126.96.36.199 - - [02/Sep/2013:17:21:53 -0400] "POST /administrator/index.php HTTP/1.0" 188.8.131.52 - - [02/Sep/2013:17:22:05 -0400] "POST /administrator/index.php HTTP/1.0" 184.108.40.206 - - [02/Sep/2013:17:22:05 -0400] "POST /administrator/index.php HTTP/1.0"
As you can see, the IP addresses are always changing and taking a few seconds between each attempt. This type of under-the-radar scanning is not new, and has been used for a while on SSHD-based brute force attacks. We typically don’t see this approach in web-based scanning.
Smart brute forcing
Another aspect of this attack is that it seems very “smart”. Instead of going through a wordlist, it seems the attack is customized per site. So if your site URL is yoursite.com, they would be trying the following password combination first:
admin:yoursite.com administrator:yoursite.com admin:yoursite admin:yoursite123 admin:123yoursite.com administrator:yoursite123 administrator:123yoursite.com admin:yoursiteletmein
There are a slew of other variations based on the website URL and title. It looks like the attackers are really stepping up their game to try to increase the success rate.
We are still learning about this attack and seeing where it will go. If you are using Joomla, we highly recommend blocking access to your administrator panel and only allowing your whitelisted IP address. If you are a user of our CloudProxy WAF, this is done by default with no extra work.
We will post more details as we keep tracking them. If you have any questions, let us know.