Tools for Analyzing Threats to a WordPress Website
It is not common for bloggers to publish a record of the attacks against their own site. I have chosen to do so to illustrate that Security by Obscurity no longer works: small business owners using WordPress, take note. What follows is a series of lists and visuals that illustrate a pattern of attacks against this website, SedonaCyberLink.com. I will describe some of the tools I have used for these analyses and show how you can use them for your own analysis of attacks against your website.
I do not have a back-office database of customers. I do not have any specific intellectual property of note. Here, I have only the musings of a few thinkers and writers. But, what might be making this attractive to hackers from around the world is that I have set up a plug-in (Transposh) that provides for the translation of the website into several different languages. You can see which languages by browsing to the top right drop-down menu under “View in Your Language____” on the landing page.
I have divided this essay into two parts:
- Brute Force password cracking attempts; and
- All Other Attacks.
Brute Force Password Cracking Attempts
Techopedia.com defines Brute Force as: “A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.”
I have been tracking Brute Force password cracking attempts since July 2012, and the data visualizations below reflect more than a year of logging and analysis. This is an attack on authentication, and one that every site on the web is subjected to on a regular basis. Hackers, political activists, and criminals are looking for “weak” passwords in order to gain unauthorized access to websites. Once they have guessed a password and gained administrator access to a site, they use that site as a proxy from which to launch attacks on others. So even if you are not selling anything and hold no “data” that a hacker or criminal would want, you are still a target by virtue of being a potential beachhead for attacks on others. Small businesses are especially vulnerable.
The key defense against these attacks is to limit the number of failed login attempts allowed before the source is locked out. Web administrators should also set up an alert for whenever that limit is exceeded. For my site, I blacklisted each IP address that exceeded a set number of attempts against a specific service. Note that the logs record the service attacked as well as the number of attempts. The originating IP address is sometimes questionable, because attackers often route their traffic through compromised machines or websites, through Tor, or through another unsuspecting proxy, so take care when drawing conclusions based on IP addresses alone. Nonetheless, it is useful to track them, if only to see where the proxies are located geographically. To the right is a diagram that shows the decrease in hits against my own site once I started blacklisting the IP addresses responsible for Brute Force attacks against SedonaCyberLink.com. I have color-coded the figure by the geographic area the attack came from. This diagram was generated with the data visualization tool Tableau.
Another useful data visualization for showing the magnitude of attacks from any one country is a “Heat Map.” This shows that most of the Brute Force attacks against this site are coming from Asia and North America, and, to a lesser extent, Europe.
As noted above, website administrators should limit the number of failed password attempts allowed from a single IP address, or against a single account, within a short window; automated attackers rarely keep a browser session, so a per-session limit alone is easily bypassed. Then set up an “alert” to be sent to the administrative eMail when that limit is exceeded. The website manager should then “black list” the IP addresses that are Brute Force attacking services on the server. If you do not know how, contact your hosting service for instructions.
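The lockout, alert and blacklist steps described above, as an added example (this is not code from SedonaCyberLink.com or from any WordPress plugin). It keeps a sliding window of failed logins per IP, locks an IP out once it passes a threshold inside the window, queues exactly one alert record per lockout, and renders the blacklist as Apache 2.4 `.htaccess` directives. The thresholds, the `.htaccess` deployment and the sample addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Sliding-window login lockout of the kind recommended above.

Added example, not code from SedonaCyberLink.com or from any WordPress plugin.
One event per failed wp-login.php attempt (client IP, Unix time) is fed in;
an IP that fails MAX_FAILURES times inside WINDOW_SECONDS is locked out for
LOCKOUT_SECONDS, an alert record is queued for the administrator, and the IP
joins a deny list that can be emitted as Apache 2.4 .htaccess directives.
All thresholds and the sample addresses (RFC 5737 ranges) are assumptions.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5          # assumed: lock after the 5th failure in the window
WINDOW_SECONDS = 600      # assumed: 10-minute sliding window
LOCKOUT_SECONDS = 3600    # assumed: one-hour lockout


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> Unix time the lockout expires
        self.alerts = []                    # (ip, time, failures) for the admin email
        self.blacklist = set()              # every IP that has ever tripped the limit

    def is_locked(self, ip, now):
        """True while a lockout for `ip` is in force; expired lockouts are dropped."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login. Returns True only on the failure that
        triggers a new lockout, so the caller sends exactly one alert."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # age out old failures
            recent.popleft()
        if len(recent) >= self.max_failures and not self.is_locked(ip, now):
            self.locked_until[ip] = now + self.lockout
            self.alerts.append((ip, now, len(recent)))
            self.blacklist.add(ip)
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self.failures.pop(ip, None)


def htaccess_deny(ips):
    """Render the deny list as an Apache 2.4 block for .htaccess (assumed
    deployment; use your host's firewall instead if it offers one)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip %s" % ip for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def simulate():
    """Replay constructed failure events and return the limiter state."""
    limiter = LoginLimiter()
    # Constructed: 203.0.113.5 fails every 10 s (automated guessing);
    # 198.51.100.7 fails three times over an hour (a forgetful human).
    events = [("203.0.113.5", 1000 + 10 * i) for i in range(6)]
    events += [("198.51.100.7", 1000 + 1200 * i) for i in range(3)]
    for ip, ts in sorted(events, key=lambda e: e[1]):
        if limiter.record_failure(ip, ts):
            print("ALERT: %s locked out at t=%d after %d failures"
                  % (ip, ts, limiter.max_failures))
    return limiter


if __name__ == "__main__":
    state = simulate()
    print(htaccess_deny(state.blacklist))
```

In the replay, only the address that fails five times within the window is locked out and alerted on; the slow, human-looking failures age out of the window and never trip the limit. The alert records are left as data so that whatever mail or logging mechanism the host provides can deliver them.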
I have also been logging all other types of attacks for about three months, beginning on June 10, 2013. These other attacks are tracked using a WordPress plugin called Attack-Scanner. There is a free version and a paid version of this software. The paid version allows the website manager to “block” the IP addresses generating the attacks with a single click. There is also a statistics tool within Attack-Scanner that rolls up and visualizes the data. Below are some images generated from the embedded statistics tool of the paid version.
Top 10 Attacks by City
- Beijing attacked 3507 times.
- Ho Chi Minh City attacked 1837 times.
- Sayreville attacked 1224 times.
- San Jose attacked 830 times.
- Kansas City attacked 469 times.
- Hanoi attacked 350 times.
- Tianjin attacked 289 times.
- Seattle attacked 262 times.
Top 10 Attacks by Country
- China attacked 4039 times.
- United States attacked 3843 times.
- Vietnam attacked 2187 times.
- Germany attacked 481 times.
- Netherlands attacked 204 times.
- Czech Republic attacked 143 times.
- France attacked 120 times.
- United Kingdom attacked 95 times.
To the right is a map that illustrates where these attacks are coming from. As you can see, many of the attacks in this category are also from the U.S., Europe, and China. Within the plugin there is an interactive map that lets the user mouse over a point and see a pop-up with the IP address and other data associated with each attack. Website administrators can use this to investigate patterns of attack against their sites further.
The following tables show the top 10 attack types and the top 10 attackers by IP address.
Top 10 Attack Types
- WordPress Username Deduction was used 11083 times.
- Possible XML-RPC Attacks was used 199 times.
- SQLi was used 173 times.
- WordPress Trackback was used 126 times.
- XSS was used 4 times.
- Directory Traversal/Local File Inclusion was used 2 times.
Top 10 Attackers by IP Address
- 126.96.36.199 attacked 2229 times.
- 188.8.131.52 attacked 829 times.
- 184.108.40.206 attacked 339 times.
- 220.127.116.11 attacked 309 times.
- 18.104.22.168 attacked 292 times.
- 22.214.171.124 attacked 284 times.
- 126.96.36.199 attacked 262 times.
- 188.8.131.52 attacked 239 times.
- 184.108.40.206 attacked 232 times.
The Username Deduction attack was by far the most frequent, followed by the XML remote procedure call (XML-RPC) attack method, then SQL injection (SQLi). Trackback was used 126 times and there were only 4 attempts at Cross Site Scripting (XSS). Username deduction is reconnaissance: WordPress will confirm which login names exist (for example, by redirecting a request for /?author=1 to that author's page), and a harvested list of valid user names makes the Brute Force attacks described in the first part of this essay far more efficient. What this tells me is that the attackers are primarily trying to gain access to the site and its administrative privileges, rather than to steal anything stored on it. This would be consistent with the profile of a state actor or cyber-criminal seeking to compromise a vulnerable website and use it as a beachhead for attacks on other sites holding sensitive data (personally identifiable information [PII] of customers and/or intellectual property).
The Statistics tool within the paid version of Attack-Scanner will also give the user the top 10 attack strings (not shown here). These show exactly which inputs and parameters the attackers are probing, which is helpful for finding and fixing vulnerable code within your WordPress site.
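To show how the attack types tallied above can be recovered from an ordinary web-server access log, here is an added example of a small classifier; it is not code from Attack-Scanner or from SedonaCyberLink.com. It parses Apache "combined" log lines, percent-decodes the request path, applies a handful of rules whose labels mirror the plugin's categories, and counts hits per type and per client IP. The rules, the log format and the sample lines (constructed, using RFC 5737 addresses) are assumptions; a real scanner carries far more signatures, and these few will both miss attacks and flag some legitimate requests.

```python
"""Classify web-server access-log requests into the attack types listed above.

Added example, not code from Attack-Scanner or from SedonaCyberLink.com. It
parses Apache "combined" log lines, decodes the request path, applies a
small rule set whose labels mirror the plugin's categories, and tallies hits
per type and per client IP. The rules and the sample log (RFC 5737 addresses,
constructed here) are assumptions; a real scanner carries far more signatures
and these few will both miss attacks and flag some legitimate traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# (label, pattern applied to the percent-decoded path). First match wins.
RULES = [
    # WordPress answers /?author=N with a redirect to /author/<login>/, which
    # leaks the login name; scanners walk N=1,2,3... to harvest accounts.
    ("WordPress Username Deduction", re.compile(r"[?&]author=\d+")),
    ("Possible XML-RPC Attacks", re.compile(r"^/xmlrpc\.php")),
    ("WordPress Trackback", re.compile(r"/trackback/?(\?|$)")),
    ("Directory Traversal/Local File Inclusion",
     re.compile(r"\.\./|/etc/passwd|/proc/self/environ")),
    ("SQLi", re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|sleep\(\d+\)")),
    ("XSS", re.compile(r"(?i)<script|javascript:|onerror\s*=")),
]


def classify(path):
    """Return the attack label for a request path, or None if no rule fires."""
    decoded = unquote(path)   # attackers URL-encode payloads; match the plain form
    for label, pattern in RULES:
        if pattern.search(decoded):
            return label
    return None


def analyze(log_text):
    """Tally attack types and attacking IPs over a block of log lines.
    Returns (Counter by type, Counter by IP, number of unparseable lines)."""
    by_type, by_ip, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        label = classify(m.group("path"))
        if label:
            by_type[label] += 1
            by_ip[m.group("ip")] += 1
    return by_type, by_ip, skipped


# Constructed sample log, not real traffic from any site.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2013:03:12:01 -0700] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jun/2013:03:12:02 -0700] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2013:03:15:44 -0700] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [15/Jun/2013:03:16:10 -0700] "GET /?s=x%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.9 - - [15/Jun/2013:09:40:00 -0700] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 221 "-" "Sogou web spider/4.0"
192.0.2.9 - - [15/Jun/2013:09:40:03 -0700] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Sogou web spider/4.0"
203.0.113.5 - - [15/Jun/2013:03:20:00 -0700] "POST /2013/06/some-post/trackback/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jun/2013:03:21:00 -0700] "GET /about/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    types, ips, bad = analyze(SAMPLE_LOG)
    for label, n in types.most_common(10):
        print("%s was used %d times." % (label, n))
    for ip, n in ips.most_common(10):
        print("%s attacked %d times." % (ip, n))
```

Run against a real log, the two `most_common(10)` loops produce the same "Top 10 Attack Types" and "Top 10 Attackers by IP Address" tables shown above. Decoding the path before matching matters: the SQL injection and XSS probes in the sample arrive percent-encoded and would slip past rules applied to the raw request line.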
Most Frequent Days of Attacks
The Attack-Scanner tool also automatically compiles the most frequent days of attack, as shown to the left. Saturday appears to be a busy day in the hacker and criminal world.
I also exported the data to an Excel file for use with Tableau. The data visualization at the right shows that IP addresses from the same countries as in the Brute Force attack pattern are responsible for most of the attacks. The horizontal bar chart is just one of many visual tools that Tableau offers; the user also has control over font style, type, and size, and colors can be modified through a simple control panel.
Another useful view of these same data shows the browser, by version, that the various attacks claim to be coming from, as reported in each request's user-agent string. The “Bubble” image to the right presents these data. As you can see, attacks from Beijing primarily identify themselves as Sogou (the crawler of a Chinese search engine and web portal), with Mozilla a close second. Bear in mind that the user-agent string is supplied by the client and is trivially forged, so it reflects what the attacker's software chose to claim, not what it actually is. Most of the attacks from a U.S. IP address are coming from Sayreville, New Jersey.
Another useful piece of information is a summary of the attack vector by country. The diagram below presents these analyses. Note that the GET method is the most used, both for remote calls and for username deduction attacks.
The material presented in this essay illustrates that Security by Obscurity does not work. No matter how small you are, if you have a presence on the web, you are subject to attack. The tools presented here are valuable for gauging attack patterns against WordPress sites.
Now the objective is to protect your site. Besides Attack-Scanner, there are other useful tools, including an excellent administrative tool with a security feature: GD Press Tools. I have also found excellent customer support for all of the tools I have recommended here.
Signing off now to go battle the attackers.