• Resolved Armshouse Group

    (@armshous)


    Hi there,

    Absolutely love your plugin and don’t create a WP site without installing it – many thanks for all the hard work!

    Recently, a few of the sites I have it installed on have been getting failed logins from usernames like:

    %firstuser%
    no_matches
    {login}

    Just thought I’d flag it here in case there was something extra you could recommend to do or it gave a clue to some new vulnerability that people were trying to exploit.

    Thanks again,
    AG

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi AG,

    What you are seeing is a normal mode of probing for access. Bots are using these strings hoping to find a vulnerability in the username and then will attempt to crack the password when they find a username match. Wordfence is doing its job and letting you know the names attackers are trying on your site. As long as you don’t have any users with those names, you’ll be fine.

    -Brian

    Thread Starter Armshouse Group

    (@armshous)

    Thanks for the quick reply Brian. Thought so… just wanted to flag.

    “Bots are using these strings hoping to find a vulnerability in the username and then will attempt to crack the password when they find a username match.”

    Interesting, thanks for the explainer. But out of curiosity, how do the bots match “{login}” or “no_matches” to an actual user name? Why would any user pick a name with those things in their real user name string?

    Today, WordPress alerted me on one of my sites that someone tried to use “feed” as a username to gain access. What human would choose “feed” as their user name? I don’t understand how the bots would piece together a real username being so far off-base.

    Anyway, thanks for providing this life-saving plugin!

    Plugin Author WFMattR

    (@wfmattr)

    Some of them are most likely from misconfigured bots, where the malicious user doesn’t know how to use it — perhaps they’re supposed to type ${login} or something along those lines to fill in a login automatically from a list, but they didn’t get it right (and still didn’t notice!)

    I’m not sure about no_matches — that doesn’t seem to make much sense.

    “feed” might be used in some systems for automated logins involved in processing rss feeds. Some of the attempts might be by bots that aren’t targeting WordPress specifically, but just look for login forms in general, so some of the names might be common in other software.

    Very interesting, thanks for the explanation! This whole underground world of hacking bots is fascinating. At some point I was getting so many attempts with the username ‘{login}’ that I had to include it on the immediate block list in Wordfence.

    “feed” makes a lot more sense now — as well as all the other odd ones I often get. Sometimes entire business names are filled out in the login forms (including spaces) and I could not figure out why any hacker would be attempting to gain access through these obviously futile attempts. Now I know! Thanks.
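The triage discussed in this thread, as an added example that is not part of the original posts and is not Wordfence code: it separates unfilled template placeholders such as `{login}` from other non-existent usernames and lists the names that can go on an immediate block list without touching a real account. The log records, the account name `editor_ag`, the threshold and the extra bracket styles are assumptions made for illustration.

```python
import re
from collections import Counter

# Unfilled template tokens: the whole username is one variable wrapped in
# {...}, ${...}, %...%, [...] or <...>. Only the first three styles appear
# in the thread; the other two are an assumption.
PLACEHOLDER = re.compile(
    r"^(?:\$?\{[\w.-]+\}|%[\w.-]+%|\[[\w.-]+\]|<[\w.-]+>)$"
)

def classify(username, known_users):
    """Return 'existing_user', 'placeholder' or 'unknown_user'."""
    name = username.strip()
    if name.lower() in {u.lower() for u in known_users}:
        return "existing_user"  # never a block-list candidate
    if PLACEHOLDER.match(name):
        return "placeholder"
    return "unknown_user"

def blocklist_candidates(failed_logins, known_users, min_attempts=3):
    """Usernames that can be blocked on sight, as (name, kind, attempts).

    Placeholders always qualify. Other names qualify only when no real
    account uses them and they were tried at least min_attempts times.
    """
    counts = Counter(name.strip() for _ip, name in failed_logins)
    candidates = []
    for name, attempts in counts.most_common():
        kind = classify(name, known_users)
        if kind == "placeholder" or (
            kind == "unknown_user" and attempts >= min_attempts
        ):
            candidates.append((name, kind, attempts))
    return candidates

# Constructed sample data: (source IP from documentation ranges, username).
SAMPLE = (
    [("203.0.113.5", "{login}")] * 2
    + [("203.0.113.5", "%firstuser%"), ("192.0.2.9", "${login}")]
    + [("198.51.100.7", "feed")] * 3
    + [("198.51.100.7", "no_matches")]
    + [("192.0.2.44", "editor_ag")] * 4  # real user, must stay unblocked
)
KNOWN_USERS = ["editor_ag"]  # hypothetical list of real accounts

if __name__ == "__main__":
    for name, kind, attempts in blocklist_candidates(SAMPLE, KNOWN_USERS):
        print(f"{name!r}: {kind}, {attempts} failed attempts")
```

The existing-account check runs first so that a real username under attack is never proposed for blocking, which would lock out its owner.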

  • The topic ‘Failed Login Attempts With Strange Usernames’ is closed to new replies.