• Resolved Patrick Boehner

    (@patrick-b)


    Hi, I have just a quick question.

    I’ve been using your plugin for some time on several sites without issue; it works great. I did notice something tonight that I wanted to ask about.

    I got around 30+ notifications (threaded for each IP address) of failed logins. When I went to my site to check the records, it listed 100 failed attempts for each IP address despite the settings being set to 2 failed attempts within 30 min. Not quite sure if the same IP was waiting 30 min each two attempts till it got to 100 before changing addresses, or what. The details link doesn’t say anything about what username or password they were trying or how much time was between attempts.

    Just curious as I have never seen that behavior before.

    https://www.ads-software.com/plugins/ip-blacklist-cloud/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter Patrick Boehner

    (@patrick-b)

    Looking over the logs after seeing this post from Sucuri: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

    Each of the attempts looks like it's using XML-RPC to make the 100 attempts in one HTTP request, and that would probably explain why the Blacklist log was lacking in details.

    5.79.68.161 - - [06/Oct/2015:23:57:54 -0400] "POST /wordpress/xmlrpc.php/xmlrpc.php HTTP/1.0" 200 21587 "-" "Mozilla/5.0 (X11; Linux i686; U) Opera 7.52  [en]"

    I imagine this is not something that IP Blacklist Cloud is meant to handle, but if it is, let me know, or if anyone has a good recommended way to deal with this.
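
A log-side check for the pattern in the access-log line above, added here as an example and not part of the original thread or the plugin: it groups POSTs to xmlrpc.php by client and flags unusually large 200 responses, since one request can carry many login attempts and a per-request counter will undercount them. The function names, the 5000-byte threshold and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: a reply to a single XML-RPC call is small, so a reply of
# several KB suggests many batched results. Tune against your own traffic.
LARGE_RESPONSE = 5000

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    '5.79.68.161 - - [06/Oct/2015:23:57:54 -0400] "POST /wordpress/xmlrpc.php/xmlrpc.php HTTP/1.0" 200 21587 "-" "Mozilla/5.0 (X11; Linux i686; U) Opera 7.52  [en]"',
    '192.0.2.10 - - [06/Oct/2015:23:58:01 -0400] "GET /wordpress/ HTTP/1.1" 200 10432 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Oct/2015:23:58:09 -0400] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Oct/2015:23:59:30 -0400] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleClient/1.0"',
]

def xmlrpc_posts(lines):
    """Return {ip: [(timestamp, path, status, size), ...]} for POSTs to xmlrpc.php."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match xmlrpc.php as any path segment so /xmlrpc.php/xmlrpc.php counts too.
        path = m["path"].split("?", 1)[0].lower()
        if "xmlrpc.php" not in path.split("/"):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], m["path"], int(m["status"]), size))
    return dict(hits)

def suspicious(hits, min_size=LARGE_RESPONSE):
    """IPs with at least one 200 reply large enough to hold many batched results."""
    return sorted(ip for ip, rows in hits.items()
                  if any(st == 200 and sz >= min_size for _, _, st, sz in rows))

if __name__ == "__main__":
    found = xmlrpc_posts(SAMPLE_LOG)
    for ip in suspicious(found):
        print(ip, found[ip])
```

The access log records only the response size, not the request body, so this flags candidates for review or for a web-server rule restricting xmlrpc.php; it cannot recover the usernames that were tried.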

    Plugin Author Adiie9

    (@ad33lx)

    Hi,

    I have mentioned in earlier posts that there is no security for XML attacks so far, as WordPress itself is not able to handle it.

    I am trying my best to get a solution for it but cannot trace out attacks.

    Regards,
    Adeel

  • The topic ‘Odd Behavior’ is closed to new replies.