• Resolved kwisatz

    (@kwisatz)


    I’m seeing this hash being used for log-in attempts on one particular WordPress website, several times a day, from IPs all over the world.

    I have found two other people online who have written about this same user being tried on their sites.

    In my case, such a user has never existed on the site. I imagine it must be part of some leak, but I can’t find any really useful info about it.

    I’d like to use the crowd intelligence to figure out where these log-in attempts are coming from, and why this particular user-name?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @kwisatz, thank you for reaching out.

    Are these login attempts being blocked by Wordfence?

    When logged in to the site, could you please navigate to Wordfence > Tools > Live Traffic and confirm whether you see any Traffic entries of the blocked login attempts on this page?

    Brute force login attacks are one of the most common attacks that we see and are normal. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence.

    Wordfence does all of the important blocking for you automatically so you don’t have to, but if you wish to make your brute force or rate limiting rules a little stricter so that they can’t retry as frequently, for example reducing login failures to 3 or 5 instead of 20, you might find the following links useful:

    https://www.wordfence.com/help/firewall/brute-force/ 

    https://www.wordfence.com/help/firewall/rate-limiting/ 

    If there are successful login attempts and the user has administrative access, please let me know.

    Thanks,

    Mark.

    Thread Starter kwisatz

    (@kwisatz)

    Yes, they are being blocked after the first failing log-in attempt. After all, such a user does not exist.

    E.g.

    A user with IP address 102.129.x.y has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘df7c8c98dfd88d9dfad’ to try to sign in. The duration of the lockout is 4 hours. User IP: 102.129.x.y

    I’m not worried about them logging in; I was merely curious why this specific username. I thought maybe it’s part of EICAR, or something similar.
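
The lockout notice quoted in the thread has a fixed shape, so a batch of such notices can be grouped by attempted username to show how many distinct addresses tried each one. This is an added example, not part of the thread and not Wordfence's code; the function names are hypothetical, and the sample notices with their documentation-range IP addresses are constructed.

```python
import re
from collections import defaultdict

# Shape of the lockout notice quoted in the thread (curly or straight quotes).
LOCKOUT_RE = re.compile(
    r"A user with IP address (?P<ip>\S+) has been locked out .*?"
    r"Used an invalid username [‘'](?P<user>[^’']+)[’'] to try to sign in\."
    r"(?: The duration of the lockout is (?P<duration>[^.]+)\.)?",
    re.S,
)

def parse_lockout(notice):
    """Return {'ip', 'user', 'duration'} for one notice, or None if it does not match."""
    m = LOCKOUT_RE.search(notice)
    return m.groupdict() if m else None

def is_hex_token(username, min_len=8):
    """True when the name is only hex digits (not a dictionary-style guess like 'admin')."""
    return re.fullmatch(r"[0-9a-fA-F]{%d,}" % min_len, username) is not None

def sprayed_usernames(notices, min_ips=3):
    """Map each username tried from >= min_ips distinct addresses to those addresses."""
    ips_by_user = defaultdict(set)
    for notice in notices:
        rec = parse_lockout(notice)
        if rec:
            ips_by_user[rec["user"]].add(rec["ip"])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}

# Constructed sample input: same wording as the quoted notice, documentation-range IPs.
TEMPLATE = (
    "A user with IP address {ip} has been locked out from signing in or using the "
    "password recovery form for the following reason: Used an invalid username "
    "‘{user}’ to try to sign in. The duration of the lockout is 4 hours. User IP: {ip}"
)
SAMPLE_NOTICES = [
    TEMPLATE.format(ip=ip, user=user)
    for ip, user in [
        ("192.0.2.10", "df7c8c98dfd88d9dfad"),
        ("198.51.100.7", "df7c8c98dfd88d9dfad"),
        ("203.0.113.44", "df7c8c98dfd88d9dfad"),
        ("203.0.113.44", "df7c8c98dfd88d9dfad"),  # repeat from one address counts once
        ("192.0.2.99", "admin"),
    ]
]

if __name__ == "__main__":
    for user, ips in sprayed_usernames(SAMPLE_NOTICES).items():
        print(f"{user!r}: {len(ips)} distinct IPs, hex-only={is_hex_token(user)}")
```
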

  • The topic ‘Who or what is df7c8c98dfd88d9dfad ?’ is closed to new replies.