Http-bf-wordpress_bf does not detect bruteforce attack

Hi Community,

It looks like http-bf-wordpress_bf did not detect the following attack on my WordPress page.
The page is running on NGINX.

Please find below a sample for the attacker IP from the nginx log.

Do I need to change some configuration, or is there a bug in the scenario?

1.2.3.4 - - [28/Oct/2023:22:43:49 +0200] "GET /wp-login.php HTTP/1.1" 200 49978 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:43:50 +0200] "GET /?author=1 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:43:51 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:43:52 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:44:52 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:44:52 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:45:52 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:45:53 +0200] "POST /wp-login.php HTTP/1.1" 200 50253 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:46:56 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:46:56 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:47:58 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:47:59 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:49:00 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:49:00 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:50:01 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:50:02 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:51:02 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:51:02 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:52:03 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:52:03 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:53:04 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:53:04 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:54:05 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:54:05 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:55:06 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:55:07 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:56:07 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:56:08 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:57:08 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:57:09 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:58:09 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:58:09 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:59:10 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:22:59:11 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:00:11 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:00:11 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:01:12 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:02:14 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:02:15 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:03:14 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:03:15 +0200] "POST /wp-login.php HTTP/1.1" 200 50340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
1.2.3.4 - - [28/Oct/2023:23:04:16 +0200] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

That's because you are responding 444 to the requests, and 444 has no meaning in HTTP status codes.

However, another user had the same thing and I responded with a custom scenario.

Edit: However, I tested your logs and it does trigger the wordpress bruteforce scenario? Have you got the scenario downloaded?

WARN[30-10-2023 09:19:40] Acquisition is finished, shutting down
INFO[30-10-2023 09:19:40] Killing parser routines
INFO[30-10-2023 09:19:40] Killing parser routines
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1s) at 2023-10-28 22:43:50 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1s) at 2023-10-28 22:45:53 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1s) at 2023-10-28 22:47:59 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (2 events over 1s) at 2023-10-28 22:50:02 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (2 events over 0s) at 2023-10-28 22:52:03 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bf-wordpress_bf_xmlrpc' (10 events over 9m13s) at 2023-10-28 22:53:04 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (2 events over 0s) at 2023-10-28 22:54:05 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (4 events over 1m1s) at 2023-10-28 22:57:09 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (3 events over 1m2s) at 2023-10-28 22:59:11 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bad-user-agent' (3 events over 1m3s) at 2023-10-28 23:02:15 +0200 +0200
INFO[30-10-2023 09:19:40] Ip 1.2.3.4 performed 'crowdsecurity/http-bf-wordpress_bf_xmlrpc' (10 events over 9m9s) at 2023-10-28 23:03:14 +0200 +0200
INFO[30-10-2023 09:19:42] Bucket routine exiting
INFO[30-10-2023 09:19:42] Bucket routine exiting
INFO[30-10-2023 09:19:43] crowdsec shutdown

Edit Edit: Realized it wasn't the bruteforce scenario that was triggered.

$ cscli explain --log '1.2.3.4 - - [28/Oct/2023:22:54:05 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"' --type nginx -v
line: 1.2.3.4 - - [28/Oct/2023:22:54:05 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
	├ s00-raw
	|	├ 🟢 crowdsecurity/non-syslog (+5 ~8)
	|		├ update evt.ExpectMode : %!s(int=0) -> 1
	|		├ update evt.Stage :  -> s01-parse
	|		├ update evt.Line.Raw :  -> 1.2.3.4 - - [28/Oct/2023:22:54:05 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
	|		├ update evt.Line.Src :  -> /tmp/cscli_explain3093210858/cscli_test_tmp.log
	|		├ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-10-30 09:23:57.121628297 +0000 UTC
	|		├ create evt.Line.Labels.type : nginx
	|		├ update evt.Line.Process : %!s(bool=false) -> true
	|		├ update evt.Line.Module :  -> file
	|		├ create evt.Parsed.message : 1.2.3.4 - - [28/Oct/2023:22:54:05 +0200] "POST /wp-login.php HTTP/1.1" 200 50355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
	|		├ create evt.Parsed.program : nginx
	|		├ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2023-10-30 09:23:57.121701426 +0000 UTC
	|		├ create evt.Meta.datasource_path : /tmp/cscli_explain3093210858/cscli_test_tmp.log
	|		├ create evt.Meta.datasource_type : file
	├ s01-parse
	|	├ 🟢 crowdsecurity/nginx-logs (+22 ~2)
	|		├ update evt.Stage : s01-parse -> s02-enrich
	|		├ create evt.Parsed.target_fqdn : 
	|		├ create evt.Parsed.body_bytes_sent : 50355
	|		├ create evt.Parsed.http_referer : -
	|		├ create evt.Parsed.request_length : 
	|		├ create evt.Parsed.remote_addr : 1.2.3.4
	|		├ create evt.Parsed.request : /wp-login.php
	|		├ create evt.Parsed.time_local : 28/Oct/2023:22:54:05 +0200
	|		├ create evt.Parsed.http_version : 1.1
	|		├ create evt.Parsed.status : 200
	|		├ create evt.Parsed.verb : POST
	|		├ create evt.Parsed.request_time : 
	|		├ create evt.Parsed.http_user_agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
	|		├ create evt.Parsed.proxy_alternative_upstream_name : 
	|		├ create evt.Parsed.proxy_upstream_name : 
	|		├ create evt.Parsed.remote_user : -
	|		├ update evt.StrTime :  -> 28/Oct/2023:22:54:05 +0200
	|		├ create evt.Meta.source_ip : 1.2.3.4
	|		├ create evt.Meta.http_path : /wp-login.php
	|		├ create evt.Meta.log_type : http_access-log
	|		├ create evt.Meta.http_status : 200
	|		├ create evt.Meta.http_user_agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
	|		├ create evt.Meta.http_verb : POST
	|		├ create evt.Meta.service : http
	├ s02-enrich
	|	├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
	|		├ create evt.Enriched.MarshaledTime : 2023-10-28T22:54:05+02:00
	|		├ update evt.Time : 2023-10-30 09:23:57.121701426 +0000 UTC -> 2023-10-28 22:54:05 +0200 +0200
	|		├ update evt.MarshaledTime :  -> 2023-10-28T22:54:05+02:00
	|		├ create evt.Meta.timestamp : 2023-10-28T22:54:05+02:00
	|	├ 🟢 crowdsecurity/geoip-enrich (+10)
	|		├ create evt.Enriched.ASNOrg : 
	|		├ create evt.Enriched.ASNumber : 0
	|		├ create evt.Enriched.IsInEU : false
	|		├ create evt.Enriched.IsoCode : AU
	|		├ create evt.Enriched.Latitude : -33.494000
	|		├ create evt.Enriched.Longitude : 143.210400
	|		├ create evt.Enriched.ASNNumber : 0
	|		├ create evt.Meta.IsoCode : AU
	|		├ create evt.Meta.ASNNumber : 0
	|		├ create evt.Meta.IsInEU : false
	|	├ 🟢 crowdsecurity/http-logs (+7)
	|		├ create evt.Parsed.static_ressource : false
	|		├ create evt.Parsed.file_dir : /
	|		├ create evt.Parsed.file_frag : wp-login
	|		├ create evt.Parsed.impact_completion : true
	|		├ create evt.Parsed.file_name : wp-login.php
	|		├ create evt.Parsed.file_ext : .php
	|		├ create evt.Meta.http_args_len : 0
	|	├ 🟢 crowdsecurity/jellyfin-whitelist (unchanged)
	|	└ 🟢 crowdsecurity/nextcloud-whitelist (unchanged)
	├-------- parser success 🟢
	├ Scenarios
		├ 🟢 crowdsecurity/http-bad-user-agent
		└ 🟢 crowdsecurity/http-bf-wordpress_bf

It does create the bucket.

Edit Edit Edit: So the issue is that the leakspeed is 10 seconds, but the attacker is logging in every minute, so this isn't caught by our scenario. We can create a slower BF scenario:

type: leaky
name: crowdsecurity/http-bf-wordpress_bf_slow
description: "detect slow wordpress bruteforce"
debug: false
# failed auth on wp-login.php returns 200
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
groupby: evt.Meta.source_ip
capacity: 7      # the 8th POST that arrives while the bucket is still full overflows it
leakspeed: 2m    # one token drains every 2 minutes, so ~1 login per minute still accumulates
blackhole: 5m    # after an overflow, no new alert for the same source IP for 5 minutes
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  label: "WP bruteforce"
  service: wordpress
  remediation: true
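
The following is an added worked example (not from this thread and not CrowdSec's own code): it replays the wp-login.php POSTs from the log above through a simplified leaky-bucket model and runs both the stock parameters and the slow scenario above. Assumptions: the bucket model (one token per matching event, continuous drain of one token per leakspeed, overflow when the incoming event would push the fill above capacity, bucket discarded after an overflow, blackhole not modelled) is my simplification of CrowdSec's limiter, not its actual code; capacity 5 for the stock scenario is my recollection of the hub scenario and is not stated in the thread; the log lines are constructed from the timestamps in the thread; the regex and all helper names are mine.

```python
"""Replay of the thread's access log through a simplified CrowdSec-style leaky bucket.

Added example, not CrowdSec's own code. Model (an assumption): each matching event
adds one token, tokens drain continuously at one per `leakspeed`, an event that would
push the fill above `capacity` overflows the bucket, and the bucket is discarded after
an overflow. `blackhole` is not modelled.
"""
import re
from datetime import datetime

# Constructed sample log: the 20 "POST /wp-login.php" timestamps from the thread plus
# two non-matching lines (a GET and the 444 on xmlrpc.php) to exercise the filter.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
WP_LOGIN_POST_TIMES = [
    "22:43:52", "22:44:52", "22:45:53", "22:46:56", "22:47:59", "22:49:00", "22:50:02",
    "22:51:02", "22:52:03", "22:53:04", "22:54:05", "22:55:07", "22:56:08", "22:57:09",
    "22:58:09", "22:59:11", "23:00:11", "23:01:12", "23:02:15", "23:03:15",
]


def nginx_line(hms, request, status, size):
    """Build one nginx 'combined' log line for the attacker IP (constructed data)."""
    return f'1.2.3.4 - - [28/Oct/2023:{hms} +0200] "{request} HTTP/1.1" {status} {size} "-" "{UA}"'


SAMPLE_LOG = [
    nginx_line("22:43:49", "GET /wp-login.php", 200, 49978),
    nginx_line("22:43:51", "POST /xmlrpc.php", 444, 0),
] + [nginx_line(t, "POST /wp-login.php", 200, 50355) for t in WP_LOGIN_POST_TIMES]

# nginx 'combined' format; group names mirror the fields crowdsecurity/nginx-logs exposes.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) \S+ \S+ \[(?P<time_local>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    # file_name the way the http-logs enricher derives it: last path segment, query dropped
    ev["file_name"] = ev["request"].split("?", 1)[0].rsplit("/", 1)[-1]
    return ev


def wp_login_filter(ev):
    """Same condition as the scenario filter: a POST to wp-login.php answered with 200."""
    return ev["verb"] == "POST" and ev["file_name"] == "wp-login.php" and ev["status"] == "200"


class LeakyBucket:
    def __init__(self, capacity, leakspeed_s):
        self.capacity = capacity
        self.leakspeed_s = leakspeed_s
        self.level = 0.0      # tokens currently in the bucket (fractional after draining)
        self.last = None      # time of the previous event
        self.events = 0       # events poured since the bucket was created

    def pour(self, ts):
        """Pour one event at time ts. Return True if it overflows the bucket."""
        if self.last is not None:
            elapsed = (ts - self.last).total_seconds()
            self.level = max(0.0, self.level - elapsed / self.leakspeed_s)
        self.last = ts
        self.events += 1
        if self.level > self.capacity - 1:   # no room left for one more token
            return True
        self.level += 1
        return False


def run_scenario(lines, capacity, leakspeed_s, event_filter=wp_login_filter):
    """Replay lines through one bucket per source IP; return [(overflow_time, events_in_bucket)]."""
    buckets, overflows = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not event_filter(ev):
            continue
        key = ev["remote_addr"]                      # groupby: evt.Meta.source_ip
        bucket = buckets.setdefault(key, LeakyBucket(capacity, leakspeed_s))
        if bucket.pour(ev["time"]):
            overflows.append((ev["time"], bucket.events))
            del buckets[key]                         # bucket is discarded once it overflows
    return overflows


if __name__ == "__main__":
    for name, capacity, leakspeed_s in [
        ("crowdsecurity/http-bf-wordpress_bf", 5, 10),         # stock: capacity 5 (assumed), leakspeed 10s
        ("crowdsecurity/http-bf-wordpress_bf_slow", 7, 120),   # slow: capacity 7, leakspeed 2m
    ]:
        hits = run_scenario(SAMPLE_LOG, capacity, leakspeed_s)
        print(f"{name}: {len(hits)} overflow(s)",
              [(t.strftime("%H:%M:%S"), f"{n} events") for t, n in hits])
```

Running it shows why the two scenarios disagree: with a 10s leakspeed every token has drained long before the next login arrives about 60s later, so the stock bucket never holds more than one token, while the 2m leakspeed only drains about half a token per login and the slow bucket overflows on the 14th POST at 22:57:09. The authoritative check on a real box is `cscli explain --file <access.log> --type nginx -v`, which reports the scenarios that actually fire on the whole log rather than on a single line.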

Hi @iiAmLoz ,
thank you for your answer.
I did not mean the 444 on xmlrpc.php. This is just blocked by nginx.
Also, I understood that would be a different scenario, as the normal Wordpress_BF is for the wp-login.php page.

So I understood that the attacker was slower than the thresholds, and because of that it was not identified.
Is your change going into an official release, or do I need to add this to my own parser?

Best regards
Timmi