Watching login trolls

kelly7552 · 2013-03-22 19:16:03 UTC

I decided just for the hell of it to track, in a database, all the people trying to hack into wp-login.php from my websites. I’m recording their ip address, the username they are trying to login to, and the password they are attempting to use.

I have 5-6 of my websites tracking these trolls, and I created a website that will list the top 30 username/password combinations and the 10 ten ip addresses of the trolls.

I have an hourly set of cron jobs which will update the database with new attempts.

It’s revealing and amusing. This is a poster boy for why you should never have an wordpress admin account named admin.

The website is wp-securitywatch.com, it’s primitive right now, I only have 2 days of data in the database, but I’ll continue to add info like other hacking attempts gleaned from the access and error logs.

Bill

sierracircle · 2013-03-22 21:51:33 UTC

THat looks like a fun project. It would be cool to see the geo-location of those IP’s as well.

sXi · 2013-03-22 21:55:22 UTC

Very cool. It will be interesting watching those numbers grow.

kelly7552 · 2013-03-22 21:58:31 UTC

Yeah, I’m away for a few weeks, but when I return geo code additions are a great idea. Also I’m thinking of adding user agent and maybe more access to specific info. Also on my list is a separate report on number of non-wordpress commands entered and specific wordpress trolling for failed plugins; but all in good time…

LakeRat · 2013-03-23 00:32:39 UTC

sounds like a site that will attract DDOS and hack attacks =]

they walk tall and are followed by a huge botnet =] Been there, done that Wasn’t here but I’ll never forget that 72 hours of my life =]

bobocat · 2013-03-23 00:36:06 UTC

Yep, that’s been noted here in Application admin account.

The same goes for your mysql subdomain. Avoid naming it something like data or mysql because there’s no limit on the number of login attempts once someone figures out what domain your databases are on. Long, random, meaningless strings are best.

kelly7552 · 2013-04-05 05:32:13 UTC

Update to my website, it’s been roughtly 14 days in operation and on 4 reporting websites, I’ve seen 2,446 login attempts. Most of these are stupid robots, that are trying a boat load of attempted passwords. You can see for yourself at http://wp-securitywatch.com what passwords are being attempted.

I’ve had one troll with an ip address 188.175.122.21 that actually spent the time to use try to hack into one website using two different valid account names. This person is dangerous.

Let me use this time to remind everyone that picking a stronger password than say ‘pa$$word’ would be a good thing, and the majority of hacks are looking for a wordpress account named ‘admin’.

Be Safe!
Bill

sXi · 2013-04-05 08:40:28 UTC

Are the “valid account” names common names or have appeared on the site as “Author” at some stage ?

kelly7552 · 2013-04-05 16:15:03 UTC

Yes but not that common, it’s an account I use. One account is an author and the other has never authored anything. For safety sake neither are admin accounts.

-Bill