WordPress login Brute force / Web App Attack on client site.

xmlrpc attack

WordPress login Brute force / Web App Attack on client site.

[munged]::443 2001:41d0:303:22ca:: - - [10/Aug/2019:14:11:14 +0200] "POST /[munged]: HTTP/1.1" 200 6980 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[munged]::443 2001:41d0:303:22ca:: - - [10/Aug/2019:14:11:19 +0200] "POST /[munged]: HTTP/1.1" 200 6980 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[munged]::443 2001:41d0:303:22ca:: - - [10/Aug/2019:14:11:22 +0200] "POST /[munged]: HTTP/1.1" 200 6960 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[munged]::443 2001:41d0:303:22ca:: - - [10/Aug/2019:14:11:26 +0200] "POST /[munged]: HTTP/1.1" 200 6981 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[munged]::443 2001:41d0:303:22ca:: - - [10/Aug/2019:14:11:29 +0200] "POST /[munged]: HTTP/1.1" 200 6975 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[munged]::443 2001:41d0:303:22ca:: - - [10/Aug/2019:14:11:33 +0200] "POST /[munged]: HTTP

WordPress wp-login brute force :: 2001:41d0:303:22ca:: 0.056 BYPASS [31/Jul/2019:08:31:24  1000] [censored_2] "POST /wp-login.php HTTP/1.1" 200 4630 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

xmlrpc attack

Nov 21 07:12:26 mxgate1 postfix/postscreen[7403]: CONNECT from [141.105.66.254]:63166 to [176.31.12.44]:25
Nov 21 07:12:26 mxgate1 postfix/dnsblog[7468]: addr 141.105.66.254 listed by domain zen.spamhaus.org as 127.0.0.3
Nov 21 07:12:26 mxgate1 postfix/dnsblog[7466]: addr 141.105.66.254 listed by domain b.barracudacentral.org as 127.0.0.2
Nov 21 07:12:32 mxgate1 postfix/postscreen[7403]: DNSBL rank 3 for [141.105.66.254]:63166
Nov x@x
Nov 21 07:12:32 mxgate1 postfix/postscreen[7403]: DISCONNECT [141.105.66.254]:63166


........
-----------------------------------------------
https://www.blocklist.de/en/view.html?ip=141.105.66.254

2019-11-21T06:56:30.626851abusebot-4.cloudsearch.cf sshd\[31423\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.231.237.245  user=root

61.136.101.84 was recorded 68 times by 1 hosts attempting to connect to the following ports: 3128. Incident counter (4h, 24h, all-time): 68, 392, 7651

49.80.63.136 - - [21/Nov/2019:07:11:20 +0100] "GET / HTTP/1.1" 301 299 "-" "Googlebot/2.1 (+hxxp://www.googlebot.com/bot.html)"


........
-----------------------------------------------
https://www.blocklist.de/en/view.html?ip=49.80.63.136

2019-11-21T07:22:39.507394stark.klein-stark.info postfix/smtpd\[2270\]: NOQUEUE: reject: RCPT from marmalade.shrewdmhealth.com\[81.28.100.129\]: 554 5.7.1 \: Relay access denied\; from=\ to=\ proto=ESMTP helo=\
...

Nov 21 07:19:48 lvps87-230-18-106 sshd[22420]: Did not receive identification string from 196.217.154.115
Nov 21 07:19:52 lvps87-230-18-106 sshd[22421]: Invalid user thostname0nich from 196.217.154.115
Nov 21 07:19:55 lvps87-230-18-106 sshd[22421]: Failed password for invalid user thostname0nich from 196.217.154.115 port 60496 ssh2
Nov 21 07:19:55 lvps87-230-18-106 sshd[22421]: Connection closed by 196.217.154.115 [preauth]


........
-----------------------------------------------
https://www.blocklist.de/en/view.html?ip=196.217.154.115

Lines containing failures of 110.78.153.176
Nov 21 07:15:07 hvs sshd[17381]: Invalid user tech from 110.78.153.176 port 20096
Nov 21 07:15:08 hvs sshd[17381]: Connection closed by invalid user tech 110.78.153.176 port 20096 [preauth]


........
-----------------------------------------------
https://www.blocklist.de/en/view.html?ip=110.78.153.176

Nov 20 23:21:19 hanapaa sshd\[24208\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.110  user=root
Nov 20 23:21:21 hanapaa sshd\[24208\]: Failed password for root from 49.88.112.110 port 15811 ssh2
Nov 20 23:21:24 hanapaa sshd\[24208\]: Failed password for root from 49.88.112.110 port 15811 ssh2
Nov 20 23:24:26 hanapaa sshd\[24446\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.110  user=root
Nov 20 23:24:28 hanapaa sshd\[24446\]: Failed password for root from 49.88.112.110 port 64618 ssh2

Nov 21 12:44:28 dedicated sshd[23853]: Failed password for root from 132.145.213.82 port 32440 ssh2
Nov 21 12:47:56 dedicated sshd[24412]: Invalid user com** from 132.145.213.82 port 50409
Nov 21 12:47:56 dedicated sshd[24412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.145.213.82 
Nov 21 12:47:56 dedicated sshd[24412]: Invalid user com** from 132.145.213.82 port 50409
Nov 21 12:47:58 dedicated sshd[24412]: Failed password for invalid user com** from 132.145.213.82 port 50409 ssh2

Port scan: Attack repeated for 24 hours

2019-11-21 05:13:15,010 fail2ban.actions        \[14488\]: NOTICE  \[sshd\] Ban 27.128.175.209
2019-11-21 05:44:09,428 fail2ban.actions        \[14488\]: NOTICE  \[sshd\] Ban 27.128.175.209
2019-11-21 06:20:04,238 fail2ban.actions        \[14488\]: NOTICE  \[sshd\] Ban 27.128.175.209
2019-11-21 06:52:02,254 fail2ban.actions        \[14488\]: NOTICE  \[sshd\] Ban 27.128.175.209
2019-11-21 07:23:38,335 fail2ban.actions        \[14488\]: NOTICE  \[sshd\] Ban 27.128.175.209
...

Microsoft-Windows-Security-Auditing

port scan and connect, tcp 23 (telnet)

Honeypot attack, port: 23, PTR: PTR record not found

2019-11-20 UTC: 4x - root(4x)