After analyzing the data I have, I’ve determined that there are two separate and distinct attackers, and Bad Behavior is successfully blocking 100% of attempts from both of them.

I got an email from Liquid Web early this morning, for instance, referencing the attacks. In this case they wrote borrowed a custom mod_security rule to do what fail2ban already does (but better). If you can’t use fail2ban, you might be able to use their mod_security rule in your .htaccess, depending on your web hosting provider. Unfortunately, since the rule is dependent on IP address, and these attackers are frequently changing IPs, it may not help all that much.

At present, Bad Behavior is the only known tool which is blocking 100% of these attacks out of the box. If you aren’t already using Bad Behavior…

These attacks appear to be originating from two distinct botnets, each with its own distinguishing characteristics. One of them gave little clue as to its command and control stucture, but a spot check of some of the IP addresses indicates that the zombies are likely compromised web servers. The other wasn’t a botnet per se, but one person sending a large number of requests through open Mikrotik and other proxy servers – most of which happily also sent along his IP address, 178.137.18.127. This appears to be registered to a mobile phone in the Ukraine. Oops! Update: Looks like this guy has moved on to 46.118.122.151. He apparently still doesn’t realize that the open proxy servers are sending along his IP address.

The two attackers are distinguishable in that the botnet attacker is sending only the login and password fields in its POST requests, while the idiot on the mobile phone is also sending three other key/value pairs which are present in the WordPress login form.

In both cases, the attacks attempt random passwords and passwords with patterns such as qwertyuiop or 123123. If you have a password that might have such a pattern in it, you should change it immediately.

See also Hardening WordPress for more things you can do to keep your WordPress site secure.

Changes

The following changes have been made since 2.2.13:

• An additional exploit scanner has been identified and blocked.
• A small change has been made to accommodate a change made by Firefox to its User-Agent format, to ensure that Firefox 25 (which doesn’t yet exist) is not improperly blocked.

Download

Download Bad Behavior now.

Notes

Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.

Work on Bad Behavior 3.0 is making progress; I have some very basic pre-alpha code and a test framework and I hope to have it cleaned up enough to attempt to begin using in the next few days. If you would like to see this work progress more quickly, or you just want to say thank you, consider making a donation today.

Registration has been reopened for now, and I’m manually dealing with the spammers.

This very bad experience has motivated me to do more about web spammers.

In this case, the bug tracker is Redmine, a web application developed in Ruby on Rails.

My first thought in such a case would have been to throw Bad Behavior at the web app and let it handle the problem. Unfortunately, Bad Behavior is written in PHP, making this impossible. By this point there must be any number of Ruby/Rails apps out there which are now suffering from the spam problems that we all went through and mostly got under control years ago.

It’s therefore my intention, as part of the Bad Behavior 3.0 rewrite, to create a Ruby gem which can be used to help secure such web applications. It may not be a simultaneous release, but something has to be done, and soon.

P.S. It’s also come to my attention that Redmine hasn’t been emailing me when someone enters a new ticket into the system. This should also be fixed. I’ve also taken the time to look at every ticket currently in the system. All bugs and support requests have been responded to, and all features looked at.

Those of you using Bad Behaavior’s Project Honey Pot support will see that requests from FeedBurner are blocked because the IP address is on the http:BL blacklist.

This is caused by an architectural problem at Google, and will require Google to resolve the issue for the problem to go away permanently. The issue is that, in the case of FeedBurner, Google uses IP addresses which are shared by third parties using Google App Engine, some of which are spammers. The spammers quickly get Google’s IP address blacklisted all over the Internet, and suddenly FeedBurner stops working.

If you are impacted by this issue, you can whitelist the affected IP addresses or the FeedBurner user agent string, or disable Project Honey Pot. Be aware that doing any of these will increase the amount of spam you receive. You should also complain to Google, since this isn’t the first time this has happened, and they seem to have done absolutely nothing about it.

Changes

The following changes have been made since 2.2.12:

• Requests from the Baidu search engine now go through screening similar to Google and other major search engines. This will help to prevent illegitimate access from clients which falsely claim to be the Baidu search engine. A logic error which prevented these checks from ever running has been fixed.

Download

Download Bad Behavior now.

Notes

Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.

Work on Bad Behavior 3.0 is finally making progress; I have some very basic almost-functional pre-alpha code and I hope to have it cleaned up enough to attempt to begin using in the next few weeks. Since this is usually the slow season for me, I hope to have some extra time to work on it over the holiday season. If you would like to see this work progress more quickly, or you just want to say thank you, consider making a donation today.

Changes

The following changes have been made since 2.2.11:

• Search engine screening by IP address is now more lenient; a failure to match a known IP address range no longer blocks the bot outright. This change is in response to a major search engine which is adding large numbers of IP address ranges faster than they can be tracked and added to Bad Behavior. Requests which don’t match a known IP address range still go through normal screening, while requests which match will be passed immediately.
• Search engine IP address screening is bypassed when the request originates from an IPv6 address, pending the addition of IPv6 subnet matching code.
• Requests from the Baidu search engine now go through screening similar to Google and other major search engines. This will help to prevent illegitimate access from clients which falsely claim to be the Baidu search engine.
• Some URL blacklist strings have been removed due to the possibility of their matching legitimate user input (e.g. in a site search phrase).

Download

Download Bad Behavior now.

Notes

Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.

Work on Bad Behavior 3.0 is finally making progress; I have some very basic almost-functional pre-alpha code and I hope to have it cleaned up enough to attempt to begin using in the next few weeks. Since this is usually the slow season for me, I hope to have some extra time to work on it over the holiday season. If you would like to see this work progress more quickly, or you just want to say thank you, consider making a donation today.

I’ve replaced the download with a corrected version. If you are experiencing this issue, you can remove and reinstall Bad Behavior, or edit line 94 of bad-behavior/blacklist.inc.php and add a , (comma) after the second " (quotation mark) so that the beginning of the line reads "Nikto",.

As I’ve noted previously, I’m in the midst of moving away from WordPress subversion and toward git (and github) which will let me put in place processes to prevent this sort of brown paper bag problem again. Please accept my apologies for the inconvenience this may have caused you.

NOTE: Support for the 2.0 series is very limited and will end June 30, 2013. Plan to migrate to the 2.2 series as soon as possible.

Changes

The following changes to 2.2 have been made since version 2.2.10:

• Google AdSense has changed their crawler’s User-Agent string to a string that matches a user agent blacklist entry. This would prevent the delivery of targeted ads to a page, and result in generic ads being displayed. The blacklist entry was temporarily removed pending communication with Google.
• A PHP warning would be generated if any whitelist had blank lines in it. Blank lines are now stripped out of whitelist entries.

The following changes to 2.0 have been made since version 2.0.48:

• Google AdSense has changed their crawler’s User-Agent string to a string that matches a user agent blacklist entry. This would prevent the delivery of targeted ads to a page, and result in generic ads being displayed. The blacklist entry was temporarily removed pending communication with Google.

Download

Download Bad Behavior now.

Changes

The following changes have been made since version 2.2.9:

• Code added in the previous release to support detection of malicious attacks contained an unfortunate typo causing PHP warnings to appear. This has been fixed.

Download

Download Bad Behavior now.

Changes

The following changes have been made since version 2.2.8:

• Several patterns associated with malicious activity such as SQL injection and vulnerability scanning have been identified and blocked.
• WordPress: A code change regarding display of the whitelist in the administrative page was reverted due to unforeseen issues.

Download

Download Bad Behavior now.

Notes

While reviewing the site for the recent disaster recovery, I noted that some ports of Bad Behavior had not been updated in a very long time and do not use the new 2.2 code base, and some which appear to have been abandoned. These have been noted on the list of ports as “legacy” and “abandoned” respectively. If you are a port maintainer, or you think you may want to be, please check the list for your platform.

I also noted that some current ports were released under the GPL version 2 only. Since Bad Behavior 2.2 uses the LGPL version 3 (or any later version) the license is not compatible with GPLv2 only connectors. I’ll be contacting port maintainers individually about these to attempt to resolve these issues, but if you are one and you are aware of this, please update your license to GPLv3 or later, or LGPLv2.1 or later.

Finally, thank you to all of you who provided kind words, offers of technical assistance and of course donations during this very stressful disaster recovery. If you haven’t contributed lately, or at all, please help me keep Bad Behavior going by donating today.