It’s late February / early March 2023 and we’ve been tracking a big surge in brute force login attempts across the networks we work with.
Usually this sort of attack comes from server-based IP addresses in the USA, Russia and China… data-centre IP addresses. This week’s attack is interesting because the IP addresses don’t usually have a reverse-lookup… they look like domestic IP addresses and they’re coming from Kenya, Kuwait, Colombia, Brazil, Sudan and lots more (not the usual big data centres). It’s likely that some sort of router or mobile device OS/App has been compromised and the attacks are coming from those devices.
Rather than the attack being spread wide an thin across lots of sites, it seemed to focus on a small number of sites and batter “wp-login.php” and “xmlrpc.php”. Standard security practices should help, and blocking access to “xmlrpc.php” via “.htaccess” is usually a good idea too.
As of Friday 3rd March, the attacks have died right down so it’s either finished or the botnet has been completely blocked by the firewalls.