skankworks under attack!

Today we’re getting our first concerted attempt to brute force attack the The attack vector is an old xmlrpc bug which was closed months ago, but that needn’t deter crackers. They do not know which version of the software we have on the back-end, or they may be probing for other yet-to-be-discovered weaknesses.

The attack started early this morning and thus far we have received over 250,000 attempts from 3,719 unique IP addresses, indicating a botnet is at work. To explain what that means, there are at least 3,719 users on the Internet whose computers have been hacked and are being used to attack others. We have their IP addresses, but we have learned long ago that there is no point in trying to get the owners of these IP addresses to take remedial action.

Thus far the attempts have been, we’re happy to say, unsuccessful. We are also pleased that the high traffic being generated does not seem to be adversely affecting the website’s performance. It does in fact make for quite a good load test. It leaves us confident that our bandwidth will max out before our servers are overloaded.

We do of course have active security measures that were in place before this attack began, but consider it impertinent to say what they are. They raise some alarms on our monitoring, but initial investigations reveal that the only effect the attack is having is to pollute some logfiles. As we do not use the logs they are hitting, it isn’t a big problem: they’ll be deleted at the weekend when we bounce the servers.

The attack is an unsophisticated brute-force dictionary affair intended to guess a valid login/password. It tries a variety of common login names and simply loops through prepared lists of commonly used passwords and dictionary words. They’re up to ‘p’ at the moment. Nevertheless the botnet is effectively firing blanks at us since it is looking in the wrong place for something that doesn’t exist. It’s an annoyance, like having locusts flying into the panes of the greenhouse where you grow your stash.
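The counting described above (attempts and unique source addresses pulled from the polluted logs) and the distributed dictionary pattern this paragraph describes can be checked with a small log pass. This is an added example, not the site's own tooling: it assumes access logs in the common "combined" format and assumes the xmlrpc endpoint lives at `/xmlrpc.php`; the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not from the post).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2011:06:02:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2011:06:02:12 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2011:06:02:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2011:06:02:14 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2011:06:02:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/4.0"
192.0.2.45 - - [12/Mar/2011:06:02:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/4.0"
"""

# Fields of one combined-format line: client IP, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def summarise_xmlrpc(log_text, endpoint="/xmlrpc.php"):
    """Return (total_attempts, Counter of attempts per source IP) for POSTs to the endpoint.

    The endpoint path is an assumption; adjust it to wherever the xmlrpc handler lives."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        if m["method"] == "POST" and m["path"].split("?")[0] == endpoint:
            per_ip[m["ip"]] += 1
    return sum(per_ip.values()), per_ip

def classify(total, per_ip, min_total=3, min_ips=2):
    """Label the traffic shape. A botnet shows up as many sources each sending a
    small share of the attempts; a single-source attacker dominates the count."""
    if total < min_total:
        return "quiet"
    top_share = per_ip.most_common(1)[0][1] / total
    if len(per_ip) >= min_ips and top_share < 0.5:
        return "distributed brute force"
    return "single-source brute force"

if __name__ == "__main__":
    total, per_ip = summarise_xmlrpc(SAMPLE_LOG)
    print(f"{total} attempts from {len(per_ip)} unique IPs: {classify(total, per_ip)}")
```

Run it against a real log with `summarise_xmlrpc(open(path).read())`; the thresholds are deliberately low so the tiny sample triggers, and would be raised for production traffic.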

Meanwhile, it’s business as usual:

