nginx-ultimate-bad-bot-blocker

[User-Agent] Add botnet user-agent (brute force attacks)

Open CyberCr33p opened this issue 3 years ago • 3 comments

Paste the full User-Agent String here


Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Is this for Addition / Removal?

  • [x] Addition
  • [ ] Removal
  • [ ] Keep a watch on this one

Did the User-Agent request robots.txt first?

  • [ ] Yes
  • [X] No

Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)


34.201.72.208 - - [27/Mar/2022:20:30:17 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" (8.929)
13.126.52.120 - - [27/Mar/2022:20:37:37 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" (7.875)
80.74.147.43 - - [27/Mar/2022:21:07:03 +0300] "POST /wp-login.php HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" (10.093)
85.214.225.219 - - [27/Mar/2022:21:14:19 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" (2.877)
52.57.79.245 - - [27/Mar/2022:21:28:27 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" (9.260)
69.163.186.158 - - [27/Mar/2022:21:35:16 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" (0.267)
188.166.225.235 - - [27/Mar/2022:21:55:42 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" (1.655)
31.172.80.144 - - [27/Mar/2022:22:09:55 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" (1.162)
20.64.155.18 - - [27/Mar/2022:22:16:47 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" (0.317)
18.192.115.42 - - [27/Mar/2022:22:23:53 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" (0.202)

Additional information

https://blog.paranoidpenguin.net/2019/03/a-digital-ocean-of-bots/

CyberCr33p, Mar 27 '22 19:03

No, this user agent is used only by bots. I grepped the access logs (many thousands of websites) on all my servers for several days and it is not used by normal browsers.

CyberCr33p, Apr 28 '22 07:04
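
The kind of log check mentioned in the comment above (does a user agent ever appear outside login POSTs, and from how many addresses), as an added example that is not part of the original thread or the project's code. The regex follows the log layout of the excerpt in the issue; the sample lines, `NORMAL_UA`, the function names and the `min_ips` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Layout of the excerpt in the issue: combined log format followed by a
# trailing "(seconds)" request-time field, which this check does not need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# User agent reported in the issue.
REPORTED_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36")
# Constructed contrast value standing in for an ordinary visitor.
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"

def _line(ip, req, status, ua):
    # Builds one constructed log line in the same layout as the excerpt.
    return f'{ip} - - [27/Mar/2022:20:30:17 +0300] "{req}" {status} 2335 "-" "{ua}" (0.202)'

# Constructed sample (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    _line("192.0.2.10", "POST /wp-login.php HTTP/1.1", 200, REPORTED_UA),
    _line("198.51.100.7", "POST /wp-login.php HTTP/1.1", 200, REPORTED_UA),
    _line("203.0.113.5", "POST /wp-login.php HTTP/1.1", 499, REPORTED_UA),
    _line("203.0.113.80", "GET /wp-login.php HTTP/1.1", 200, NORMAL_UA),
    _line("203.0.113.80", "GET /wp-includes/css/buttons.min.css HTTP/1.1", 200, NORMAL_UA),
    _line("203.0.113.80", "POST /wp-login.php HTTP/1.1", 302, NORMAL_UA),
]

def profile_user_agents(lines):
    """Per user agent: login POST count, other request count, distinct client IPs."""
    stats = defaultdict(lambda: {"login_posts": 0, "other": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        entry = stats[m["ua"]]
        entry["ips"].add(m["ip"])
        is_login = m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php"
        entry["login_posts" if is_login else "other"] += 1
    return dict(stats)

def login_only_agents(lines, min_ips=2):
    """User agents seen only on POST /wp-login.php, from at least min_ips addresses."""
    return sorted(ua for ua, s in profile_user_agents(lines).items()
                  if s["other"] == 0 and s["login_posts"] > 0 and len(s["ips"]) >= min_ips)
```

Because the User-Agent header is chosen by the client, a match is a reason to review the string for a blocklist, not proof on its own.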

You can set a captcha in the WordPress login form; this is a brute force attack on the login.

zakirkun, Jun 27 '22 07:06