Are zombie bots getting smarter?

This morning I woke to the usual bunch of emails: the latest results from the NHL, some voucher deals and a notification that someone had tried to log into this website. Only this morning there was something different. They’d actually found my username.

Anyone who has been to a WPScotland meetup will know that I like to harp on about security and the dangers so-called “zombie bots” pose if you still have the default admin username on your site. Before WordPress version 3 you didn’t have any choice in this: you’d have to change the admin username in the database, which is beyond the capabilities of most day-to-day users out there.

The bots would scour the internet looking for WordPress sites and then brute-force the login page. Because a very large percentage of users would never change the admin username, this massively improved the chances of success, even if they were still fairly remote.

Using the rather awesome Limit Login Attempts plugin from the WordPress repository I can see that in the last month there have been 63 attempts to log into this website by this method.

This morning’s email scared the hell out of me because rather than trying the default admin, as in every other case, it was trying with my actual username.

My daily email, with a difference.


I’ve had a quick look through the logfiles and this is what I found from the IP address:

    - - [23/May/2012:08:26:41 +0100] "GET //?author=1 HTTP/1.1" 301 315 "-" "-"
    - - [23/May/2012:08:26:43 +0100] "GET /author/xxxxxx/ HTTP/1.1" 200 35578 "-" "-"
    - - [23/May/2012:08:26:43 +0100] "GET //?author=2 HTTP/1.1" 301 457 "-" "-"
    - - [23/May/2012:08:26:44 +0100] "GET /?author=2 HTTP/1.1" 404 15545 "-" "-"
    - - [23/May/2012:08:26:44 +0100] "GET /?author=2 HTTP/1.1" 404 15545 "-" "-"
    - - [23/May/2012:08:26:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3955 "-" "User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    - - [23/May/2012:08:26:46 +0100] "POST /wp-login.php HTTP/1.1" 200 3954 "-" "User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    - - [23/May/2012:08:26:47 +0100] "POST /wp-login.php HTTP/1.1" 200 4004 "-" "User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"

There’s nothing particularly complex going on here; it’s just not something I’d seen before.

The first few lines use the default (non-pretty) ?author=N permalink to find usernames: WordPress answers with a 301 redirect to the author archive, and the path of that archive contains the username (I only have one account on this site, so ?author=2 failed to resolve). The last three lines are the login attempts they managed before Limit Login Attempts blocked them.

I can’t tell if this is a zombie bot with better logic written into it or if it’s someone manually having a go at hacking the site, but it’s a worrying development all the same. If anyone sees a similar attack I’d be really interested to hear from you, especially if you’d be willing to share some info to see if we can determine if it is human or not.

Be safe people!