I'm not dumb enough to use these passwords - Patti

Subject:I'm not dumb enough to use these passwords
Time:11:23 pm
As you may or may not know, there's currently a large botnet attack on WordPress sites. I have one self-hosted WordPress site, PattiB Photography. It may not look like a blog, but it uses WordPress.

I decided to start logging failed password attempts on that site, just to see what the hackers are up to. I'm only getting hit to the tune of 30-40 attempts per hour, which isn't all that bad. Here are the passwords that have been tried for my admin account:

0
0000
1
111111
121212
123
123123
123123123
123321
1234
12345
123456
1234567
12345678
123456789
1234567890
123qwe
12qwaszx
1qazxsw2
@dm1n
@dmin
654321
a123456789
abc123
adm
admin
Admin
ADMIN
admin1
Admin1
admin111
admin12
admin123
admin!
admin!@#
admin@123
adminadmin
administrator
adminn
adminpass
adminpassword
anubis
babyphat1
ballin1
baseball
bitch2
blog
blog123
blogpass
cameron
charlie
cheapproductshop
cheese
chicken
chocolate
computer
corvette
czarina
daniel
diamond
dragon
ferrari
freaks
freedom
fuckyou
gamecube
gandalf
gggggg
ghetto1
ginuwine
google
greece
husband
iloveyou
jackson
jennifer
jessica
jesus
killer
letmein
master
matthew
maverick
michael
michelle
monkey
motorevue
motoverte
neng
neon
neptune
nermal
nero
nestle
nettie
netscape
nickcarter
nicole
niggas
P@55w0rd
p@ssw0rd
P@ssw0rd
P@ssword
p@ttibphoto
p@ttibphoto.com
pa$$word
pass
pass1234
passw0rd
passwd
password
Password
password1
password!
patrick
pattibphoto
pattibphoto1
pattibphoto111
pattibphoto12
pattibphoto123
pattibphoto!
pattibphoto!@#
pattibphoto.com
pattibphoto.com1
pattibphoto.com111
pattibphoto.com12
pattibphoto.com123
pattibphoto.com!
pattibphoto.com!@#
pattibphoto.com@123
pattibphoto.compass
pattibphoto@123
pattibphotopass
phoenix
power
princess
q1w2e3
q2global123
qazwsx
qwe123
qweasd
qweasdzxc
qweqwe
qwerty
rainbows
rainer
raining
rainman
rainyday
raistlin
root
sapito
shadow
soccer
soleil
sonysony
sooner
sooners
sooners1
sophie1
soprano
sunshine
superman
system
test
tomcat
trustno1
vasquez
voyager1
voyeur
vsegda
vulcan
vulva
vvvv
welcome
whatever
william
wordpress
Wordpress
wpadmin
www.p@ttibphoto.com
www.pattibphoto.com
www.pattibphoto.com1
www.pattibphoto.com111
www.pattibphoto.com12
www.pattibphoto.com123
www.pattibphoto.com!
www.pattibphoto.com!@#
www.pattibphoto.com@123
www.pattibphoto.compass
yahoo



frankbrabec
Subject:My password is not on that list
Time:2013-04-13 07:29 am (UTC)
Did I just give away too much info?


adbjupe
Time:2013-04-13 11:18 am (UTC)
Yep,
I am seeing similar things, although I am not logging the passwords themselves. It's twice the fun looking at it if your admin account isn't named 'admin'. There hasn't been a single attempt on the real admin account, even though a human wouldn't have too much trouble finding out what the account is.

My provider actually had wp-login's disabled for a while.


dd_b
Time:2013-04-13 05:55 pm (UTC)
Hmmm; my access log for today is twice as big as yesterday's, but I can't actually find anything that seems to be a failed blog login in it.

Okay, played around some, and the passwords are NOT flowing through my log file, and there's nothing really obvious indicating a login failure (I deliberately logged in with the wrong password myself, and neither the account nor the password I used appears in the log file).

If I could, I think I would have selected digest authentication, but I'm not actually finding that for the blog portion of my site.

Can I ask what exactly you see in your logs from one of these bot login attempts?


whipartist
Time:2013-04-13 07:12 pm (UTC)
This is what the access log looks like:

94.242.237.111 - - [13/Apr/2013:15:01:16 -0400] "GET /wp-login.php HTTP/1.1" 200 2075
94.242.237.111 - - [13/Apr/2013:15:01:17 -0400] "POST /wp-login.php HTTP/1.1" 200 2285

I jumped through some apache configuration hoops to log the postdata.

Edited at 2013-04-13 07:13 pm (UTC)
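The two lines quoted above are Apache's common log format, and the per-hour counting the post describes is just a matter of grouping such lines by source address. The following is an added example, not code from the post or from any commenter: a small Python parser for that format, run over constructed sample lines (documentation-range addresses 203.0.113.5 and 198.51.100.7, not the address quoted above) that counts POSTs to /wp-login.php per address per hour and flags addresses over a threshold. It assumes, as the quoted POST line suggests, that a failed WordPress login re-renders the form with status 200 while a successful one redirects with 302, and the threshold of 10 per hour is an arbitrary choice for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def failed_login_posts_per_hour(lines, path="/wp-login.php"):
    """Count POSTs to the login page that came back 200 (form re-rendered, i.e.
    the login did not succeed; a successful login redirects with 302), keyed
    by (source address, hour). Assumption: 200 on POST means a failed attempt."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unexpected line; skip rather than crash
        if rec["method"] == "POST" and rec["path"] == path and rec["status"] == 200:
            hour = rec["ts"].strftime("%Y-%m-%dT%H")
            counts[(rec["ip"], hour)] += 1
    return dict(counts)


def flag_bruteforce(lines, threshold=10):
    """Return the sorted list of addresses with at least `threshold` failed
    login POSTs in any single hour. The threshold is an assumed value."""
    hits = failed_login_posts_per_hour(lines)
    return sorted({ip for (ip, _hour), n in hits.items() if n >= threshold})


def _line(ip, ts, method, path, status, size):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'


# Constructed sample log: one address fetching the login form and then posting
# to it twelve times in under a minute, and a second address logging in once
# successfully (302) and then loading wp-admin.
SAMPLE_LOG = [_line("203.0.113.5", "13/Apr/2013:15:01:16 -0400", "GET", "/wp-login.php", 200, 2075)]
SAMPLE_LOG += [
    _line("203.0.113.5", f"13/Apr/2013:15:01:{17 + i:02d} -0400", "POST", "/wp-login.php", 200, 2285)
    for i in range(12)
]
SAMPLE_LOG.append(_line("198.51.100.7", "13/Apr/2013:15:05:02 -0400", "POST", "/wp-login.php", 302, 0))
SAMPLE_LOG.append(_line("198.51.100.7", "13/Apr/2013:15:05:03 -0400", "GET", "/wp-admin/", 200, 8120))

if __name__ == "__main__":
    for (ip, hour), n in sorted(failed_login_posts_per_hour(SAMPLE_LOG).items()):
        print(f"{ip} {hour}: {n} failed login POSTs")
    print("flagged:", flag_bruteforce(SAMPLE_LOG))
```

Run against a real access log with `failed_login_posts_per_hour(open("access.log"))`; the rate the post reports (30 to 40 attempts per hour) would show up as a single key with that count, and a legitimate user who mistypes once or twice stays well under the threshold.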


dd_b
Time:2013-04-14 02:15 am (UTC)
Thanks. Okay, I was reading it right then. Maybe I'll take a whack at the more data, but at the moment I'm configuring backup schemes for various hosting locations for work.


adbjupe
Time:2013-04-13 10:25 pm (UTC)
I am using the wordfence plugin for wordpress. It shows failed attempts, compares your wordpress install and plugins against a repository, and checks non-repository software for changes.


andrewhime
Time:2013-04-16 03:25 am (UTC)
I feel much better about not checking up on my multiple Wordpress installs.

Also, I'm mildly surprised you didn't use "vulva".

Edited at 2013-04-16 03:27 am (UTC)


whipartist
Time:2013-04-16 03:33 am (UTC)
Phbhbhttt. I've been a *nix sysadmin for nearly three decades... good password hygiene comes first.

It's entirely possible that a variation on the word vulva appears somewhere in the fairly long password that I use. Does that make you feel better?