OEMR.org brute force attack

tmccormi wrote on Sunday, March 13, 2016:

The OEMR.org website has been under attack for days now. We have tools that are stopping it, but I find it interesting that the attacker is using actual user names. I’m inclined to flush all users and set up new ones as needed.

I have included just what has been logged in the last few minutes as an example…

Subject: Bruteforce Attack

Login Info:
Time: March 12, 2016 7:58 pm

Website Info:
Site: http://www.oemr.org
IP Address: 192.166.219.45

Notification:

Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830681
Attempt Date/Time: Sun, 13 Mar 2016 00:58:01 +0000

Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830678
Attempt Date/Time: Sun, 13 Mar 2016 00:57:58 +0000

Username: Sara
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830672
Attempt Date/Time: Sun, 13 Mar 2016 00:57:52 +0000

Username: Sara
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830669
Attempt Date/Time: Sun, 13 Mar 2016 00:57:49 +0000

Username: Shameem
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829312
Attempt Date/Time: Sun, 13 Mar 2016 00:35:12 +0000

Username: Shameem
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829306
Attempt Date/Time: Sun, 13 Mar 2016 00:35:06 +0000

Username: Jack
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829300
Attempt Date/Time: Sun, 13 Mar 2016 00:35:00 +0000

Username: Jack
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829297
Attempt Date/Time: Sun, 13 Mar 2016 00:34:57 +0000

Username: yehster
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829296
Attempt Date/Time: Sun, 13 Mar 2016 00:34:56 +0000

Username: yehster
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829291
Attempt Date/Time: Sun, 13 Mar 2016 00:34:51 +0000

Username: Sara
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829289
Attempt Date/Time: Sun, 13 Mar 2016 00:34:49 +0000

Username: Sara
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829283
Attempt Date/Time: Sun, 13 Mar 2016 00:34:43 +0000

Username: uzeitlers@163.com
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829246
Attempt Date/Time: Sun, 13 Mar 2016 00:34:06 +0000

Username: nsrickeneven
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829244
Attempt Date/Time: Sun, 13 Mar 2016 00:34:04 +0000

Username: nsrickeneven
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829240
Attempt Date/Time: Sun, 13 Mar 2016 00:34:00 +0000

Username: uxlaverejuce@163.com
Password: ll4rUJno6Ysb
IP Address: 197.211.45.3
Attempt Timestamp: 1457828393
Attempt Date/Time: Sun, 13 Mar 2016 00:19:53 +0000

Username: stevalegenrege
Password: ll4rUJno6Ysb
IP Address: 197.211.45.3
Attempt Timestamp: 1457828388
Attempt Date/Time: Sun, 13 Mar 2016 00:19:48 +0000

Username: stevalegenrege
Password: ll4rUJno6Ysb
IP Address: 197.211.45.3
Attempt Timestamp: 1457828379
Attempt Date/Time: Sun, 13 Mar 2016 00:19:39 +0000

Username: xfendlerg@163.com
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457828046
Attempt Date/Time: Sun, 13 Mar 2016 00:14:06 +0000

Username: xfendlerg@163.com
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457828037
Attempt Date/Time: Sun, 13 Mar 2016 00:13:57 +0000

Username: lfancyyaroya
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457827954
Attempt Date/Time: Sun, 13 Mar 2016 00:12:34 +0000

Username: lfancyyaroya
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457827909
Attempt Date/Time: Sun, 13 Mar 2016 00:11:49 +0000

Username: Shameem
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827904
Attempt Date/Time: Sun, 13 Mar 2016 00:11:44 +0000

Username: Shameem
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827902
Attempt Date/Time: Sun, 13 Mar 2016 00:11:42 +0000

Username: Jack
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827900
Attempt Date/Time: Sun, 13 Mar 2016 00:11:40 +0000

Username: Jack
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827894
Attempt Date/Time: Sun, 13 Mar 2016 00:11:34 +0000

Username: yehster
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827891
Attempt Date/Time: Sun, 13 Mar 2016 00:11:31 +0000

Username: yehster
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827888
Attempt Date/Time: Sun, 13 Mar 2016 00:11:28 +0000

Username: Sara
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827886
Attempt Date/Time: Sun, 13 Mar 2016 00:11:26 +0000

Username: Sara
Password:
IP Address: 192.166.219.45
Attempt Timestamp: 1457827884
Attempt Date/Time: Sun, 13 Mar 2016 00:11:24 +0000
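A small detector for the notification format quoted above, added here as an example (it is not part of the original post or of the plugin that produced the log). The records are constructed from a few values in the thread, and the `maxretry`/`findtime` thresholds are assumed to mimic Fail2Ban's defaults rather than taken from any real configuration.

```python
import re
from collections import defaultdict

# Constructed sample in the same "Key: value" record format as the notification
# above (three records reuse one password from one IP, one is an unrelated IP).
RAW = [("yehster", "froggy", "192.166.219.45", 1457830681),
       ("Sara", "froggy", "192.166.219.45", 1457830672),
       ("Jack", "froggy", "192.166.219.45", 1457830665),
       ("uzeitlers@163.com", "jvy6VFCOC81p", "208.180.251.57", 1457829246)]
SAMPLE = "\n\n".join("Username: %s\nPassword: %s\nIP Address: %s\nAttempt Timestamp: %d" % r for r in RAW)

def parse_attempts(text):
    """Split the notification into blank-line-separated records of 'Key: value' lines."""
    attempts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Username" in fields and "IP Address" in fields:
            attempts.append({"user": fields["Username"], "ip": fields["IP Address"],
                             "password": fields.get("Password", ""),  # 'Password:' may be blank
                             "ts": int(fields.get("Attempt Timestamp", 0))})
    return attempts

def spray_report(attempts, min_users=3):
    """Password spraying: one (IP, password) pair tried against several distinct usernames."""
    users = defaultdict(set)
    for a in attempts:
        users[(a["ip"], a["password"])].add(a["user"])
    return {k: sorted(v) for k, v in users.items() if len(v) >= min_users}

def lockout_candidates(attempts, maxretry=3, findtime=600):
    """Fail2Ban-style rule: IPs with >= maxretry failures inside any findtime-second window."""
    stamps = defaultdict(list)
    for a in attempts:
        stamps[a["ip"]].append(a["ts"])
    banned = []
    for ip, ts in stamps.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > findtime:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)
```

Run against the full notification, `spray_report` separates the single-IP, one-password-across-real-usernames pattern from the other IPs that try a random password against a random name, which is the distinction the thread draws.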

tmccormi wrote on Sunday, March 13, 2016:

WordPress sites are prime targets, which is one reason I will not recommend using the WordPress-based CMS portal to my customers.

sunsetsystems wrote on Sunday, March 13, 2016:

What’s disturbing is they have real login names. Perhaps this would apply?

http://www.tech-evangelist.com/2013/02/19/simple-wordpress-hack-reveals-admin-login-name/

I just tried that but got “Forbidden” so perhaps you already did something about it?

Also see:

http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Brute_Force_Attacks

Rod

aethelwulffe wrote on Monday, March 14, 2016:

I am not a big fan of big-box content management packages at all.

tmccormi wrote on Friday, March 18, 2016:

I run CloudFlare, Fail2Ban and Sucuri in front of all the websites I host. So we are as safe as can be made possible. As to the OEMR attack, I basically turned the screws very tight right after that post and blacklisted the IP, which seems to have shut it down.

I do still think cleaning the users out and starting with users that actually want to work on the site would be a good thing …

Art: big box is the easiest for finding people who can use the site; do something obscure and only us geeks can help, and we are busy already …

robertdown wrote on Friday, March 18, 2016:

It is unsettling they were using actual usernames: I like the idea of flushing and resetting. This is a prime opportunity to acknowledge that passwords should be rotated at minimum annually.

I agree that WP sites are prime targets, but I also agree that a CMS is the easiest thing for people to work on who are not technically inclined.

tmccormi wrote on Friday, March 18, 2016:

I would note that, perhaps, CMS is too easily confused with Center for Medicare Services … which is decidedly NOT easy to work with :slight_smile:

robertdown wrote on Wednesday, March 23, 2016:

A duly noted, note!

aethelwulffe wrote on Saturday, April 09, 2016:

Hm… I find that using custom software is the best solution for dealing with all three CMS flavors (third one being Classified Materials System)