New malware using curl to guess WordPress credentials


It appears we have a new script kiddie on the loose.

On 6/16 I saw 35 “POST /wp-login.php” attacks to guess WordPress account credentials with a user agent of “curl/…”. I saw another 37 attacks on 6/17. I saw no such attacks going back to the start of the year (when I started tracking such things). After the attacks on those two days I didn’t see another one until today. In the past hour I’ve seen 14 such attacks. The only requests from the attacking addresses are the POST requests.

All of the attacks have been from servers owned by cloud, VPS, or web hosting providers. So I’m confident these requests really do represent the use of the curl command and are not artifacts of malware randomly selecting a user agent. Also, the requests are missing the expected “Referer” and “Cookie” headers that would be present if the requests were legitimate, which is why they came to my attention. Here are the Apache rewrite rules I use to flag these types of attacks:

# Block bogus login POST attempts. Most bots are stupid. They don't use a
# modern HTTP version, don't include the Referer header, or don't include the
# WP test cookie that would be included in a legitimate request.
#
# This is primarily so that the logs show a 400 rather than a 200 status
# (which is reported even for invalid credentials), allowing us to cheaply
# reject the request. It also makes it easier for our log monitoring
# program to notice the bogus attempt and blackhole the source.
#
# The first two conditions are AND-ed with the group of three OR-ed
# conditions that follow them. The END flag requires Apache 2.4 or later.
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} =/wp-login.php [NC]
RewriteCond %{HTTP_REFERER} !^https?:// [NC,OR]
RewriteCond %{HTTP_COOKIE} !wordpress_test_cookie=WP\+Cookie\+check [NC,OR]
RewriteCond %{THE_REQUEST} \sHTTP/(?:0\.9|1\.0)$ [NC]
RewriteRule ^ /blocked.php [END,E=error-notes:invalid-wp-login-post]
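As an added example (not code from the original post), the same three checks expressed in Python so they can be run offline over raw request heads, for instance ones pulled from a packet capture or a test harness. The sample requests are constructed for the example; the host name, user-agent strings and credentials in them are made up. The function reports the first failing condition, which the Apache rule does not do; it simply rewrites.

```python
import re
from typing import Dict, Optional, Tuple

# Value of the WordPress test cookie, URL-encoded the way PHP's setcookie()
# emits "WP Cookie check" (spaces become '+'), exactly as in the rewrite rule.
WP_TEST_COOKIE = re.compile(r"wordpress_test_cookie=WP\+Cookie\+check", re.I)
ABSOLUTE_REFERER = re.compile(r"^https?://", re.I)
OLD_HTTP_VERSION = re.compile(r"^HTTP/(?:0\.9|1\.0)$", re.I)


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, path, version, headers).

    The query string is dropped from the path to match Apache's REQUEST_URI,
    and header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def bogus_login_reason(raw: str) -> Optional[str]:
    """Return why the rewrite rule would flag this request, or None.

    Mirrors the rule: POST AND /wp-login.php AND (no absolute Referer
    OR no WP test cookie OR HTTP/0.9|1.0).
    """
    method, path, version, headers = parse_request(raw)
    # The two AND-ed conditions: anything that is not a login POST is ignored.
    if method.upper() != "POST" or path.lower() != "/wp-login.php":
        return None
    # The three OR-ed conditions; any one of them is enough to block.
    if not ABSOLUTE_REFERER.match(headers.get("referer", "")):
        return "missing-referer"
    if not WP_TEST_COOKIE.search(headers.get("cookie", "")):
        return "missing-wp-test-cookie"
    if OLD_HTTP_VERSION.match(version):
        return "old-http-version"
    return None


def classify(samples: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run every sample through the check; returns name -> reason (or None)."""
    return {name: bogus_login_reason(raw) for name, raw in samples.items()}


# Constructed sample requests for the example; not captured traffic.
CURL_POST = (
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "log=admin&pwd=Password1&wp-submit=Log+In"
)
BROWSER_POST = (
    "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://example.com/wp-login.php\r\n"
    "Cookie: wordpress_test_cookie=WP+Cookie+check\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "log=admin&pwd=correct-horse&wp-submit=Log+In"
)
NO_COOKIE_POST = CURL_POST.replace(
    "Host: example.com\r\n",
    "Host: example.com\r\nReferer: https://example.com/wp-login.php\r\n",
)
HTTP10_POST = BROWSER_POST.replace("HTTP/1.1", "HTTP/1.0")
# A bot that first fetched the login form and replays the cookie and a
# plausible Referer looks legitimate to these checks despite the curl UA.
SPOOFED_POST = BROWSER_POST.replace("Mozilla/5.0", "curl/8.4.0")
GET_LOGIN = "GET /wp-login.php HTTP/1.1\r\nHost: example.com\r\n\r\n"

SAMPLES = {
    "curl": CURL_POST,
    "browser": BROWSER_POST,
    "no-cookie": NO_COOKIE_POST,
    "http10": HTTP10_POST,
    "spoofed": SPOOFED_POST,
    "get": GET_LOGIN,
}

if __name__ == "__main__":
    for name, reason in classify(SAMPLES).items():
        print(f"{name:10s} -> {reason or 'allowed'}")
```

The "spoofed" sample is the caveat: the rules only test that a Referer is present and absolute and that the test cookie is present, so a client that fetches wp-login.php once, keeps the cookie and sends any https:// Referer passes them. That is the trade-off the comment in the rules makes explicit: a cheap rejection of the lazy bots, not a defence against a deliberate one, which still needs rate limiting or blackholing on repeated failures.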

P.S. Yes, the number of attacks is quite tiny. But that’s not surprising given that my blog sees on average approximately 50 legitimate requests each day.