New malware guessing credentials via “POST /xmlrpc.php” attacks with odd User-agent values


One week ago I started seeing password-guessing attacks using “POST /xmlrpc.php” requests. Yes, that type of attack has been happening since WordPress was first released to the public. What makes the recent attacks unique is that they include a “User-agent” header, which is exceedingly rare for this kind of traffic. Even more interesting is that the user-agent values are all from this list:

Poster
Windows Live Writer
WordPress
wp-windowsphone
wp-iphone
wp-android

Those are the literal values. They do not include any other prefix or suffix strings. I saw the first attack from this new vector on 2015-08-28T21:50:03 UTC. Looking at my logs (which go back six months), there has never been a single request with those user-agent values prior to 2015-08-28. So I’ve added those to my list of blacklisted user-agent values.
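To find this traffic in your own logs, here is an added example (not part of the original post) that scans Apache/nginx “combined” format lines for POST /xmlrpc.php requests whose User-agent is exactly one of the bare values listed above. The log format, the sample lines and the versioned user-agent variant are constructed for illustration; the match is deliberately exact rather than prefix-based, because the post reports the attack values carry no prefix or suffix.

```python
import re

# The bare User-agent values reported in the post (no prefix, no suffix).
SUSPECT_USER_AGENTS = {
    "Poster",
    "Windows Live Writer",
    "WordPress",
    "wp-windowsphone",
    "wp-iphone",
    "wp-android",
}

# Apache/nginx "combined" format (assumed; adjust to your LogFormat):
# client ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_xmlrpc_probes(lines):
    """Return (ip, timestamp, user_agent) for each POST /xmlrpc.php whose
    User-agent equals one of the bare values; other methods, paths and
    user-agents (including versioned variants) are left alone."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") != "POST" or path != "/xmlrpc.php":
            continue
        if m.group("ua") in SUSPECT_USER_AGENTS:  # exact match only
            hits.append((m.group("ip"), m.group("ts"), m.group("ua")))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2015:21:50:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-iphone"',
    '203.0.113.5 - - [28/Aug/2015:21:50:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Windows Live Writer"',
    '198.51.100.7 - - [28/Aug/2015:21:51:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 980 "-" "wp-iphone/5.4 (constructed)"',
    '198.51.100.9 - - [28/Aug/2015:21:52:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "WordPress"',
    '192.0.2.33 - - [28/Aug/2015:21:53:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, ua in find_xmlrpc_probes(SAMPLE_LOG):
        print(f"{ts} {ip} POST /xmlrpc.php User-agent={ua!r}")
```

Only the first two sample lines are flagged: the versioned user-agent, the GET request and the wp-login.php POST all fall outside the pattern the post describes.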

All of the sources appear to be cloud/VPS/hosting providers, which tells us that this malware targets server applications for infection rather than personal-computer applications.