djbaxter
The NoneNone Brute Force Attacks: Even Hackers Need QA
by Ram Gall, Wordfence.com
Dec 17, 2020

For the last few weeks we’ve seen and blocked an increase in brute-force, credential stuffing, and dictionary attacks targeting the WordPress xmlrpc.php endpoint, on some days exceeding 150 million attacks against 1.9 million sites in a 24-hour period. These attacks attempt to guess the password of an authorized user on a site, and some of our users have noticed an odd phenomenon: brute force attacks with the username and password set to “None” or “NoneNone”. Since these requests are targeted against xmlrpc.php, changing the admin URL won’t prevent attackers from sending these requests.

What’s going on?

Because these attacks are attempting to log in with unusual credentials, we’ve had curious site owners reach out to ask what might be happening. We’ve determined that the attackers are generating lists of domains to attack, complete with credentials to attempt, and that there is likely a flaw in the code of this target generation program.
In addition to reviewing our own attack data, we were able to find logs and domain lists that appear to have been used by the scripts performing these attacks.
[image: nonenonelog.png]

These domain lists appear to have been generated programmatically and include a target to attack, a username to attempt, and a password to attempt. In the domain lists we found, “NoneNone” was frequently used as a username in cases where a real username was unknown to the attacker. In some lists, this was paired with a nonsense password such as “qwe123”, while in others the password would also be set to “NoneNone”.
[image: domainlist.png]

It’s likely that the script used to generate these domain lists is written in Python, a language that has a “None” type equivalent to “Null” in other languages, and which is printed out as “None” when cast to a string. As such, a script generating domain lists to attack could have set the username and password variables to default values of None (or concatenated multiple default values, resulting in “NoneNone”) when provided with incomplete information.
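The “None”/“NoneNone” text is a usable indicator on the defender’s side. The following is an added example (not Wordfence code): it parses XML-RPC request bodies aimed at xmlrpc.php, labels attempts whose credentials carry the Python null artifact, and tallies attempts per source IP as block candidates. The sample requests and IPs are constructed; the samples assume the wp.getUsersBlogs method with a username and a password parameter.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Text a Python script emits when a missing credential (None) is stringified,
# alone or concatenated with a second missing value.
NULL_ARTIFACTS = {"None", "NoneNone"}

def string_params(body: str) -> list[str]:
    """Return every <string> parameter of an XML-RPC methodCall body."""
    root = ET.fromstring(body)
    return [s.text or "" for s in root.iter("string")]

def classify_attempt(body: str) -> str:
    """'null-artifact' if any credential is the Python None text,
    'guess' for any other call carrying string params, else 'other'."""
    params = string_params(body)
    if not params:
        return "other"
    if any(p in NULL_ARTIFACTS for p in params):
        return "null-artifact"
    return "guess"

def triage(requests: list[tuple[str, str]], threshold: int = 3) -> dict:
    """requests: (source_ip, xml body). Returns label counts and the IPs
    whose attempt count reaches the threshold (candidates for blocking)."""
    labels, per_ip = Counter(), Counter()
    for ip, body in requests:
        labels[classify_attempt(body)] += 1
        per_ip[ip] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"labels": dict(labels), "block_candidates": noisy}

def login_call(user: str, password: str) -> str:
    """Build a constructed wp.getUsersBlogs body for the sample data."""
    return ("<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs"
            "</methodName><params>"
            f"<param><value><string>{user}</string></value></param>"
            f"<param><value><string>{password}</string></value></param>"
            "</params></methodCall>")

# Constructed sample: one host repeating the NoneNone artifact, another
# trying a plausible breached pair plus a harmless system.listMethods call.
SAMPLE = [
    ("203.0.113.5", login_call("NoneNone", "NoneNone")),
    ("203.0.113.5", login_call("NoneNone", "qwe123")),
    ("203.0.113.5", login_call("None", "None")),
    ("198.51.100.9", login_call("admin", "Summer2020!")),
    ("198.51.100.9", "<methodCall><methodName>system.listMethods"
                     "</methodName><params/></methodCall>"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```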

What should I do?

If you’re using Wordfence, our built-in brute force protection will protect your site against XML-RPC attacks. This is important because some of these attacks will be trying real usernames and passwords from credential breaches rather than invalid values. Additionally, sites running Wordfence Premium will automatically block any requests from IP addresses that have been attacking other sites in our network thanks to our real-time IP blocklist.
For an extra layer of protection, both free and premium users can disable attempts to authenticate via xmlrpc.php requests entirely by going to Wordfence->Login Security->Settings and clicking Disable XML-RPC authentication.
[image: disablexmlrpc-1024x210.png]

Please note that this can prevent certain plugins that rely on xmlrpc.php, such as Jetpack, from functioning properly.

Conclusion

Although we’ve seen a very large number of these attacks, the vast majority of them are unlikely to threaten sites unless the site administrator is using credentials that have been compromised. Nonetheless, this goes to show that scripts used for hacking can have bugs and unexpected behavior just like any other software.
Sites running the free version of Wordfence are protected by our built-in brute force protection, and sites running Wordfence Premium are additionally protected by the real-time IP blocklist. Both free and premium Wordfence users can disable XML-RPC authentication for full protection against attacks against this endpoint.
