OEMR.org brute force attack

2016-03-13
2016-04-09
  • Tony McCormick

    Tony McCormick - 2016-03-13

    The OEMR.org website has been under attack for days now. We have tools that are stopping it, but I find it interesting that the attacker is using actual user names. I'm inclined to flush all users and set up new ones as needed.

    I have included just what has been logged in the last few minutes as an example.

    Subject: Bruteforce Attack

    Login Info:
    Time: March 12, 2016 7:58 pm

    Website Info:
    Site: http://www.oemr.org
    IP Address: 192.166.219.45

    Notification:

    Username: yehster
    Password: froggy
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457830681
    Attempt Date/Time: Sun, 13 Mar 2016 00:58:01 +0000

    Username: yehster
    Password: froggy
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457830678
    Attempt Date/Time: Sun, 13 Mar 2016 00:57:58 +0000

    Username: Sara
    Password: froggy
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457830672
    Attempt Date/Time: Sun, 13 Mar 2016 00:57:52 +0000

    Username: Sara
    Password: froggy
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457830669
    Attempt Date/Time: Sun, 13 Mar 2016 00:57:49 +0000

    Username: Shameem
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829312
    Attempt Date/Time: Sun, 13 Mar 2016 00:35:12 +0000

    Username: Shameem
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829306
    Attempt Date/Time: Sun, 13 Mar 2016 00:35:06 +0000

    Username: Jack
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829300
    Attempt Date/Time: Sun, 13 Mar 2016 00:35:00 +0000

    Username: Jack
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829297
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:57 +0000

    Username: yehster
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829296
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:56 +0000

    Username: yehster
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829291
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:51 +0000

    Username: Sara
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829289
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:49 +0000

    Username: Sara
    Password: vincent
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457829283
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:43 +0000

    Username: uzeitlers@163.com
    Password: jvy6VFCOC81p
    IP Address: 208.180.251.57
    Attempt Timestamp: 1457829246
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:06 +0000

    Username: nsrickeneven
    Password: jvy6VFCOC81p
    IP Address: 208.180.251.57
    Attempt Timestamp: 1457829244
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:04 +0000

    Username: nsrickeneven
    Password: jvy6VFCOC81p
    IP Address: 208.180.251.57
    Attempt Timestamp: 1457829240
    Attempt Date/Time: Sun, 13 Mar 2016 00:34:00 +0000

    Username: uxlaverejuce@163.com
    Password: ll4rUJno6Ysb
    IP Address: 197.211.45.3
    Attempt Timestamp: 1457828393
    Attempt Date/Time: Sun, 13 Mar 2016 00:19:53 +0000

    Username: stevalegenrege
    Password: ll4rUJno6Ysb
    IP Address: 197.211.45.3
    Attempt Timestamp: 1457828388
    Attempt Date/Time: Sun, 13 Mar 2016 00:19:48 +0000

    Username: stevalegenrege
    Password: ll4rUJno6Ysb
    IP Address: 197.211.45.3
    Attempt Timestamp: 1457828379
    Attempt Date/Time: Sun, 13 Mar 2016 00:19:39 +0000

    Username: xfendlerg@163.com
    Password: 8J0n3HPMC5KW
    IP Address: 73.137.103.187
    Attempt Timestamp: 1457828046
    Attempt Date/Time: Sun, 13 Mar 2016 00:14:06 +0000

    Username: xfendlerg@163.com
    Password: 8J0n3HPMC5KW
    IP Address: 73.137.103.187
    Attempt Timestamp: 1457828037
    Attempt Date/Time: Sun, 13 Mar 2016 00:13:57 +0000

    Username: lfancyyaroya
    Password: 8J0n3HPMC5KW
    IP Address: 73.137.103.187
    Attempt Timestamp: 1457827954
    Attempt Date/Time: Sun, 13 Mar 2016 00:12:34 +0000

    Username: lfancyyaroya
    Password: 8J0n3HPMC5KW
    IP Address: 73.137.103.187
    Attempt Timestamp: 1457827909
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:49 +0000

    Username: Shameem
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827904
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:44 +0000

    Username: Shameem
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827902
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:42 +0000

    Username: Jack
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827900
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:40 +0000

    Username: Jack
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827894
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:34 +0000

    Username: yehster
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827891
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:31 +0000

    Username: yehster
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827888
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:28 +0000

    Username: Sara
    Password: jordyn
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827886
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:26 +0000

    Username: Sara
    Password:
    IP Address: 192.166.219.45
    Attempt Timestamp: 1457827884
    Attempt Date/Time: Sun, 13 Mar 2016 00:11:24 +0000
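    The notification entries above are regular enough to parse, and the pattern the post calls out (real usernames, the same password tried against several accounts, pairs of attempts a few seconds apart) is exactly what a defender would want to pick out automatically rather than by reading the mail. The Python below is an added example, not part of this thread or of the tooling OEMR.org runs: it parses a constructed subset of the entries quoted above, groups attempts by source IP, and tags each source as password spraying (one password against several accounts) or a burst (several attempts inside one short window). The field names, thresholds and tag names are assumptions chosen for the illustration; passwords are counted but never written back out.

```python
from collections import defaultdict

# Constructed sample: five of the notification entries quoted in the post above,
# in the same "Key: value" block format (one blank line between attempts).
SAMPLE_LOG = """\
Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830681
Attempt Date/Time: Sun, 13 Mar 2016 00:58:01 +0000

Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830678
Attempt Date/Time: Sun, 13 Mar 2016 00:57:58 +0000

Username: Sara
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830672
Attempt Date/Time: Sun, 13 Mar 2016 00:57:52 +0000

Username: Sara
Password:
IP Address: 192.166.219.45
Attempt Timestamp: 1457827884
Attempt Date/Time: Sun, 13 Mar 2016 00:11:24 +0000

Username: nsrickeneven
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829244
Attempt Date/Time: Sun, 13 Mar 2016 00:34:04 +0000
"""

def parse_entries(text):
    """Split the notification into blank-line-separated blocks and read each
    'Key: value' line. A bare 'Password:' line (as in the post) yields ''.
    Blocks missing a username, IP or numeric timestamp are skipped, not guessed."""
    attempts = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        try:
            attempts.append({"user": fields["Username"],
                             "password": fields.get("Password", ""),
                             "ip": fields["IP Address"],
                             "ts": int(fields["Attempt Timestamp"])})
        except (KeyError, ValueError):
            continue
    return attempts

def max_burst(timestamps, window=60):
    """Largest number of attempts inside any `window`-second span (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize_by_ip(attempts, window=60):
    """Per-source summary. Passwords are only counted, never echoed into the report."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
    report = {}
    for ip, rows in by_ip.items():
        users_per_password = defaultdict(set)
        for a in rows:
            users_per_password[a["password"]].add(a["user"])
        report[ip] = {
            "attempts": len(rows),
            "distinct_users": len({a["user"] for a in rows}),
            # one password tried against several accounts = password spraying
            "sprayed_passwords": sum(1 for u in users_per_password.values() if len(u) >= 2),
            "max_burst": max_burst([a["ts"] for a in rows], window),
            "empty_password_attempts": sum(1 for a in rows if a["password"] == ""),
        }
    return report

def classify(stats, burst_threshold=3):
    """Tags a defender can alert or block on; the threshold is illustrative."""
    tags = []
    if stats["sprayed_passwords"]:
        tags.append("password-spray")
    if stats["max_burst"] >= burst_threshold:
        tags.append("burst")
    return tags or ["low-volume"]

if __name__ == "__main__":
    for ip, stats in summarize_by_ip(parse_entries(SAMPLE_LOG)).items():
        print(ip, classify(stats), stats)
```

    On the sample, 192.166.219.45 comes out tagged both password-spray (froggy tried against yehster and Sara) and burst (three attempts within nine seconds), while the single attempt from 208.180.251.57 stays low-volume; feeding the tagged IPs to a blocklist or a Fail2Ban-style jail is the natural next step, and the empty-password count shows the parser tolerates the blank entry at the end of the quoted log.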

     
  • Tony McCormick

    Tony McCormick - 2016-03-13

    WordPress sites are prime targets, which is one reason I will not recommend using the WordPress-based CMS portal to my customers.

     
  • Art Eaton

    Art Eaton - 2016-03-14

    I am not a big fan of big-box content management packages at all.

     
  • Tony McCormick

    Tony McCormick - 2016-03-18

    I run CloudFlare, Fail2Ban and Sucuri in front of all the websites I host, so we are as safe as can be made possible. As to the OEMR attack, I basically turned the screws very tight right after that post and blacklisted the IP, which seemed to have shut it down.

    I do still think cleaning the users out and starting with users that actually want to work on the site would be a good thing ...

    Art: big box is the easiest for finding people that can use the site; do something obscure and only us geeks can help, and we are busy already ...

     
  • Robert Down

    Robert Down - 2016-03-18

    It is unsettling they were using actual usernames: I like the idea of flushing and resetting. This is a prime opportunity to acknowledge that passwords should be rotated at minimum annually.

    I agree that WP sites are prime targets, but I also agree that a CMS is the easiest thing for people to work on who are not technically inclined.

     
  • Tony McCormick

    Tony McCormick - 2016-03-18

    I would note that, perhaps, CMS is too easily confused with Center for Medicare Services ... which is decidedly NOT easy to work with :-)

     
    • Robert Down

      Robert Down - 2016-03-23

      A duly noted, note!

       
  • Art Eaton

    Art Eaton - 2016-04-09

    Hm... I find that using custom software is the best solution for dealing with all three CMS flavors (the third one being Classified Materials System).

     