Threat Hunting WordPress with Bash

ismail kaleem
3 min read · Jan 10, 2023

Incident handling and response is often a tiring task when you are not equipped with the right tools. I often use ELK for tactical analysis and crunching data, but at times all you have access to is a terminal.

The plan here is to quickly identify IOCs for Threat Hunting.

Analyzing logs at /var/log/{nginx or apache}

First things first, copy the logs to your box for analysis:

scp -r root@remoteserver:/var/log/nginx /home/myuser/logs

If you want to compress the content first, you may do so as well.

We will have access.log plus several rotated logs compressed as .gz files.

Looking for Brute-Force Attacks

When it comes to WordPress, this is a common tactic, and often the weakest accounts get compromised.

# zcat ignores stdin when it is given file arguments, so group the plain and rotated logs first
{ cat *.log; zcat *.gz; } | grep -i "xmlrpc.php" | cut -d "-" -f1 >> IP.txt

Now you will have a beautiful list of IP's to hunt through; treat anything with more than 50 requests as a likely targeted attack. Often, xmlrpc is mass scanned by online scanners over the internet, which accounts for the low-count entries.

Getting the brute-force IP addresses

sort -u IP.txt | wc -l
667 (results showed up on mine)

If you need a count of requests per IP:

sort IP.txt | uniq -c | sort -n   # a higher count suggests a targeted attack

We get the total count per IP; the addresses with the highest counts are the juiciest ones that tried to brute-force.

Not all of these attackers will have been successful; maybe only a few managed to reach the admin portal. You can quickly check which ones accessed the WordPress admin, and you may additionally filter on response code 200 to see the successful attempts.

Save as brute.sh:

#!/bin/bash
# For each distinct brute-force IP, collect its other .php requests, excluding xmlrpc and wp-admin
sort -u IP.txt | while read -r ip; do
  { cat *.log; zcat *.gz; } | grep -F "$ip" | grep -i ".php" | sed -e '/xmlrpc/d' -e '/wp-admin/d' >> maliciousreqs.txt
done

./brute.sh
# note: to exclude results, use sed '/wordtomatch/d'

So what we are looking for now is IP's that have fuzzed the site while trying to brute-force the WP users and passwords. These are actually juicy IOCs: clients with a motive to wreck the website by any means necessary. There is a high chance you will find an IP that has compromised the WordPress website by following this methodology in less than 10 minutes.

Regardless of whether the attacker changed the headers of their scanning tools, this should still be able to point to the attacker.

Now, let's do a count to see who is most interested. :)

cut -d '-' -f1 maliciousreqs.txt | sort | uniq -c | sort -n
# Results may look like below; you can easily filter the ones with a high count to drill into further.
      2 113.118.184.248
      2 13.72.101.136
     47 13.82.139.145
    170 144.202.93.2

144.202.93.2 looks rather juicy with the most hits.

Now let's take a look at how many of these actually managed to reach the admin panel.

Save the code as scan.sh:

#!/bin/bash
# For each distinct brute-force IP, collect its wp-admin requests, excluding xmlrpc and wp-login
sort -u IP.txt | while read -r ip; do
  { cat *.log; zcat *.gz; } | grep -F "$ip" | grep -i ".php" | sed -e '/xmlrpc/d' -e '/wp-login/d' | grep -i "wp-admin" >> wpadminhacks.txt
done

./scan.sh
# view the results: the status code follows the request's closing quote, so this does not match a 200 elsewhere on the line
grep '" 200 ' wpadminhacks.txt

You should be able to pinpoint how many actually got access to the wp-admin dashboard.

I will quickly analyze the IP with the highest number of hits:

cut -d '-' -f1 wpadminhacks.txt | sort | uniq -c | sort -n
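As an added example (not code from the original post), here is the whole three-step hunt above (xmlrpc.php clients, their other .php fuzzing, and their wp-admin hits with HTTP 200) as shell functions run against a constructed combined-format access log. The sample includes a 302 response of 200 bytes, which shows why a bare grep for 200 misfires and matching on the status position is safer.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the post's three steps
# (xmlrpc.php clients -> other .php fuzzing by those clients -> wp-admin hits
# with HTTP 200) as functions over a combined-format access log.
# The log below is constructed sample data using RFC 5737 documentation addresses.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:10:00:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2023:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.28"
198.51.100.9 - - [10/Jan/2023:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 200 "-" "python-requests/2.28"
192.0.2.5 - - [10/Jan/2023:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# Step 1: distinct clients that hit xmlrpc.php, with request counts (busiest last).
# Field 1 of the combined log format is the client address.
xmlrpc_counts() {
  grep -i 'xmlrpc.php' "$1" | awk '{print $1}' | sort | uniq -c | sort -n
}

# Only the addresses from step 1, one per line.
xmlrpc_ips() { xmlrpc_counts "$1" | awk '{print $2}'; }

# Step 2: for each xmlrpc client, its other .php requests that are neither xmlrpc
# nor wp-admin: the "fuzzing alongside brute force" signal from the post.
# awk's $1 == ip matches the address field exactly, so 203.0.113.7 never matches 203.0.113.70.
fuzzing_reqs() {
  xmlrpc_ips "$1" | while read -r ip; do
    awk -v ip="$ip" '$1 == ip' "$1" | grep -i '\.php' | grep -v -e xmlrpc -e wp-admin || true
  done
}

# Step 3: xmlrpc clients whose wp-admin request got HTTP 200. The status code is the
# field right after the request's closing quote, so '" 200 ' does not match the
# 200-byte 302 response in the sample the way a bare grep 200 would.
admin_success_ips() {
  xmlrpc_ips "$1" | while read -r ip; do
    awk -v ip="$ip" '$1 == ip' "$1" | grep -i 'wp-admin' | grep '" 200 ' | awk '{print $1}' || true
  done | sort -u
}

echo "== xmlrpc clients (count address) =="; xmlrpc_counts "$LOG"
echo "== fuzzing requests by those clients =="; fuzzing_reqs "$LOG"
echo "== clients that reached wp-admin with 200 =="; admin_success_ips "$LOG"
```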
