OK, so it may not be the zombies you are thinking about. The zombies I am referring to are the computer kind. Yes, there are zombie computers. These computers are not dead like real zombies (if “real zombies” are a thing), nor do they attack humans. Rather, these computers have been hacked or infected by a virus and are under the control of an individual or another computer. This army of zombie computers can then do the dirty work of nefarious individuals, who have the power of many computers under their thumb, such as performing a denial of service (DoS) attack to shut down a website or render it inaccessible.
So recently I was glancing at my web site log files and noticed that one site’s log file was very large. Large web site logs can be a good thing if that means it is a popular web site; however, this site was one of the less popular sites that I manage. Looking at the log more closely, I discovered my site was under a password brute-force attack. Someone was trying to guess the password of a single account on the site. They tried 40,000 times to guess the password of the administrator account. They were unsuccessful, mostly because the default administrator account had been removed from the system (highly recommended), so they never would have been able to log in.
The method of this attack is the reason I am writing this blog entry. This attack was not from one computer trying 40,000 times to guess the password; rather, the attack came from 13,000 computers, each trying just 3 times to guess the password. So why would someone use 13,000+ computers to guess one password on a single site, and why only 3 attempts from each computer? The short answer is to “fly under the radar”. There are web server programs available to block brute-force password attacks (which are a good thing). Typically they will block a computer from further attempts after a certain number of unsuccessful tries. Site administrators want to avoid blocking real people, so they allow a few bad password attempts, and the limit is usually greater than 3. So this zombie army was flying under the radar in attempting to break into the web site by only trying 3 guesses per computer.
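To show why a per-IP lockout misses this pattern, here is an added example (not code from the original post) that counts failed login POSTs from a web access log two ways: per source IP, the way a lockout tool does, and site-wide per time window. The log format is Apache combined, the login path `/login`, the failure status `401`, and the lockout limit of 5 are all assumptions; the sample log is constructed in the script using documentation IP ranges.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log line: we only need ip, timestamp, method, path, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/login"   # assumption: the site's login endpoint
FAILED_STATUS = "401"   # assumption: status the site returns for a bad password

def parse_failed_logins(log_text):
    """Yield (ip, timestamp) for every failed login POST in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH or m["status"] != FAILED_STATUS:
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def analyze(log_text, per_ip_limit=5, window=timedelta(hours=1), distributed_limit=50):
    """Compare per-IP counting (lockout view) with site-wide counting per window."""
    per_ip, per_window = Counter(), Counter()
    for ip, ts in parse_failed_logins(log_text):
        per_ip[ip] += 1
        per_window[int(ts.timestamp() // window.total_seconds())] += 1
    peak = max(per_window.values(), default=0)
    return {
        "failed_attempts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),       # what a lockout tool sees
        "ips_locked_out": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        "peak_per_window": peak,                              # what the site as a whole sees
        "distributed_attack": peak >= distributed_limit,
    }

def build_sample_log(n_bots=40, tries_each=3):
    """Constructed log: n_bots attacker IPs (TEST-NET-3 range) each sending tries_each
    failed logins within 20 minutes, plus one real user who mistypes once, then succeeds."""
    start = datetime(2017, 3, 10, 2, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /login HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    stamp = lambda delta: (start + delta).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip=f"203.0.113.{b + 1}", ts=stamp(timedelta(seconds=b * 30 + t * 2)), status=401)
             for b in range(n_bots) for t in range(tries_each)]
    lines.append(fmt.format(ip="198.51.100.7", ts=stamp(timedelta(minutes=5)), status=401))
    lines.append(fmt.format(ip="198.51.100.7", ts=stamp(timedelta(minutes=5, seconds=8)), status=302))
    return "\n".join(lines)

if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

With 40 bots at 3 tries each, no IP reaches the lockout limit and `ips_locked_out` stays empty, while the site-wide window count (121 failures from 41 addresses) is what gives the attack away.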
This was a coordinated attack by an army of zombie computers, all focused on finding the password for a single account on my web site. So how can I tell? The attack lasted for 48 hours with specific start and end times. After 48 hours it stopped as quickly as it started. I was interested in finding out where these zombie computers were located (I had a hunch), so I gathered a list of the 13,000+ IP addresses of the attacking computers. I then checked the country of origin of each IP address using a script that queries whois (whois is a method of finding details on the network provider and country of origin of an IP address). This took several days, since my whois provider limits the number of whois queries per day. Here is what I found:
As it turns out, over 90% of the zombie computers were located in Russia or former Soviet Union countries (hunch confirmed). There has been talk in the news about Russian government-sponsored hacking. Now, I am sure the Russian government has better sites to hack than mine, but hacking attempts from Russia and the former Soviet Union countries are very real. With an army of thousands of zombie computers under their control, any web site is prone to attack, including small sites like mine.