
Apparently some bot running from a server in Singapore is trying to get into people’s WordPress accounts by spamming the password reset option to find valid usernames.
Weirdly, they tried to get into a website that I’m still working on which isn’t public yet. I’m hoping to make “handsonkb.com” an instructional site where I share all the knowledge I’ve gained from the plethora of trainings and readings I’ve done in cybersecurity.
Apparently the bot’s been hitting typical WordPress admin pages for the past few days. Maybe they’re hoping to find valid WP-Admin login portals that they can attempt to brute force or stuff leaked credentials into.
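
A way to spot this pattern in your own web server logs, as an added example that is not part of the original post: it counts, per client IP, password-reset POSTs to `wp-login.php?action=lostpassword` and other requests to `wp-login.php` or `/wp-admin`. It assumes the Apache/Nginx "combined" log format; the function names, thresholds and sample lines are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format. The IPs come from the
# RFC 5737 documentation ranges; they are not the bot described in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:05:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2024:10:06:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Captures client IP, HTTP method and request path from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) ')

def classify(method, path):
    """Return 'reset' for a password-reset submission, 'admin' for any other
    request to the login or admin pages, or None for everything else."""
    base, _, query = path.partition("?")
    if base.endswith("/wp-login.php"):
        if method == "POST" and "action=lostpassword" in query:
            return "reset"
        return "admin"
    if base.startswith("/wp-admin"):
        return "admin"
    return None

def summarize(log_text):
    """Per-IP counts of reset submissions and admin-page requests."""
    counts = defaultdict(lambda: {"reset": 0, "admin": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m.group(2), m.group(3)) if m else None
        if kind:
            counts[m.group(1)][kind] += 1
    return dict(counts)

def flag(log_text, reset_threshold=3, admin_threshold=5):
    """IPs at or above either threshold (illustrative values, tune per site)."""
    return sorted(ip for ip, c in summarize(log_text).items()
                  if c["reset"] >= reset_threshold or c["admin"] >= admin_threshold)

if __name__ == "__main__":
    print(flag(SAMPLE_LOG))
```

A single visitor who genuinely forgot a password stays under the thresholds, so only the repeated submissions stand out.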

From looking at the NTLM info you can see on Shodan, this is just some cloud Windows 10 VM from a small German VPS hosting company. The server’s either rented by whoever’s running the bot(s) themselves or they got into somebody else’s server to do this.

Hopefully it hits somebody’s honeypot and we can see what commands it runs after getting access. That would make things more interesting.
Sound off in the comments about anything InfoSec or InfoTech.