Update: By popular request, we have created a tool that lets you check if your own home router is vulnerable to the problems discussed in this post. Visit this page to check if your home router has port 7547 open or if it’s running a vulnerable version of RomPager. Last week, while creating the Wordfence monthly attack report, we noticed that Algeria had moved from position 60 in our “Top Attacking Countries” list to position 24. That was a big jump and we were curious why Algeria had climbed the attack rankings so rapidly.
What we discovered on closer examination is that over 10,000 IP addresses in Algeria were attacking WordPress websites in March. Most IPs were only launching between 50 and 1000 attacks during the entire month.
The following chart is a histogram. It groups IP addresses by the number of times they attacked. As you can see by the spike on the left, the most common number of attacks was around 100 to 200 for an IP address. Few of the attacking IPs generated more than 2,000 attacks during the entire month of March, 2017.
A Botnet Using Burst Attacks
We extracted the list of Algerian attack IPs and we included the time of first attack logged and the