Question

I have a server set up in the cloud (EC2) that hosts all of my WordPress sites.

I noticed today that the sites were getting hit by a hack.

109.87.118.222 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
5.15.198.184 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3926 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
42.116.170.247 - - [16/Oct/2013:13:10:32 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
93.78.138.185 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.95.13.35 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
93.80.123.137 - - [16/Oct/2013:13:10:34 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
79.181.39.227 - - [16/Oct/2013:13:10:34 -0400] "POST /wp-login.php HTTP/1.0" 200 3933 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

I think I fixed the attack by adding a login lockdown to trap IP addresses.

But I also found a whole bunch of these in there as well...

157.56.92.164 - - [16/Oct/2013:09:57:12 -0400] "GET /search.php/?q=bethanny+franklin+haircut&ht=1 HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:13 -0400] "GET /search.php/?ht=1&q=address+label+coupon+codes HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:13 -0400] "GET /search.php/?q=Martell+Gay+Bryce&ht=1 HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:14 -0400] "GET /search.php/?ht=1&q=monterey+fashions+coat HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:14 -0400] "GET /search.php/?ht=1&q=SUPERPREP+ELITE+semi+pro+team HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:15 -0400] "GET /search.php/?ht=1&q=rines+para+jeep+cheroki HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:15 -0400] "GET /search.php/?ht=1&q=outdoor+pro+staff+opportunity HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

What are these?

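The two log excerpts in the question, triaged in code. This is an added example, not code from the question or the answer: it parses Apache combined-log lines, flags the distributed brute force by its fingerprint (many source IPs posting to wp-login.php with an identical Referer and User-Agent inside a short window), separates the crawler requests to /search.php, and includes the name check for Bing's documented reverse-DNS verification of bingbot (the DNS lookup itself is assumed to be done by the caller). The sample log is constructed: the wp-login.php and search.php lines are copied from the question's excerpts, the 203.0.113.10 line is invented filler; function names and thresholds are assumptions.

```python
"""Added example: triage of the two log patterns quoted in the question."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. The first six lines reproduce entries from the question;
# the last line is an invented ordinary request so the filters have something
# to leave alone.
SAMPLE_LOG = """\
109.87.118.222 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
5.15.198.184 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3926 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
42.116.170.247 - - [16/Oct/2013:13:10:32 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
93.78.138.185 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
157.56.92.164 - - [16/Oct/2013:09:57:12 -0400] "GET /search.php/?q=bethanny+franklin+haircut&ht=1 HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:13 -0400] "GET /search.php/?ht=1&q=address+label+coupon+codes HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.10 - - [16/Oct/2013:13:11:02 -0400] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_login_bursts(entries, window=timedelta(seconds=60), min_ips=3):
    """Flag POSTs to wp-login.php sharing one Referer/User-Agent fingerprint
    that arrive from at least `min_ips` distinct addresses inside `window`.
    One user retrying shows as one IP; a botnet spraying passwords shows as
    many IPs with an identical fingerprint, as in the question's log."""
    by_fingerprint = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php":
            by_fingerprint[(e["referer"], e["ua"])].append(e)
    bursts = []
    for (referer, ua), hits in by_fingerprint.items():
        hits.sort(key=lambda h: h["ts"])
        best_ips, start = set(), 0
        for end, h in enumerate(hits):          # sliding window over time
            while h["ts"] - hits[start]["ts"] > window:
                start += 1
            ips = {x["ip"] for x in hits[start:end + 1]}
            if len(ips) > len(best_ips):
                best_ips = ips
        if len(best_ips) >= min_ips:
            bursts.append({
                "referer": referer,
                "ua": ua,
                "ips": sorted(best_ips),
                # wp-login.php re-renders the form with status 200 on a failed
                # login and redirects (302) on success, so a 302 inside the
                # burst is the first thing to investigate.
                "possible_success": sorted(x["ip"] for x in hits if x["status"] == 302),
            })
    return bursts


def crawler_search_hits(entries):
    """Count GETs to /search.php per source IP whose User-Agent claims to be a
    crawler. Unlike the login POSTs these are single-source and not an attack:
    the bot is fetching search-result URLs it found linked somewhere."""
    counts = Counter()
    for e in entries:
        if (e["method"] == "GET" and e["path"].startswith("/search.php")
                and "bot" in e["ua"].lower()):
            counts[e["ip"]] += 1
    return counts


def claims_bingbot_and_ptr_matches(ua, ptr_hostname):
    """Bing documents that genuine bingbot addresses reverse-resolve to a host
    under search.msn.com (and the forward lookup of that name must return the
    same IP). The lookups are assumed to be done by the caller; only the
    name check is implemented here."""
    return "bingbot" in ua.lower() and ptr_hostname.lower().endswith(".search.msn.com")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for b in find_login_bursts(entries):
        print("brute force: %d IPs, referer %s" % (len(b["ips"]), b["referer"]))
    for ip, n in crawler_search_hits(entries).items():
        print("crawler: %s made %d requests to /search.php" % (ip, n))
```

On the four wp-login.php lines the burst detector reports one fingerprint with four distinct IPs and no 302, i.e. a distributed guessing run that, as far as this excerpt shows, had not succeeded; the search.php lines collapse to a single crawler IP, which the reverse-DNS check (run separately) either confirms as Bing or exposes as something spoofing its User-Agent.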

Solution

Ran into these as well and they actually succeeded in essentially bringing down our webserver. Seems to be a botnet brute force password attack that's been going on since April targeting WordPress sites, though it seems to have picked up again lately. I added the following to our .htaccess file and that seems to have done the trick (obviously you'd need to change the domain and IP address, either single or range, for your own use):

# BEGIN DDoS block
# Blocks "example.com/wp-login.php" referer without https?://
# And blocks all non-company addresses from wp-login.php
# mod_rewrite rules are ignored in .htaccess unless the engine is switched on
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^example\.com/wp-login\.php$
RewriteRule .* - [F]

# Only the company address may POST (submit credentials) to wp-login.php
# (Apache 2.2 access-control syntax; the dot is escaped so it does not match any character)
<FilesMatch "^wp-login\.php$">
<Limit POST>
    Order Deny,Allow
    Deny from all
    Allow from XXX.XXX.XXX.XXX
</Limit>
</FilesMatch>

# Only the company address may reach wp-login.php at all (any method)
<FilesMatch "^wp-login\.php$">
    Order Deny,Allow
    Deny from all
    Allow from XXX.XXX.XXX.XXX
</FilesMatch>
# END DDoS block
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow