Connection Attempt from 1.234.20.87 After Using Auto Update (5 posts)

  1. DamienWilson
    Member
    Posted 4 months ago #

    Hello there,

    I'm currently developing our company's new site. WordPress, as always, is our choice of CMS.

    The site at present is located on a development cloud but isn't available from SE indexes.

    I attempted to configure the AutoUpdates in WP using FTPS; however, I had this confused with SFTP (SSH File Transfer Protocol) at first and failed with the supplied credentials. I had the server log files checked before attempting again and found the following:

    Jan 20 09:10:50 TeamDev sshd[11541]: subsystem request for sftp
    Jan 20 10:03:27 TeamDev sshd[17225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.234.20.87  user=root
    Jan 20 10:03:29 TeamDev sshd[17225]: Failed password for root from 1.234.20.87 port 48785 ssh2

    I have the following plug-ins installed:

    akismet
    configure-smpt
    jetpack
    nivo-slider

    Before I investigate this further, can anyone shed any light on this instance? Has this IP address been seen before?

    Thank you

    Damien

  2. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 4 months ago #

    Did you attempt to do a whois for that IP?

    It's from Seoul. It's just a garden variety hacker/spammer trying to access your system. Welcome to the crap that is webhosting.

    Use a firewall like CFD to auto-block those attempts.

  3. DamienWilson
    Member
    Posted 4 months ago #

    Hello,

    Thank you for this... why do you think this happened after I used AutoUpdate?

    Could one of the above plugins be passing my information on?

  4. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 4 months ago #

    I think it's a coincidence.

    Almost every server has an account named 'root'.

  5. turtl3
    Member
    Posted 3 months ago #

    I had the same IP try and log in through my SSH application using root as well. I constantly get weird IPs trying to gain access with standard login information like "root" and "host". I enabled the IP filter and only allowed the IPs I'm using and let the program block the rest. Interesting note, I've never had more than 2 attempts from the same IP address; makes me think they are using some sort of auto IP program to ping open SSH clients trying to gain access with default values.
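
The pattern described in this thread (one or two failed root logins per source address, from many addresses), as an added example that is not part of any post above: it parses sshd log lines in the format quoted in the first post and compares a per-IP failure threshold with a count of distinct source IPs per targeted username. All log lines except the two taken from the thread, and both thresholds, are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the first post. The first
# two lines are from the thread; the rest use documentation addresses
# (RFC 5737) and are made up for this example.
SAMPLE_LOG = """\
Jan 20 10:03:27 TeamDev sshd[17225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.234.20.87  user=root
Jan 20 10:03:29 TeamDev sshd[17225]: Failed password for root from 1.234.20.87 port 48785 ssh2
Jan 20 10:41:02 TeamDev sshd[17301]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan 20 10:41:05 TeamDev sshd[17301]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan 20 11:15:40 TeamDev sshd[17388]: Failed password for invalid user host from 198.51.100.7 port 40022 ssh2
Jan 20 11:52:13 TeamDev sshd[17402]: Failed password for root from 203.0.113.99 port 33810 ssh2
Jan 20 12:00:01 TeamDev sshd[17450]: Accepted password for deploy from 192.0.2.200 port 50111 ssh2
"""

# Matches only the "Failed password" record, for valid and invalid usernames.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return (failures per IP, set of source IPs per targeted username)."""
    per_ip = defaultdict(int)
    ips_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            ips_per_user[m["user"]].add(m["ip"])
    return dict(per_ip), dict(ips_per_user)

def flag(log_text, per_ip_limit=5, distinct_ip_limit=3):
    """Per-IP threshold (what an auto-blocker applies) vs. per-username spread."""
    per_ip, ips_per_user = summarize(log_text)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    sprayed_users = sorted(u for u, ips in ips_per_user.items()
                           if len(ips) >= distinct_ip_limit)
    return noisy_ips, sprayed_users

if __name__ == "__main__":
    per_ip, ips_per_user = summarize(SAMPLE_LOG)
    print("failures per IP:", per_ip)
    print("flagged (noisy IPs, sprayed usernames):", flag(SAMPLE_LOG))
```

On this sample no address reaches the per-IP limit, yet `root` is targeted from three distinct addresses, which is why the allow-list approach from the last post (or disabling password login for root) holds up where per-IP blocking alone does not.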
