WordPress.org


[resolved] Could this be a hack/injection attempt and should I do anything? (5 posts)

  1. nickathome
    Member
    Posted 5 years ago #

    Hi

    The statpress plugin threw up the below access to my site.

    Could it be an attempt at a hack and should I do anything or have anything to be concerned about?

    Within the string is an ip address, 87.118.91.73:777, which is completely different to the source ip address (85.140.66.16).

    There are also a couple of human-readable strings, including SOCKS, that make me wonder, especially as doing a Google search for 87.118.91.73 brings up results that include 'socks' and look suspicious - e.g. bestproxies.biz/mariotxvcbx_socks90.php.

    I ran the string through http://www.simplelogic.com/Developer/URLDecode.asp but the result was meaningless to me.

    This is the full string in two parts (to prevent a clickable link):

    http://www.

    tillyochil.co.uk/?/devon-dollar-tillicoultry-tadpoles/%2B%2B%2BResult:%2B%25e8%25f1%25ef%25ee%25eb%25fc%25e7%25f3%25e5%25ec%2BSOCKS%2B87.118.91.73:777%253b%25e8%25f1%25ef%25ee%25eb%25fc%25e7%25ee%25e2%25e0%25ed%2B%25ed%25e8%25ea%25ed%25e5%25e9%25ec%2B%2522Rinkinnordirm%2522%253b%2522anal%2522%253b%25ef%25f0%25e8%25f1%25f3%25f2%25f1%25f2%25e2%25f3%25e5%25f2%2Bnofollow%253b%25f3%25f1%25ef%25e5%25f5%2B%28%25f1%2B%25ef%25e5%25f0%25e2%25ee%25e9%2B%25f1%25f2%25f0%25e0%25ed%25e8%25f6%25fb%29%253b%25f1%25ee%25ee%25e1%25f9%25e5%25ed%25e8%25e5%2B%25e4%25ee%25eb%25e6%25ed%25ee%2B%25ef%25f0%25ee%25e9%25f2%25e8%2B%25ec%25ee%25e4%25e5%25f0%25e0%25f6%25e8%25fe%253b/

    Thanks,
    Nick

  2. nickathome
    Member
    Posted 5 years ago #

    EDIT: I should look a bit more before posting - I can obviously now see how to edit a post. Shows how green I am!

    I didn't realise that quoting the string would result in a clickable link and can't see how to edit my post to change that.

    Please don't follow the link! Maybe it isn't harmful but I'm nervous that it might be!!!!

    Nick

  3. Could it be an attempt at a hack and should I do anything or have anything to be concerned about?

    You should only be concerned about it if it worked. Just by virtue of being on the Internet you will get lots of spam/hack/fooled-you-into-clicking-here attempts in your log.

    These attempts by themselves are to be expected. If you see anything on your blog that indicates you've been compromised then you should begin to worry and should start remediation of the hack.

    But again, only if you think your blog or workstation has been exploited or compromised.

    For some reading up take a look at

    http://codex.wordpress.org/Combating_Comment_Spam
    http://codex.wordpress.org/Hardening_WordPress

    And of course, regular backups, along with knowing how to restore them, are always a good practice and can help you if you do get compromised.

    http://codex.wordpress.org/WordPress_Backups
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

  4. Mark / t31os
    Moderator
    Posted 5 years ago #

    I get almost daily attempts...

    As jdembowski rightly said, you only need to worry if they are able to exploit the site..

    An attempt is only an attempt until it succeeds...

    I find the frequency related to posting new entries, and the same with spam...

    I post a new blog entry, within a day or so the spammers arrive to spam comments and the access logs increase in access attempts... strange.... :)

    http://whois.domaintools.com/87.118.91.73
    http://whois.domaintools.com/85.140.66.16

    There could just be an exploited box on one of those IPs; some access attempts write the result to a text document on an exploited site.

    What I usually do if I can see this in the access attempt (quite often) is inform the host of that box. Firstly it gives that host a kick in the butt, and secondly it takes down storage space for the wannabe script kiddy using it. Not all hosts will respond, or fix the problem though...

  5. nickathome
    Member
    Posted 5 years ago #

    Thanks jdembowski and t31os_.

    I won't worry about it but will read through those links. I should also test a backup - better to find out I can't restore it now than when I've thousands of proper visitors a day! (I can but dream.)

Topic Closed

This topic has been closed to new replies.
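
The logged string in the first post is percent-encoded twice, and the bytes underneath are not UTF-8, which is why a single pass through an online URL decoder looked meaningless. The sketch below is an added example and not part of the thread: it peels the encoding layer by layer and extracts any host:port strings; the function names are hypothetical and the Windows-1251 fallback is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Segment appended to the permalink, copied from the request quoted in the first post.
LOGGED = (
    "%2B%2B%2BResult:%2B%25e8%25f1%25ef%25ee%25eb%25fc%25e7%25f3%25e5%25ec"
    "%2BSOCKS%2B87.118.91.73:777%253b"
    "%25e8%25f1%25ef%25ee%25eb%25fc%25e7%25ee%25e2%25e0%25ed%2B%25ed%25e8%25ea%25ed%25e5%25e9%25ec"
    "%2B%2522Rinkinnordirm%2522%253b%2522anal%2522%253b"
    "%25ef%25f0%25e8%25f1%25f3%25f2%25f1%25f2%25e2%25f3%25e5%25f2%2Bnofollow%253b"
    "%25f3%25f1%25ef%25e5%25f5%2B%28%25f1%2B%25ef%25e5%25f0%25e2%25ee%25e9%2B"
    "%25f1%25f2%25f0%25e0%25ed%25e8%25f6%25fb%29%253b"
    "%25f1%25ee%25ee%25e1%25f9%25e5%25ed%25e8%25e5%2B%25e4%25ee%25eb%25e6%25ed%25ee%2B"
    "%25ef%25f0%25ee%25e9%25f2%25e8%2B%25ec%25ee%25e4%25e5%25f0%25e0%25f6%25e8%25fe%253b/"
)

def peel(raw, max_rounds=5):
    """Percent-decode until no %XX escapes remain; return (bytes, rounds used)."""
    data, rounds = raw.encode("ascii"), 0
    while rounds < max_rounds and re.search(rb"%[0-9A-Fa-f]{2}", data):
        data = unquote_to_bytes(data)
        rounds += 1
    return data, rounds

def analyze(raw, fallback="cp1251"):
    """Decode a logged URL segment and list the host:port strings it contains."""
    data, rounds = peel(raw)
    data = data.replace(b"+", b" ")  # '+' is the form-encoding of a space
    try:
        text, charset = data.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        # Assumption: bytes clustered in 0xE0-0xFF are lowercase Cyrillic
        # in Windows-1251, so that code page is tried when UTF-8 fails.
        text, charset = data.decode(fallback, errors="replace"), fallback
    endpoints = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b", text)
    return {"rounds": rounds, "charset": charset,
            "text": text.strip(), "endpoints": endpoints}

if __name__ == "__main__":
    for key, value in analyze(LOGGED).items():
        print(f"{key}: {value}")
```

The decoded Russian text reads roughly as "using SOCKS 87.118.91.73:777; nickname used ...; nofollow present; success (from the first page); message must pass moderation", which matches the replies: a status line left in the log, not evidence that anything on the site changed.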
