blog being attacked!? plz help

  • Hi All,

    I use WordPress Firewall plugin on my site and the last two days I seem to be getting hit a few times per minute with some sort of attack. 1000s of alerts and growing!

    I think, I’m not too sure on these messages, most are easy to tell what is going on but I’m lost with these.

    Can anyone else clue me in here? Am I being attacked, or is there some sort of misconfig causing this?

    Sample alerts
    -------------------
    Web Page: http://www.ThisIsMyBlogDomain.com/ (hidden for privacy)
    Warning: URL may contain dangerous content!
    Offending IP: 206.207.80.165 [ Get IP location ]
    Offending Parameter: PHPSESSID = cd425be27def1acbe77d2e1bd4bdc4bc, wp_ozh_wsa_visits=1, wp_ozh_wsa_visit_lasttime=1264066592, alpha=178502cc412b00001a6d594b35610800783e0000, CFID=35069126, CFMAGIC=35069126:92000169, CFTOKEN=92000169
    -------------------
    Web Page: http://www.ThisIsMyBlogDomain.com/ (hidden for privacy)
    Warning: URL may contain dangerous content!
    Offending IP: 216.145.24.240 [ Get IP location ]
    Offending Parameter: PHPSESSID = 91f59f87191e99c3529a2766c2e9f4b3, wp_ozh_wsa_visits=1, wp_ozh_wsa_visit_lasttime=1264153003, alpha=26d56bd181130000faca594b1f160700e3120000, XTCsid=6c5d5732586af445d192a89ecbb70870, CFID=20592936, CFTOKEN=79796267, SPC_LQ=|
    -------------------

    So looking at the above:

    I see ‘ozh’, which makes me think this has something to do with the Who Sees Ads plugin (made by Ozh), which it could be, but I also see CFID and CFTOKEN etc., and that is ColdFusion, which I don’t use on my site. The offending IPs are also not mine.

    If anyone has a clue here I’d really appreciate any help you can provide as it makes me very nervous to be getting so many alerts like this!

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • You’re just seeing the cookies (named wp_ozh_wsa_XXX) that are being set. Nothing related to my plugin.

    Thread Starter pickled (@pickled)

    Thanks a lot for the reply, Ozh!

    So someone/thing is hitting my site with a ColdFusion script and setting off WSA’s cookies?

    Just had the same thing happen to me.

    Does this mean that someone did try and hack their way in?

    Thanks
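
A triage sketch for alerts like the two quoted in the thread, added here as an example and not code from any poster or from the WordPress Firewall plugin: it splits each "Offending Parameter" value into cookie name/value pairs and groups the names by the software that normally sets them. The function names and category labels are assumptions; the Who Sees Ads and ColdFusion attributions come from the thread, and PHPSESSID is PHP's default session cookie name.

```python
import re
from collections import Counter

# The two alerts quoted in the thread (link text after the IP dropped).
ALERTS = """\
Offending IP: 206.207.80.165
Offending Parameter: PHPSESSID = cd425be27def1acbe77d2e1bd4bdc4bc, wp_ozh_wsa_visits=1, wp_ozh_wsa_visit_lasttime=1264066592, alpha=178502cc412b00001a6d594b35610800783e0000, CFID=35069126, CFMAGIC=35069126:92000169, CFTOKEN=92000169
Offending IP: 216.145.24.240
Offending Parameter: PHPSESSID = 91f59f87191e99c3529a2766c2e9f4b3, wp_ozh_wsa_visits=1, wp_ozh_wsa_visit_lasttime=1264153003, alpha=26d56bd181130000faca594b1f160700e3120000, XTCsid=6c5d5732586af445d192a89ecbb70870, CFID=20592936, CFTOKEN=79796267, SPC_LQ=|
"""

COLDFUSION = {"CFID", "CFTOKEN", "CFMAGIC"}  # ColdFusion session cookies


def classify(name):
    """Map a cookie name to the software that normally sets it (labels are hypothetical)."""
    if name.startswith("wp_ozh_wsa_"):
        return "who-sees-ads"      # cookies set by the Who Sees Ads plugin
    if name in COLDFUSION:
        return "coldfusion"        # not set by a site that does not run ColdFusion
    if name == "PHPSESSID":
        return "php-session"
    return "unrecognised"


def parse_alerts(text):
    """Return [(ip, {cookie_name: value}), ...] from firewall alert text."""
    alerts, ip = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Offending IP:\s*(\S+)", line)
        if m:
            ip = m.group(1)
            continue
        m = re.match(r"\s*Offending Parameter:\s*(.*)", line)
        if m:
            cookies = {}
            for pair in m.group(1).split(", "):
                name, _, value = pair.partition("=")  # split on the first "=" only
                cookies[name.strip()] = value.strip()
            alerts.append((ip, cookies))
    return alerts


def summarise(text):
    """Count cookie origins per offending IP."""
    return {ip: Counter(classify(n) for n in c) for ip, c in parse_alerts(text)}


if __name__ == "__main__":
    for ip, counts in summarise(ALERTS).items():
        print(ip, dict(counts))
```

Names that land in the `unrecognised` bucket are the ones to look up before deciding whether an alert is noise.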
