Hiding – Mega Huge Log Files to get your teeth into, Hackers live here.
I’m posting this (report) cum post in both “Limit Login Attempts Reloaded” and also “Webcraftic Hide login page”, all in the vain hope that someone out there might know what to do.
Both plugins are extraordinary by the way, but they are being circumvented. Below are my raw Apache logs from the 31st, and God’s honest truth here: I’m having a little trouble reading them, but I’ve spread the logs out so as to get a clearer course of events, and yes: it’s a bit long, but worth it, especially as it shows the server-side login procedure.
Background:
My main site is b92mjs.co.uk
And I have a domain parked next to it called pigsoft.net
There’s nothing of value being shown here, and all pages are in the public domain.
From wp-login.php, my changed secret login page is now called b92login.php. And revealing that top-secret information is a rather moot point, as you’ll soon discover.
This particular lockout by “Limit Login Attempts Reloaded” got logged at nine, .. and the IP address was already in the Deny rules, yet they were still able to hit the server side of my site.
As always: the hackers start off with my parked site and then add the conventional wp-login.php string.
It must also be remembered that the entire thing took seconds to complete.
Begin.
[31/Aug/2020:09:56:02 +0100] "GET /wp-login.php HTTP/1.0" 404 69666 "http://pigsoft.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
<<<<-------!!!!!! normal wp-login.php
pigsoft.net 77.247.181.165 - - [31/Aug/2020:09:56:05 +0100] "GET / HTTP/1.1" 301 - "http://pigsoft.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
// They now switch their attention to my main site, ..
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:09 +0100] "GET / HTTP/1.1" 200 88022 "https://www.b92mjs.co.uk/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:12 +0100] "GET /blog/ HTTP/1.1" 200 86551 "https://www.b92mjs.co.uk/blog/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
// This POST is interesting, but I can't see what it does, and yes: I do have Contact Form 7 installed, ..
// But how would they know?
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:14 +0100] "POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1" 200 176 "https://www.b92mjs.co.uk/blog/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
// I had no idea why they kept hitting the 'Knickers' pages, ..
// Then found this code below inside one of them on the Text Tab side of tinyMCE
<div data-contents="true">
<div data-block="true" data-editor="4rjjj" data-offset-key="1ih5n-0-0">
</div>
</div>
// No clue how it got there, perhaps an old editor, but it's now been removed.
// Yesterday the Hackers were targeting the Submit button on my Boxzilla pop-ups.
// I've removed all of them bar one.
// Continuing ever onwards in the Hackathon, ..
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:16 +0100] "GET /knickers/enter-the-void/ HTTP/1.1" 200 79919 "https://www.b92mjs.co.uk/knickers/enter-the-void/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:19 +0100] "GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1" 200 84411 "https://www.b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
// =============== (( HERE IT IS ))=============
// From the above, then my hidden login has been found, .. but how?
// It can only be WordPress that's revealing it, ..
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:21 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "https://www.b92mjs.co.uk/b92login/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
<<<<<<<<<<<<<<<< how are they doing it?
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:23 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
// Kicked out by "Limit Login Attempts Reloaded", so they start yet again with my parked pigsoft.net domain, ..
pigsoft.net 77.247.181.165 - - [31/Aug/2020:09:56:25 +0100] "GET /wp-login.php HTTP/1.0" 404 69652 "http://pigsoft.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:26 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:29 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:30 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 77.247.181.165
pigsoft.net 77.247.181.162 - - [31/Aug/2020:09:58:55 +0100] "GET /wp-login.php HTTP/1.0" 404 69677 "http://pigsoft.net/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.247.181.162
pigsoft.net 77.247.181.162 - - [31/Aug/2020:09:58:56 +0100] "GET / HTTP/1.1" 301 - "http://pigsoft.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.247.181.162
www.b92mjs.co.uk 77.247.181.162 - - [31/Aug/2020:09:58:59 +0100] / HTTP/1.1" 200 88026 "https://www.b92mjs.co.uk/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.247.181.162
www.b92mjs.co.uk 77.120.113.64 - - [31/Aug/2020:09:59:03 +0100] "GET /blog/ HTTP/1.1" 200 86546 "https://www.b92mjs.co.uk/blog/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
www.b92mjs.co.uk 77.120.113.64 - - [31/Aug/2020:09:59:06 +0100] "POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1" 200 176 "https://www.b92mjs.co.uk/blog/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
// Yet again, the Hacking Script has detected a weakness somewhere.
www.b92mjs.co.uk 77.120.113.64 - - [31/Aug/2020:09:59:08 +0100] "GET /knickers/enter-the-void/ HTTP/1.1" 200 79949 "https://www.b92mjs.co.uk/knickers/enter-the-void/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
www.b92mjs.co.uk 77.120.113.64 - - [31/Aug/2020:09:59:10 +0100] "GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1" 200 84415 "https://www.b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
// From the above, then my hidden login below has been found yet again!
// As I say: it can only be WordPress itself that's revealing the new login file name.
www.b92mjs.co.uk 77.120.113.64 - - [31/Aug/2020:09:59:13 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "https://www.b92mjs.co.uk/b92login/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
www.b92mjs.co.uk 104.244.78.231 - - [31/Aug/2020:09:59:15 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 104.244.78.231
// Kicked out for the second time, by "Limit Login Attempts Reloaded".
pigsoft.net 104.244.78.231 - - [31/Aug/2020:09:59:16 +0100] "GET /wp-login.php HTTP/1.0" 404 69681 "http://pigsoft.net/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 104.244.78.231
www.b92mjs.co.uk 104.244.78.231 - - [31/Aug/2020:09:59:21 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 104.244.78.231
www.b92mjs.co.uk 185.220.101.195 - - [31/Aug/2020:09:59:23 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 185.220.101.195
www.b92mjs.co.uk 185.220.101.195 - - [31/Aug/2020:09:59:25 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 185.220.101.195
b92mjs.co.uk 114.119.167.156 - - [31/Aug/2020:10:01:31 +0100] "GET /wordpress-problems/how-too-add-a-vertical-menu-bar-separator HTTP/1.1" 301 - "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+http://aspiegel.com/petalbot)" 114.119.167.156
www.b92mjs.co.uk 114.119.167.156 - - [31/Aug/2020:10:01:35 +0100] "GET /myoutings/how-too-add-a-vertical-menu-bar-separator/ HTTP/1.1" 200 77752 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+http://aspiegel.com/petalbot)" 114.119.167.156
pigsoft.net 185.220.102.8 - - [31/Aug/2020:10:06:45 +0100] "GET /wp-login.php HTTP/1.0" 404 69661 "http://pigsoft.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.102.8
pigsoft.net 185.220.102.8 - - [31/Aug/2020:10:06:49 +0100] "GET / HTTP/1.1" 301 - "http://pigsoft.net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.102.8
www.b92mjs.co.uk 185.220.102.8 - - [31/Aug/2020:10:06:52 +0100] "GET / HTTP/1.1" 200 88043 "https://www.b92mjs.co.uk/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.102.8
www.b92mjs.co.uk 185.220.100.253 - - [31/Aug/2020:10:06:55 +0100] "GET /blog/ HTTP/1.1" 200 86559 "https://www.b92mjs.co.uk/blog/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.100.253
www.b92mjs.co.uk 185.220.100.253 - - [31/Aug/2020:10:06:58 +0100] "POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1" 200 176 "https://www.b92mjs.co.uk/blog/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.100.253
www.b92mjs.co.uk 185.220.100.253 - - [31/Aug/2020:10:07:00 +0100] "GET /knickers/enter-the-void/ HTTP/1.1" 200 79930 "https://www.b92mjs.co.uk/knickers/enter-the-void/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.100.253
www.b92mjs.co.uk 185.220.100.253 - - [31/Aug/2020:10:07:02 +0100] "GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1" 200 84421 "https://www.b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.100.253
<<<<<<<<<<<<<<<<<< IN YET AGAIN AFTER THAT HUGE STRING.
www.b92mjs.co.uk 185.220.100.253 - - [31/Aug/2020:10:07:03 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "https://www.b92mjs.co.uk/b92login/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.100.253
www.b92mjs.co.uk 51.75.64.187 - - [31/Aug/2020:10:07:05 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 51.75.64.187
// And yet again the Hackers have been bounced out by "Limit Login Attempts Reloaded", ..
// So they start yet again on my parked domain, ..
pigsoft.net 51.75.64.187 - - [31/Aug/2020:10:07:06 +0100] "GET /wp-login.php HTTP/1.0" 404 69679 "http://pigsoft.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 51.75.64.187
www.b92mjs.co.uk 51.75.64.187 - - [31/Aug/2020:10:07:08 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 51.75.64.187
www.b92mjs.co.uk 51.75.64.187 - - [31/Aug/2020:10:07:10 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 51.75.64.187
www.b92mjs.co.uk 51.75.64.187 - - [31/Aug/2020:10:07:11 +0100] "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 51.75.64.187
www.b92mjs.co.uk 114.119.165.74
And so it goes on and on and on, ..
Even after doing all that housekeeping on the internal pages, they’re still getting at my secret login link page, but by now hitting the submit button buried deep inside my site. I do hope that you’ve kept up at the back; now sit to attention!
So, .. anyone got any pointers as to what’s happening?
Catch you (Laters) my lovely Hackers.
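Added example, not from the post or from either plugin: a small Python parser for the log layout the post's entries follow once they are split one per line (virtual host, client IP, two dashes, bracketed timestamp, quoted request, status, bytes, quoted referer, quoted user agent, client IP again). It answers two questions a defender would ask of this log: how many distinct addresses touch the hidden login path, and how often a login POST arrives from a different address than the one that loaded the form seconds earlier with the same user agent. That second case is exactly what an IP-keyed lockout cannot stop. The hidden path /b92login/, the hostnames and the addresses are taken from the post; the sample block is constructed for this example, with the user-agent strings shortened to labels.

```python
"""Parse the per-line Apache log layout from the post and flag login-page activity.

Assumed layout (one entry per line):
  <vhost> <client-ip> - - [timestamp] "<request>" <status> <bytes> "<referer>" "<user-agent>" <client-ip>
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: (?P<ip2>\S+))?\s*$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample modelled on the post's entries; UA strings abbreviated to labels.
SAMPLE_LOG = """
pigsoft.net 77.247.181.165 - - [31/Aug/2020:09:56:02 +0100] "GET /wp-login.php HTTP/1.0" 404 69666 "http://pigsoft.net/wp-login.php" "UA-A" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:21 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "https://www.b92mjs.co.uk/b92login/" "UA-A" 77.247.181.165
www.b92mjs.co.uk 77.247.181.165 - - [31/Aug/2020:09:56:23 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" "UA-A" 77.247.181.165
pigsoft.net 77.247.181.162 - - [31/Aug/2020:09:58:55 +0100] "GET /wp-login.php HTTP/1.0" 404 69677 "http://pigsoft.net/wp-login.php" "UA-B" 77.247.181.162
www.b92mjs.co.uk 77.120.113.64 - - [31/Aug/2020:09:59:13 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "https://www.b92mjs.co.uk/b92login/" "UA-B" 77.120.113.64
www.b92mjs.co.uk 104.244.78.231 - - [31/Aug/2020:09:59:15 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" "UA-B" 104.244.78.231
b92mjs.co.uk 114.119.167.156 - - [31/Aug/2020:10:01:31 +0100] "GET /wordpress-problems/how-too-add-a-vertical-menu-bar-separator HTTP/1.1" 301 - "-" "PetalBot" 114.119.167.156
pigsoft.net 185.220.102.8 - - [31/Aug/2020:10:06:45 +0100] "GET /wp-login.php HTTP/1.0" 404 69661 "http://pigsoft.net/wp-login.php" "UA-C" 185.220.102.8
www.b92mjs.co.uk 185.220.100.253 - - [31/Aug/2020:10:07:03 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "https://www.b92mjs.co.uk/b92login/" "UA-C" 185.220.100.253
www.b92mjs.co.uk 51.75.64.187 - - [31/Aug/2020:10:07:05 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" "UA-C" 51.75.64.187
"""


def parse_line(line):
    """Return one entry as a dict, or None for lines that do not fit the layout
    (blank lines, or the post's one entry whose request string is cut short)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse a whole log, silently skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def login_activity(entries, login_path="/b92login/"):
    """Every request to the hidden login page, in log order."""
    return [e for e in entries if e["path"] == login_path]


def find_ip_rotation(entries, login_path="/b92login/", window=timedelta(seconds=30)):
    """Flag login POSTs whose source IP differs from the IP that loaded the form.

    Pairing key is the user-agent string: the same UA fetches the login page from
    one address and submits it from another within `window`. An IP-keyed lockout
    only ever sees one attempt per address, so it never trips on this pattern.
    """
    last_get = {}  # ua -> (timestamp, ip) of the most recent GET of the login page
    findings = []
    for e in entries:
        if e["path"] != login_path:
            continue
        if e["method"] == "GET":
            last_get[e["ua"]] = (e["ts"], e["ip"])
        elif e["method"] == "POST" and e["ua"] in last_get:
            get_ts, get_ip = last_get[e["ua"]]
            if e["ts"] - get_ts <= window and get_ip != e["ip"]:
                findings.append({"ts": e["ts"], "get_ip": get_ip, "post_ip": e["ip"], "ua": e["ua"]})
    return findings


def summarize(entries, login_path="/b92login/", parked_vhost="pigsoft.net"):
    """Counts a defender would want: login hits, distinct sources, rotated POSTs,
    and how many times the parked host's /wp-login.php was probed (404)."""
    hits = login_activity(entries, login_path)
    return {
        "login_gets": sum(1 for h in hits if h["method"] == "GET"),
        "login_posts": sum(1 for h in hits if h["method"] == "POST"),
        "distinct_ips": len({h["ip"] for h in hits}),
        "distinct_uas": len({h["ua"] for h in hits}),
        "rotated_posts": len(find_ip_rotation(entries, login_path)),
        "parked_probes": sum(
            1 for e in entries
            if e["vhost"] == parked_vhost and e["path"] == "/wp-login.php" and e["status"] == 404
        ),
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for k, v in summarize(log).items():
        print(f"{k:>14}: {v}")
    for f in find_ip_rotation(log):
        print(f"{f['ts']:%H:%M:%S} {f['ua']}: form loaded from {f['get_ip']}, submitted from {f['post_ip']}")
```

Run against the post's own entries (one per line), the summary shows the point the post is circling: every login POST after the first comes from an address that was never seen loading the form, so a Deny rule or a per-IP lockout keyed on the previous address cannot catch the next one. Lines that don't fit the layout (the post has one whose request string is truncated) are skipped rather than guessed at.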