Support » Plugin: Hide login page, Hide wp admin - stop attack on login page » Hiding – Mega Huge Log Files to get your teeth into, Hackers live here.

  • Resolved MrsJessicaSimpson

    (@mrsjessicasimpson)


    I’m posting this (report) cum post in both “Limit Login Attempts Reloaded” and also “Webcraftic Hide login page”, all in the vain hope that someone out there might know what to do.
    Both plugins are extraordinary by the way, but they are being circumvented.

    Below are my raw Apache Logs from the 31st, and God’s honest truth here: I’m having a little trouble reading them, but I’ve spread the logs out so’s to get a clearer course of events, and yes: it’s a bit long, but worth it, especially as it shows the server-side login procedure.

    Background:

    My main site is b92mjs.co.uk
    And I have a domain parked next to it called pigsoft.net
    There’s nothing of value being shown here, and all pages are in the public domain.
    From wp-login.php, my changed secret login page is now called b92login.php

    – And revealing that top-secret-information, is a rather moot point; as you’ll soon discover.

    This particular Lock out by “Limit Login Attempts Reloaded”, got logged at nine, .. and the IP address was already in the Deny rules: yet they were still able to hit the server side of my site.
    As always: the hackers start off with my parked site and then add the conventional wp-login.php string.
    It must also be remembered, that the entire thing took seconds to complete.
    Begin.

    [31/Aug/2020:09:56:02 +0100]
    "GET /wp-login.php HTTP/1.0" 404 69666 
    "http://pigsoft.net/wp-login.php" <<<<-------!!!!!! normal wp-login.php
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51"
    77.247.181.165
    pigsoft.net 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:05 +0100]
    "GET / HTTP/1.1" 301 - "http://pigsoft.net/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51"
     77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    // They now switch their attention to my main site, ..
    
    - [31/Aug/2020:09:56:09 +0100] 
    "GET  / HTTP/1.1" 200 88022 
    "https://www.b92mjs.co.uk/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:12 +0100]
    "GET /blog/ HTTP/1.1" 200 86551 
    "https://www.b92mjs.co.uk/blog/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    // This POST is interesting, but I can't see what it does, and yes: I do have contact-form 7 installed, ..
    // But how would they know?
    
    - [31/Aug/2020:09:56:14 +0100] 
        "POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1" 200 176 
    "https://www.b92mjs.co.uk/blog/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    // I had no idea why they kept hitting the 'Knickers' pages, ..
    // Then found this code below inside one of them on the Text Tab side of tinyMCE 
    
    <div data-contents="true">
    <div data-block="true" data-editor="4rjjj" data-offset-key="1ih5n-0-0"> </div>
    </div>
    
    // No clue how it got there, perhaps an old editor, but it's now been removed.
    // Yesterday the Hackers were targeting the Submit button on my Boxzilla pop-ups. 
    // I've removed all of them bar one.
    
    // Continuing ever onwards in the Hackathone, ..
    
    - [31/Aug/2020:09:56:16 +0100]
    "GET /knickers/enter-the-void/ HTTP/1.1" 200 79919 
    "https://www.b92mjs.co.uk/knickers/enter-the-void/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:19 +0100]
    "GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1" 200 84411 "https://www.b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    // =============== ((     HERE IT IS    ))=============
    // From the above, then my hidden login has been found, .. but how?
    // It can only be WordPress that's revealing it, ..
    
    - [31/Aug/2020:09:56:21 +0100]
    "GET /b92login/ HTTP/1.1" 200 9570 	<<<<<<<<<<<<<<<< how are they doing it?
    "https://www.b92mjs.co.uk/b92login/" 	<<<<<<<<<<<<<<<< how are they doing it?
    
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:23 +0100] 
        "POST /b92login/ HTTP/1.1" 200 9812 "https://www.b92mjs.co.uk/b92login/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    pigsoft.net 77.247.181.165 - 
    
    // Kicked out by "Limit Login Attempts Reloaded", so they start yet again with my parked pigsoft.net domain, ..
    
    - [31/Aug/2020:09:56:25 +0100]
    "GET /wp-login.php HTTP/1.0" 404 69652 
    "http://pigsoft.net/wp-login.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:26 +0100]
    "GET /index.php HTTP/1.1" 301 - 
    "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:29 +0100]
    "GET /index.php HTTP/1.1" 301 - 
    "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    www.b92mjs.co.uk 77.247.181.165 - 
    
    - [31/Aug/2020:09:56:30 +0100]
    "GET /index.php HTTP/1.1" 301 - 
    "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51" 
    77.247.181.165
    pigsoft.net 77.247.181.162 -
    
    - [31/Aug/2020:09:58:55 +0100]
    "GET /wp-login.php HTTP/1.0" 404 69677 
    "http://pigsoft.net/wp-login.php" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 
    77.247.181.162
    pigsoft.net 77.247.181.162 - 
    
    - [31/Aug/2020:09:58:56 +0100]
    "GET / HTTP/1.1" 301 - 
    "http://pigsoft.net/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
     77.247.181.162
    www.b92mjs.co.uk 77.247.181.162 - 
    
    - [31/Aug/2020:09:58:59 +0100] 
     / HTTP/1.1" 200 88026 "https://www.b92mjs.co.uk/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.247.181.162
    www.b92mjs.co.uk 77.120.113.64 - 
    
    - [31/Aug/2020:09:59:03 +0100]
    "GET /blog/ HTTP/1.1" 200 86546 "https://www.b92mjs.co.uk/blog/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
    www.b92mjs.co.uk 77.120.113.64 - 
    
    - [31/Aug/2020:09:59:06 +0100] 
        "POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1" 200 176 
        // Yet again, the Hacking Script has detected a weakness somewhere.
    		
    "https://www.b92mjs.co.uk/blog/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 
    77.120.113.64
    www.b92mjs.co.uk 77.120.113.64 - 
    
    - [31/Aug/2020:09:59:08 +0100]
    "GET /knickers/enter-the-void/ HTTP/1.1" 200 79949 
    "https://www.b92mjs.co.uk/knickers/enter-the-void/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 
    77.120.113.64
    www.b92mjs.co.uk 77.120.113.64 - 
    
    - [31/Aug/2020:09:59:10 +0100]
    "GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1" 200 84415 
    "https://www.b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 77.120.113.64
    www.b92mjs.co.uk 77.120.113.64 - 
    
    // From the above, then my hidden login below has been found yet again! 
    // As I say: it can only be WordPress itself that's revealing the new login file name.
    
    - [31/Aug/2020:09:59:13 +0100]
    "GET /b92login/ HTTP/1.1" 200 9570 
    "https://www.b92mjs.co.uk/b92login/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 
    77.120.113.64
    www.b92mjs.co.uk 104.244.78.231 - 
    
    - [31/Aug/2020:09:59:15 +0100] 
        "POST /b92login/ HTTP/1.1" 200 9812 
    "https://www.b92mjs.co.uk/b92login/" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 
    104.244.78.231
    pigsoft.net 104.244.78.231 - 
    
    // Kicked out for the second time, by "Limit Login Attempts Reloaded".
    
    - [31/Aug/2020:09:59:16 +0100]
    "GET /wp-login.php HTTP/1.0" 404 69681 
    "http://pigsoft.net/wp-login.php" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 104.244.78.231
    www.b92mjs.co.uk 104.244.78.231 - 
    
    - [31/Aug/2020:09:59:21 +0100]
    
    "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 104.244.78.231
    www.b92mjs.co.uk 185.220.101.195 - 
    
    - [31/Aug/2020:09:59:23 +0100]
    "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 185.220.101.195
    www.b92mjs.co.uk 185.220.101.195 - 
    
    - [31/Aug/2020:09:59:25 +0100]
    "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" 185.220.101.195
    b92mjs.co.uk 114.119.167.156 - 
    
    - [31/Aug/2020:10:01:31 +0100]
    "GET /wordpress-problems/how-too-add-a-vertical-menu-bar-separator HTTP/1.1" 301 - "-" 
    "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+http://aspiegel.com/petalbot)" 114.119.167.156
    www.b92mjs.co.uk 114.119.167.156 - 
    
    - [31/Aug/2020:10:01:35 +0100]
    "GET /myoutings/how-too-add-a-vertical-menu-bar-separator/ HTTP/1.1" 200 77752 "-" 
    "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+http://aspiegel.com/petalbot)" 114.119.167.156
    pigsoft.net 185.220.102.8 - 
    
    - [31/Aug/2020:10:06:45 +0100]
    "GET /wp-login.php HTTP/1.0" 404 69661 
    "http://pigsoft.net/wp-login.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 185.220.102.8
    pigsoft.net 185.220.102.8 - 
    
    - [31/Aug/2020:10:06:49 +0100]
    "GET / HTTP/1.1" 301 - "http://pigsoft.net/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    185.220.102.8
    www.b92mjs.co.uk 185.220.102.8 - 
    
    - [31/Aug/2020:10:06:52 +0100] 
    "GET / HTTP/1.1" 200 88043 
    "https://www.b92mjs.co.uk/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 
    185.220.102.8
    www.b92mjs.co.uk 185.220.100.253 - 
    
    - [31/Aug/2020:10:06:55 +0100]
    "GET /blog/ HTTP/1.1" 200 86559 "https://www.b92mjs.co.uk/blog/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    185.220.100.253
    www.b92mjs.co.uk 185.220.100.253 - 
    
    - [31/Aug/2020:10:06:58 +0100] 
        "POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1" 200 176 
    "https://www.b92mjs.co.uk/blog/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    185.220.100.253
    www.b92mjs.co.uk 185.220.100.253 - 
    
    - [31/Aug/2020:10:07:00 +0100]
    "GET /knickers/enter-the-void/ HTTP/1.1" 200 79930 
    "https://www.b92mjs.co.uk/knickers/enter-the-void/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    185.220.100.253
    www.b92mjs.co.uk 185.220.100.253 - 
    
    - [31/Aug/2020:10:07:02 +0100]
    "GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1" 200 84421 "https://www.b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    185.220.100.253
    www.b92mjs.co.uk 185.220.100.253 - 
    
    <<<<<<<<<<<<<<<<<< IN YET AGAIN AFTER THAT HUGE STRING.
    
    - [31/Aug/2020:10:07:03 +0100]
    "GET /b92login/ HTTP/1.1" 200 9570
    "https://www.b92mjs.co.uk/b92login/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 
    185.220.100.253
    www.b92mjs.co.uk 51.75.64.187 - 
    
    - [31/Aug/2020:10:07:05 +0100] 
        "POST /b92login/ HTTP/1.1" 200 9812 
    "https://www.b92mjs.co.uk/b92login/" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    51.75.64.187
    pigsoft.net 51.75.64.187 - 
    
    // And yet again the Hackers have been bounced out by "Limit Login Attempts Reloaded", ..
    // So they start yet again on my parked domain, ..
    
    - [31/Aug/2020:10:07:06 +0100]
    "GET /wp-login.php HTTP/1.0" 404 69679 
    "http://pigsoft.net/wp-login.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 
    51.75.64.187
    www.b92mjs.co.uk 51.75.64.187 - 
    
    - [31/Aug/2020:10:07:08 +0100]
    "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
    51.75.64.187
    www.b92mjs.co.uk 51.75.64.187 - 
    
    - [31/Aug/2020:10:07:10 +0100]
    "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 
    51.75.64.187
    www.b92mjs.co.uk 51.75.64.187 - 
    
    - [31/Aug/2020:10:07:11 +0100]
    "GET /index.php HTTP/1.1" 301 - "http://www.b92mjs.co.uk/index.php" 
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" 51.75.64.187
    www.b92mjs.co.uk 114.119.165.74 

    And so it goes on and on and on, ..
    Even after doing all that housekeeping on the internal pages, they’re still getting at my secret login link page, but by now hitting the submit button buried deep inside my site.

    I do hope that you’ve kept up at the back, now sit to attention!

    So, .. anyone got any pointers as to what’s happening?

    Catch you (Laters) my lovely Hackers.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter MrsJessicaSimpson

    (@mrsjessicasimpson)

    Thank you moderator, Steven: I forgot about the silly links in that log.

    Many thanks for boxing it all up for me.

    Thread Starter MrsJessicaSimpson

    (@mrsjessicasimpson)

    OK Chaps, this is a mitigated disaster ..

    I have been digging deep into the underbelly of the web, and found an article on WordPress . (org) about this issue of hackers getting at your login.php file in respect of brute force attacks.

    https://wordpress.org/support/topic/the-hidden-url-can-be-bypassed-in-firefox/

    I’ve hidden the link so it shouldn’t be flagged up, which also means that you can copy it for yourselves if you so wish.

    Conversationally in the article, and using a special string: Firefox alone, out of all the other browsers out there,.. is able to reveal your special hidden WordPress link.

    You have to use this string /%77%70%2D%6C%6F%67%69%6E.%70%68%70 in front of your web site when using the Firefox browser.

    As in:-
    http://www.mysite.com/%77%70%2D%6C%6F%67%69%6E.%70%68%70

    And this will display the hidden URL login page.

    I simply don’t know why the hackers are hammering my site, it’s nothing special and is only there for my entertainment only, but the one thing I’ve taken away from this episode of trying to stop them, is the fact that this plugin, like all the others that supposedly hide your wp-login.php file, does not work.

    BTW, that article appeared on the WordPress . (org) site 4 years ago, and the Firefox issue has still not been sorted.

    Hope it helps, .. Jessica.
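    A defender’s take on both posts, as an added example that is not from the thread, from Jessica, or from either plugin: it parses Apache combined-format lines (constructed samples below, not the real log), percent-decodes the request path so the encoded string quoted above and a plain /wp-login.php compare equal, and tags hits on the hidden slug /b92login/ (the name from the thread; assumed known to the site owner) per source IP.

    ```python
    import re
    from collections import defaultdict
    from urllib.parse import unquote

    # Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
        r'(?P<status>\d{3}) (?P<size>\S+)'
    )

    HIDDEN_LOGIN_SLUG = "/b92login/"  # the renamed login path from the thread (assumed)

    # Constructed sample lines (RFC 5737 documentation IPs), not Jessica's real log.
    SAMPLE_LOG = """\
    203.0.113.5 - - [31/Aug/2020:09:56:02 +0100] "GET /wp-login.php HTTP/1.0" 404 69666 "-" "Mozilla/5.0"
    203.0.113.5 - - [31/Aug/2020:09:56:21 +0100] "GET /b92login/ HTTP/1.1" 200 9570 "-" "Mozilla/5.0"
    203.0.113.5 - - [31/Aug/2020:09:56:23 +0100] "POST /b92login/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
    203.0.113.9 - - [31/Aug/2020:09:59:21 +0100] "GET /%77%70%2D%6C%6F%67%69%6E.%70%68%70 HTTP/1.1" 200 9570 "-" "Mozilla/5.0"
    198.51.100.7 - - [31/Aug/2020:10:01:35 +0100] "GET /blog/ HTTP/1.1" 200 77752 "-" "Mozilla/5.0"
    """

    def normalise_path(path):
        """Strip the query string and percent-decode until stable, so single- and
        double-encoded forms of /wp-login.php all collapse to the same string."""
        cur, prev = path.split("?", 1)[0], None
        while cur != prev:
            prev, cur = cur, unquote(cur)
        return cur.lower()

    def parse_line(line):
        """Return a dict for one combined-format line, or None if it does not parse."""
        m = LOG_RE.match(line)
        if not m:
            return None
        entry = m.groupdict()
        entry["norm_path"] = normalise_path(entry["path"])
        return entry

    def classify(entry):
        """Tag a parsed entry: any wp-login.php request (flagging encoded spellings
        separately) and any request, by method, for the hidden login slug."""
        tags = []
        if entry["norm_path"].endswith("/wp-login.php"):
            tags.append("wp-login")
            if "%" in entry["path"]:
                tags.append("encoded-login-path")  # raw path != decoded path
        if entry["norm_path"] == HIDDEN_LOGIN_SLUG:
            tags.append("hidden-login-" + entry["method"].lower())
        return tags

    def scan(log_text):
        """Group tags per source IP; IPs with nothing suspicious are omitted."""
        findings = defaultdict(list)
        for line in log_text.splitlines():
            entry = parse_line(line)
            if entry:
                for tag in classify(entry):
                    findings[entry["ip"]].append(tag)
        return dict(findings)
    ```

    Whatever a hide-login plugin does internally, matching on the decoded path is what makes the encoded request above visible to the check; the per-IP tags also reproduce the GET-then-POST pattern on /b92login/ that the first post walks through.
    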

    I just wanted to say thank you for sharing your experience. Now I know why I was still getting brute-force attacks on my website with this plugin. I removed it for an unrelated issue, but at least I am clear on why it’s not worth my time to try any other plugins of this type. Really appreciate it!
