So there's been some odd activity coming up in my visitor logs recently. I have an idea of what's going on, but I figured I'd post it here for anyone who has this problem. I'd also like to see what the wordpress gurus could tell me about it. Let me explain:
My logs show that an IP resolving as (ip-209-172-32-110.static.privatedns.com) tried to access the following pages:
* 05:38:23 ->/index.php?option=com_user&view=reset&layout=confirm
* 05:38:24 ->/?option=com_user&view=reset&layout=confirm
* 05:38:25 ->/index.php?option=com_user&task=confirmreset
* 05:38:26 ->/index.php?option=com_user&task=completereset
* 05:38:27 -> /administrator/index.php
Looking further into this, I discovered that this method of attack is very similar to exploiting a Joomla! 1.5 vulnerability. Essentially, this method is used to reset the admin password. As you can see, the attacker gets 404'd as /administrator/index.php doesn't exist, thus foiling the attack. No logs of the attacker logging in exist, so I doubt anything has happened.
Considering that the entries above were all accessed with 1 second intervals leads me to believe that this is a bot. But who knows. If anyone wants to elaborate on this, please do. I've done little research and I'm not too familiar with WordPress as much as most of you. So please, enlighten me if you so please.
Thanks in advance! I hope someone finds this useful.
(Quick reference to attack method: http://www.milw0rm.com/exploits/6234)