WordPress.org

Forums

Possible Attack Attempt? (2 posts)

  1. delata3
    Member
    Posted 5 years ago #

    Hey, all.

    So there's been some odd activity coming up in my visitor logs recently. I have an idea of what's going on, but I figured I'd post it here for anyone who has this problem. I'd also like to see what the wordpress gurus could tell me about it. Let me explain:

    My logs show that an IP resolving as (ip-209-172-32-110.static.privatedns.com) tried to access the following pages:

    * 05:38:23 ->/index.php?option=com_user&view=reset&layout=confirm
    * 05:38:24 ->/?option=com_user&view=reset&layout=confirm
    * 05:38:25 ->/index.php?option=com_user&task=confirmreset
    * 05:38:26 ->/index.php?option=com_user&task=completereset
    * 05:38:27 ->[404] /administrator/index.php

    Looking further into this, I discovered that this method of attack is very similar to exploiting a Joomla! 1.5 vulnerability. Essentially, this method is used to reset the admin password. As you can see, the attacker gets 404'd as /administrator/index.php doesn't exist, thus foiling the attack. No logs of the attacker logging in exist, so I doubt anything has happened.

    Considering that the entries above were all accessed with 1 second intervals leads me to believe that this is a bot. But who knows. If anyone wants to elaborate on this, please do. I've done little research and I'm not too familiar with WordPress as much as most of you. So please, enlighten me if you so please.

    Thanks in advance! I hope someone finds this useful.

    (Quick reference to attack method: http://www.milw0rm.com/exploits/6234)

  2. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 5 years ago #

    You can install lester chan's wp-ban plugin & put that IP address into it and any others that seem to be hack attempts.

Topic Closed

This topic has been closed to new replies.

About this Topic