[wp-hackers] attack on wp-admin/install.php

Konrad Karpieszuk kkarpieszuk at gmail.com
Wed Oct 9 07:35:56 UTC 2013


OK, one more piece of info which I thought wasn't related to this problem,
but maybe it is.

Three months ago somebody started this famous DDoS attack on wp-login.php at
those websites. Tens of times per second somebody tried to log in to the
dashboard using random passwords. At the beginning I resolved this in .htaccess
by adding rules so that nobody except my IP address can access
wp-login.php. But because I have a co-writer without a permanent IP address,
this was not a good solution.

So a few days ago I changed, in the files:
wp-login.php
wp-admin/index.php

first line from:

<?php

to

<?php if ($_COOKIE["superauth"] != "yep") exit("dostep zabroniony"); //


It checks if we got some 'secret' cookie, and if the cookie is absent it
immediately executes die().

It looks like a good solution: WordPress core isn't started at all, the server
is happy.
Can it be somehow related to this attack on wp-admin/install.php? I don't
believe that this kind of change has something in common with the install
script, but maybe I don't know WordPress core very well. Or maybe this
attacker, when he or she saw that wp-login.php and wp-admin/index.php are
secured, started a new way to attack (or he or she started this a long time
ago but .htaccess prevented it)? All IPs from the log are outside of Poland,
but my regular visitors are almost only from Poland.


--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl WordPress plugin for creating shops for customers
from Poland



On Wed, Oct 9, 2013 at 8:55 AM, Bryan Petty <bryan at ibaku.net> wrote:

> On Wed, Oct 9, 2013 at 12:39 AM, Konrad Karpieszuk
> <kkarpieszuk at gmail.com> wrote:
> > two things:
> >
> > 1. my website is not so popular that in one second 20 people try to connect
> >
> > 2. as you can see in the log, /wp-admin/install.php is added not always to the
> > main domain but sometimes to single post URLs (i.e.
> >
> > /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php
> > ). This is not a URL which somebody types in the address bar without reason
>
> It's actually fairly likely that in the event that your DB has dropped
> as Mika was suggesting, that one of your plugins or server
> configuration was causing a redirect loop back to install.php itself
> as well.
>
> Most hack attempts don't intentionally claim a user agent as
> "Feedfetcher-Google" (which was also seeing that install.php redirect
> loop).
>
> --
> Regards,
> Bryan Petty
>
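
A hardened form of the cookie gate described in the message above, as an added example that is not part of the original post or of WordPress. The constant names, the placeholder secret and the gate_* functions are assumptions for illustration; how the co-writer's browser receives the token is left out.

```php
<?php
// Added example. GATE_COOKIE, GATE_SECRET and the gate_* functions are hypothetical.
const GATE_COOKIE = 'superauth';
const GATE_SECRET = 'REPLACE-WITH-LONG-RANDOM-VALUE'; // placeholder, not a real secret

// Build a cookie value "<expiry>.<hmac>" that stays valid for $ttl seconds.
function gate_token_issue(string $secret, int $ttl, int $now): string
{
    $expiry = (string) ($now + $ttl);
    return $expiry . '.' . hash_hmac('sha256', $expiry, $secret);
}

// True only for a well-formed, unexpired token whose HMAC matches.
function gate_token_valid($cookie, string $secret, int $now): bool
{
    // $_COOKIE entries can be arrays (superauth[]=x) or missing, so insist on a string.
    if (!is_string($cookie) || substr_count($cookie, '.') !== 1) {
        return false;
    }
    list($expiry, $mac) = explode('.', $cookie);
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return false;
    }
    // hash_equals compares in constant time, unlike != or ==.
    return hash_equals(hash_hmac('sha256', $expiry, $secret), $mac);
}

// Gate for the first line of wp-login.php and wp-admin/index.php, before core loads.
function gate_enforce(array $cookies): void
{
    $value = isset($cookies[GATE_COOKIE]) ? $cookies[GATE_COOKIE] : null;
    if (!gate_token_valid($value, GATE_SECRET, time())) {
        http_response_code(403); // distinct status makes rejected hits easy to count in logs
        exit('dostep zabroniony'); // same message as the original post ("access denied")
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: valid, expired, tampered and array-valued cookies.
    $token = gate_token_issue(GATE_SECRET, 3600, 1000);
    var_dump(gate_token_valid($token, GATE_SECRET, 1500));
    var_dump(gate_token_valid($token, GATE_SECRET, 5000));
    var_dump(gate_token_valid($token . 'x', GATE_SECRET, 1500));
    var_dump(gate_token_valid(array('x'), GATE_SECRET, 1500));
} else {
    gate_enforce($_COOKIE);
}
```

This remains a pre-authentication filter that keeps WordPress core from loading for unwanted requests; the normal login still has to follow it, and the cookie should only travel over HTTPS.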
