[wp-hackers] attack on wp-admin/install.php

Abdussamad Abdurrazzaq abdussamad at abdussamad.com
Wed Oct 9 07:54:56 UTC 2013


If you are this worried you can always delete install.php.

On 10/09/2013 12:35 PM, Konrad Karpieszuk wrote:
> ok, one more piece of info which i thought wasn't related to this problem, but
> maybe.
>
> three months ago somebody started this famous ddos attack on wp-login.php at
> those websites. tens of times per second somebody tried to log in to the
> dashboard using random passwords. at the beginning i resolved this in .htaccess
> by adding rules so that nobody except my ip address can access
> wp-login.php. but because i have a cowriter without a permanent IP address,
> this was not a good solution
>
> so a few days ago i changed in files:
> wp-login.php
> wp-admin/index.php
>
> first line from:
>
> <?php
>
> to
>
> <?php if ($_COOKIE["superauth"] != "yep") exit("dostep zabroniony"); //
>
>
> it checks if we got some 'secret' cookie and if the cookie is absent it
> immediately executes die().
>
> It looks like a good solution: wordpress core isn't started at all, server is
> happy.
> Can it be somehow related to this attack on wp-admin/install.php? i don't
> believe that this kind of change has something in common with the install script,
> but maybe i don't know wordpress core very well. Or maybe this attacker, when
> he saw that wp-login.php and wp-admin/index.php are secured, started a new way to
> attack? (or he or she started this a long time ago but htaccess prevented
> this)? all IPs from the log are outside of Poland, but my regular
> visitors are almost only from Poland
>
>
> --
> (en) regards / (pl) pozdrawiam
> Konrad Karpieszuk
> http://tradematik.pl WordPress plugin for creating shops for
> customers from Poland
>
>
>
> On Wed, Oct 9, 2013 at 8:55 AM, Bryan Petty <bryan at ibaku.net> wrote:
>
>> On Wed, Oct 9, 2013 at 12:39 AM, Konrad Karpieszuk
>> <kkarpieszuk at gmail.com> wrote:
>>> two things:
>>>
>>> 1. my website is not so popular that in one second 20 people try to
>>> connect
>>>
>>> 2. as you can see in the log, /wp-admin/install.php is added not always to
>>> the main domain but sometimes to single post urls (ie
>>>
>>> /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php
>>> ) This is not a url which somebody types in the address bar without reason
>>
>> It's actually fairly likely that in the event that your DB has dropped
>> as Mika was suggesting, that one of your plugins or server
>> configuration was causing a redirect loop back to install.php itself
>> as well.
>>
>> Most hack attempts don't intentionally claim a user agent as
>> "Feedfetcher-Google" (which was also seeing that install.php redirect
>> loop).
>>
>> --
>> Regards,
>> Bryan Petty
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
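
A way to triage the access-log pattern discussed in this thread, added here as an example and not posted by any participant: it summarises requests ending in `/wp-admin/install.php` by per-second rate, response status, user agent, and whether the script was requested below a permalink instead of the site root. The function name `triage`, the log format (Apache combined) and the sample lines are assumptions; only the permalink path and the `Feedfetcher-Google` user agent come from the thread.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2013:07:10:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "Feedfetcher-Google"
203.0.113.7 - - [09/Oct/2013:07:10:01 +0000] "GET /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php HTTP/1.1" 302 0 "-" "Feedfetcher-Google"
198.51.100.23 - - [09/Oct/2013:07:10:01 +0000] "GET /wp-admin/install.php?step=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Oct/2013:07:10:02 +0000] "GET /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Oct/2013:07:10:02 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def triage(log_text, suffix="/wp-admin/install.php"):
    """Summarise requests whose path ends in `suffix` (hypothetical helper)."""
    per_second, agents = Counter(), Counter()
    nested, redirects = set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed or truncated entry
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.endswith(suffix):
            continue
        per_second[m["ts"]] += 1  # log timestamps have one-second resolution
        agents[m["ua"]] += 1
        redirects += m["status"].startswith("3")
        prefix = path[: -len(suffix)]
        if prefix:  # install.php requested below a permalink, not the site root
            nested.add(prefix)
    return {
        "total": sum(per_second.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "redirects": redirects,
        "nested_prefixes": sorted(nested),
        "agents": dict(agents),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A large share of 3xx responses spread across ordinary crawler and browser user agents is consistent with the redirect-loop explanation given in the thread; it is a hint for where to look next, not a verdict.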

