[wp-hackers] attack on wp-admin/install.php

Konrad Karpieszuk kkarpieszuk at gmail.com
Wed Oct 9 18:54:38 UTC 2013


ok, thank you for those explanations :)


--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl WordPress plugin for building online shops for customers from Poland



On Wed, Oct 9, 2013 at 7:35 PM, Mika A Epstein <ipstenu at ipstenu.org> wrote:

> People tried to access the file because WordPress defaults to that file
> when it thinks it's not installed.
>
> Does that make sense? WP couldn't tell it was installed, and thus assumed
> it was NOT and people who visited wanted to install. That's the only logical
> explanation for the URLs you gave us. Like ttrss pulling the install.php?
> That logically happens when it's actually trying to get a feed, but WP says
> "Oh hai! I'm not installed!"
>
> This is 100% expected behavior :)
>
> I'm very certain it's not a hack (nb I deal with hacked sites for WP at my
> company every single day, it's my job, I'm pretty familiar with how hacked
> WP behaves). Or rather, if it IS a hack, it's not that people are attacking
> install.php, it's that they somehow made your wp-config.php go away, or the
> DB tables.
>
> Honestly though, what we need to know (and what you don't know) is what
> did the install.php page say when you hit it? Did it say "no DB" or
> "There's no config file..." If you go to /wp-admin/install.php now, you'll
> see 'Hai! Already installed!' And I think that was NOT what people saw. If
> it was? Then MAYBE you have a brute force attempt (which is not a hack
> BTW). But I think not.
>
> I don't think your server admin is wrong, but I do think that you don't
> clearly understand how WP handles this sort of thing, so there's some
> confusion in explanations to the admin :/
>
>  Konrad Karpieszuk <mailto:kkarpieszuk at gmail.com>
>> October 9, 2013 9:58 AM
>>
>> ok, but why? server admin told me (and i have to trust him) that everything
>> was ok with connection to DB. or even if it wasn't... why somebody tried to
>> connect to file /wp-admin/install.php (i still believe that this was not an
>> accident).
>>
>> what do i think.
>>
>> i think that somebody on purpose made a ddos attack because somehow (maybe
>> he tested this before) he knew that during a huge ddos attack wordpress will
>> 'lose its mind'. during a huge ddos attack the server as hardware stops
>> working correctly and sometimes for a php command like "if
>> (!file_exists('wp-config.php'))" it will not be able to check if the file
>> really exists, will return true (there is no file wp-config.php) and php will
>> delegate the chain of command to the installation file. and then the hacker
>> will be able to reinstall my wordpress with his credentials
>>
>>
>>
>> --
>> (en) regards / (pl) pozdrawiam
>> Konrad Karpieszuk
>> http://tradematik.pl WordPress plugin for building online shops for customers from Poland
>>
>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> Mika A Epstein <mailto:ipstenu at ipstenu.org>
>> October 9, 2013 9:39 AM
>>
>> It's not the next attack. It's your WP site not seeing it's installed.
>> This means that the DB tables weren't accessible for some reason OR the
>> wp-config.php was unreadable.
>>
>> Konrad Karpieszuk wrote:
>> Mika Epstein <mailto:ipstenu at ipstenu.org>
>> October 9, 2013 6:29 AM
>>
>> Block it in your htacess first, actually. That's way easier.
>>
>> Based on what info you gave us, we can't diagnose anything. Check your
>> SERVER logs. Did a file get edited or go missing? The problem is not that
>> the file was being hit by millions of people, the problem is why did WP not
>> know it was installed? Check your logs to see if anything happened to the
>> DB. Was it unreadable? Did you add/remove a plugin recently? Did you
>> upgrade?
>>
>> Your mentioned changes to login and admin shouldn't cause anything like
>> this, it's purely WP no longer thinking it was installed. So what have you
>> done to diagnose THAT? :)
>>
>> Mika A Epstein <mailto:ipstenu at ipstenu.org>
>> October 8, 2013 11:47 AM
>>
>> I think causality is the other way around.
>>
>> People were hitting install.php so much because the wizard was showing.
>> Was your SQL server glitching?
>>
>>
>>
> --
> Mika A Epstein (aka Ipstenu)
> http://ipstenu.org | http://halfelf.org
>
>
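The practical advice in this thread is to read the server logs and ask whether visitors were being sent to install.php by WordPress (the "not installed" redirect) or were requesting it on their own. The script below is an added example for doing that triage; it is not code from the thread or from WordPress. It assumes WordPress answers the original request with an HTTP 3xx before the client fetches /wp-admin/install.php, so a hit on install.php that follows a 3xx from the same client within a few seconds is classified as a redirected visitor (the ttrss case Mika describes), and any other hit as a direct request worth a closer look. The log lines are constructed for the example and use the Apache "combined" format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not from the
# thread). Two clients are first served a 3xx on a normal URL and then fetch
# install.php, which is what a visitor or feed reader sees when WordPress
# thinks it is not installed; one client requests install.php with no prior
# redirect at all.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2013:08:55:01 +0000] "GET /feed/ HTTP/1.1" 302 0 "-" "Tiny Tiny RSS/1.10"
203.0.113.5 - - [09/Oct/2013:08:55:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3120 "-" "Tiny Tiny RSS/1.10"
198.51.100.7 - - [09/Oct/2013:08:55:10 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2013:08:55:11 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3120 "http://example.org/" "Mozilla/5.0"
192.0.2.9 - - [09/Oct/2013:09:10:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3120 "-" "python-requests/2.0"
192.0.2.9 - - [09/Oct/2013:09:10:01 +0000] "POST /wp-admin/install.php HTTP/1.1" 200 2048 "-" "python-requests/2.0"
"""

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

INSTALL_PATH = "/wp-admin/install.php"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def is_install_hit(entry):
    return entry["path"].split("?", 1)[0] == INSTALL_PATH


def triage_install_hits(entries, window=timedelta(seconds=5)):
    """Split install.php hits into 'redirected' (same client was served a 3xx on
    another URL within `window` just before) and 'direct' (no such redirect).
    Also report the time span of the hits, which is the window to correlate
    with database and server logs."""
    entries = sorted(entries, key=lambda e: e["ts"])
    last_redirect = {}  # ip -> (timestamp, path) of the most recent 3xx on a non-install URL
    redirected, direct = [], []
    for e in entries:
        if not is_install_hit(e):
            if 300 <= e["status"] < 400:
                last_redirect[e["ip"]] = (e["ts"], e["path"])
            continue
        prev = last_redirect.get(e["ip"])
        if prev is not None and e["ts"] - prev[0] <= window:
            redirected.append({"ip": e["ip"], "from": prev[1], "ua": e["ua"]})
        else:
            direct.append({"ip": e["ip"], "method": e["method"], "ua": e["ua"]})
    install = [e for e in entries if is_install_hit(e)]
    return {
        "first_hit": install[0]["ts"].isoformat() if install else None,
        "last_hit": install[-1]["ts"].isoformat() if install else None,
        "distinct_ips": len({e["ip"] for e in install}),
        "redirected": redirected,
        "direct": direct,
    }


if __name__ == "__main__":
    report = triage_install_hits(parse_log(SAMPLE_LOG))
    print("install.php hits between", report["first_hit"], "and", report["last_hit"])
    print("distinct client IPs:", report["distinct_ips"])
    for r in report["redirected"]:
        print("redirected visitor:", r["ip"], "was sent from", r["from"], "UA", r["ua"])
    for d in report["direct"]:
        print("direct request:    ", d["ip"], d["method"], "UA", d["ua"])
```

The "first_hit" timestamp is the moment WordPress stopped seeing itself as installed; that is where to look in the database and web-server error logs for an unreadable wp-config.php or an unreachable options table. Redirected entries are expected traffic during such an outage and need no further attention, while a large share of direct requests, especially POSTs, is the case where the thread's "brute force attempt" reading would deserve a closer look.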

