Confused wp-login.php hackers

Dima

A few days ago I’ve created a solution to block wp-login.php bruteforce attacks. After implementing it to the several sites the logs now are filled with a new phenomenon.

Confused hackers, knowing that site is on the WordPress platform, try to find if this wp-login.php file is moved somewhere. And they actually scan all possible combination of paths on the site. Luckily this doesn’t affect the server’s resource as hard as a brute-force attack. It’s much easier to return 404 than to process erroneous credentials, which requires touching the database server.

Here is a snippet from the log:

50.63.54.154 - - [22/May/2015:09:22:10 +0300] "GET /tag/therm-a-rest/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:11 +0300] "GET /tag/therm-a-rest/administrator/index.php HTTP/1.0" 301 532 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:12 +0300] "GET /2015/02/winter-night-virginity/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:13 +0300] "GET /2015/02/winter-night-virginity/feed/administrator/index.php HTTP/1.0" 301 551 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:14 +0300] "GET /2015/02/two-nights/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:15 +0300] "GET /2015/02/two-nights/feed/administrator/index.php HTTP/1.0" 301 539 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:16 +0300] "GET /2015/01/no-ceiling/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:17 +0300] "GET /2015/01/no-ceiling/administrator/index.php HTTP/1.0" 301 534 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:18 +0300] "GET /category/preparation/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:19 +0300] "GET /category/preparation/feed/administrator/index.php HTTP/1.0" 301 541 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:19 +0300] "GET /tag/two-nights/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:20 +0300] "GET /tag/two-nights/feed/administrator/index.php HTTP/1.0" 301 535 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:21 +0300] "GET /tag/kuopio/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:22 +0300] "GET /tag/kuopio/feed/administrator/index.php HTTP/1.0" 301 531 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:23 +0300] "GET /tag/nilsia/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:24 +0300] "GET /tag/nilsia/feed/administrator/index.php HTTP/1.0" 301 531 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:25 +0300] "GET /tag/mikkeli/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:25 +0300] "GET /tag/mikkeli/feed/administrator/index.php HTTP/1.0" 301 532 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:26 +0300] "GET /tag/jetboil/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:27 +0300] "GET /tag/jetboil/feed/administrator/index.php HTTP/1.0" 301 532 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:28 +0300] "GET /tag/stove/feed/wp-login.php HTTP/1.0" 404 24068 "-" "-"
50.63.54.154 - - [22/May/2015:09:22:29 +0300] "GET /tag/stove/feed/administrator/index.php HTTP/1.0" 301 530 "-" "-"

This doesn’t have a strong affection on the server’s memory usage, which swaps many times under the hard attacks. Disk usage is still the same because of logging. But I want to believe that hackers, after the unsuccessful searching, will remove my server from their lists to limit their resource wasting. Then these logs will also come to an end.

Hackers seem to have a script, that checks also for Joomla Administrator logins. The solution I wrote about in a previous post will work also for Joomla and other platforms, which have widely known paths to the logins.

Leave a Reply

Your email address will not be published. Required fields are marked *