Re: [LUG] An observation on wordpress and scripted attacks
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] An observation on wordpress and scripted attacks
- From: Simon Avery <digdilem@xxxxxxxxx>
- Date: Fri, 8 Feb 2013 17:09:18 +0000
Further to this, I spent ten minutes amending wp-login.php so that it
logs attempts on this domain.
Following are less than a day's attempts to log into what is
essentially a parked WordPress site with no real traffic. I see a lot
of phishing attempts which have wp paths; this is one of the ways they
get in. I imagine the automation would extend to posting a fake bank
login page and then firing off a bunch of emails from the compromised
site too.
Some interesting patterns in here.
http://dpaste.com/915913/
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq