
Pardon the dust. WordPress got hacked, had to update

Posted on February 15th, 2014 Dan

Some hackers were able to re-install (?) an admittedly out-of-date WordPress. No evidence they made it any further than the install process, but that in itself is quite worrisome since it should have been disabled. At any rate I updated the WordPress software and combed through the logs, and didn’t find evidence of anything more than a distributed attack on the WordPress installer coming from different hosts. The one that managed to get to install “step 2” with an HTTP 200 OK code is in bold below.

Looks like some kind of botnet, but Google and Microsoft too? I thought robots.txt was supposed to keep their spiders from indexing the admin pages, and those aren’t their spiders, they’re just corporate addresses as far as I can tell.

This is a snippet from the log:


123.125.71.55 – – [10/Feb/2014:20:54:46 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(China)
123.125.71.12 – – [10/Feb/2014:20:54:55 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(China)
66.249.73.24 – – [10/Feb/2014:21:05:01 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:21:05:01 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:21:05:02 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:21:05:02 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:21:05:02 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 – (Google Inc.)
157.55.32.62 – – [10/Feb/2014:21:30:57 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Microsoft Corp)
157.55.32.62 – – [10/Feb/2014:21:30:58 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Microsoft Corp)
199.30.20.20 – – [10/Feb/2014:21:37:33 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Microsoft Corp)
199.30.20.20 – – [10/Feb/2014:21:37:34 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Microsoft Corp)
199.30.20.20 – – [10/Feb/2014:21:37:34 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 – (Microsoft Corp)
212.175.133.30 – – [10/Feb/2014:21:46:37 -0500] “GET /blog/wp-admin/install.php HTTP/1.1” 200 2046 (Turk)

These entries from a Turkish host come right at the time I get an email that “my wordpress blog has been installed”

212.175.133.30 – – [10/Feb/2014:21:46:59 -0500] “POST /blog/wp-admin/install.php?step=2 HTTP/1.1” 200 333171
212.175.133.30 – – [10/Feb/2014:21:47:22 -0500] “GET /blog/wp-admin/install.php?step=2 HTTP/1.1” 200 1547
212.175.133.30 – – [10/Feb/2014:21:48:06 -0500] “GET /blog/wp-admin/install.php HTTP/1.1” 200 2046 (Turk)
180.76.5.77 – – [10/Feb/2014:21:52:54 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 – (China)
180.76.6.155 – – [10/Feb/2014:21:52:54 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 – (China)
180.76.5.57 – – [10/Feb/2014:21:52:55 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(China)
180.76.5.73 – – [10/Feb/2014:21:52:55 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(China)
180.76.6.14 – – [10/Feb/2014:21:52:56 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(China)
66.249.73.24 – – [10/Feb/2014:22:12:20 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 – (Google Inc.)
66.249.73.24 – – [10/Feb/2014:22:12:24 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:22:12:28 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:22:12:32 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
66.249.73.24 – – [10/Feb/2014:22:12:36 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
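The triage done by hand above can be scripted. This is an added example, not code from the original post: it takes five of the log lines published here, undoes the blog's typographic quotes and dashes, and separates 302 probes from requests where the installer answered 200. The verdict labels and function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Five access-log lines copied from the post, typographic quotes/dashes as published.
SAMPLE = """\
66.249.73.24 – – [10/Feb/2014:21:05:01 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 -(Google Inc.)
212.175.133.30 – – [10/Feb/2014:21:46:37 -0500] “GET /blog/wp-admin/install.php HTTP/1.1” 200 2046 (Turk)
212.175.133.30 – – [10/Feb/2014:21:46:59 -0500] “POST /blog/wp-admin/install.php?step=2 HTTP/1.1” 200 333171
212.175.133.30 – – [10/Feb/2014:21:47:22 -0500] “GET /blog/wp-admin/install.php?step=2 HTTP/1.1” 200 1547
180.76.5.77 – – [10/Feb/2014:21:52:54 -0500] “GET /wp-admin/install.php HTTP/1.1” 302 – (China)
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(line):
    # Undo the blog's typographic substitutions so the line parses as plain log text.
    return line.translate(str.maketrans({"“": '"', "”": '"', "–": "-"}))

def classify(method, path, status):
    if "/wp-admin/install.php" not in path:
        return None
    if status != 200:
        return "probe"              # e.g. the 302s: redirected, installer page not served
    if method == "POST" and "step=2" in path:
        return "install-submitted"  # the request the post ties to the "installed" e-mail
    return "installer-exposed"      # installer page served with 200

def scan(text):
    findings = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(normalize(raw))
        if not m:
            continue
        verdict = classify(m["method"], m["path"], int(m["status"]))
        if verdict:
            findings[verdict].append((m["ip"], m["ts"], m["path"]))
    return dict(findings)

if __name__ == "__main__":
    for verdict, hits in scan(SAMPLE).items():
        for ip, ts, path in hits:
            print(f"{verdict:18} {ip:15} {ts} {path}")
```

Run against a full access log, any `installer-exposed` or `install-submitted` hit on an already-configured site is worth alerting on, while `probe` hits are background noise.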

