Pardon the dust. WordPress got hacked, had to update

Posted on February 15th, 2014 Dan

Some hackers were able to re-install (?) an admittedly out-of-date WordPress. No evidence they made it any further than the install process, but that in itself is quite worrisome since it should have been disabled. At any rate I updated the WordPress software and combed through the logs, and didn't find evidence of anything more than a distributed attack on the WordPress installer coming from different hosts. The one that managed to get to install "step 2" with an HTTP 200 OK code is shown below.

Looks like some kind of botnet, but Google and Microsoft too? I thought robots.txt was supposed to keep their spiders from indexing the admin pages, and those aren't their spiders; they're just corporate addresses as far as I can tell.

This is a snippet from the log:


123.125.71.55 - - [10/Feb/2014:20:54:46 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
123.125.71.12 - - [10/Feb/2014:20:54:55 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
66.249.73.24 - - [10/Feb/2014:21:05:01 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:21:05:01 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:21:05:02 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:21:05:02 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:21:05:02 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
157.55.32.62 - - [10/Feb/2014:21:30:57 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Microsoft Corp)
157.55.32.62 - - [10/Feb/2014:21:30:58 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Microsoft Corp)
199.30.20.20 - - [10/Feb/2014:21:37:33 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Microsoft Corp)
199.30.20.20 - - [10/Feb/2014:21:37:34 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Microsoft Corp)
199.30.20.20 - - [10/Feb/2014:21:37:34 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Microsoft Corp)
212.175.133.30 - - [10/Feb/2014:21:46:37 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 2046 (Turk)

These entries from a Turkish host come right at the time I get an email that "my wordpress blog has been installed".

212.175.133.30 - - [10/Feb/2014:21:46:59 -0500] "POST /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 333171
212.175.133.30 - - [10/Feb/2014:21:47:22 -0500] "GET /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 1547
212.175.133.30 - - [10/Feb/2014:21:48:06 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 2046 (Turk)
180.76.5.77 - - [10/Feb/2014:21:52:54 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
180.76.6.155 - - [10/Feb/2014:21:52:54 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
180.76.5.57 - - [10/Feb/2014:21:52:55 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
180.76.5.73 - - [10/Feb/2014:21:52:55 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
180.76.6.14 - - [10/Feb/2014:21:52:56 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (China)
66.249.73.24 - - [10/Feb/2014:22:12:20 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:22:12:24 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:22:12:28 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:22:12:32 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
66.249.73.24 - - [10/Feb/2014:22:12:36 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 - (Google Inc.)
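The triage the post describes by hand (scan the access log for installer hits, separate the harmless 302 redirects from the request that actually got a 200, and single out the POST to step=2 that completes a WordPress install) can be automated. The script below is an added example written for this page, not code from the post's author. The log lines in it are constructed to mirror the snippet above (Apache common log format, without the hand-added host-owner labels, plus one unrelated request so the filter has something to ignore); the "step=2" heuristic assumes the stock WordPress installer, where step 2 is the form submission that creates the site and admin account.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines modeled on the post's log snippet (not the author's raw log).
SAMPLE_LOG = """\
123.125.71.55 - - [10/Feb/2014:20:54:46 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 -
66.249.73.24 - - [10/Feb/2014:21:05:01 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 -
212.175.133.30 - - [10/Feb/2014:21:46:37 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 2046
212.175.133.30 - - [10/Feb/2014:21:46:59 -0500] "POST /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 333171
212.175.133.30 - - [10/Feb/2014:21:47:22 -0500] "GET /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 1547
180.76.5.77 - - [10/Feb/2014:21:52:54 -0500] "GET /wp-admin/install.php HTTP/1.1" 302 -
10.0.0.5 - - [10/Feb/2014:21:53:00 -0500] "GET /blog/index.php HTTP/1.1" 200 5120
"""

# Apache common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Matches wp-admin/install.php whether the site lives at / or under a prefix like /blog/,
# with or without a query string.
INSTALLER_RE = re.compile(r'/wp-admin/install\.php(\?|$)')


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    size: int  # -1 when the log records "-" (no body, e.g. a redirect)


def parse_line(line):
    """Parse one access-log line; return None for lines that don't match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return Hit(m.group("ip"), m.group("ts"), m.group("method"), m.group("path"),
               int(m.group("status")), int(size) if size.isdigit() else -1)


def analyze(log_text):
    """Split installer traffic into three buckets:
    probes    - every source IP that touched install.php, with its request count
    served    - requests that got a 200 (the installer page was actually rendered)
    installed - POSTs to step=2 that got a 200, i.e. a completed install run
    A 302 means the server sent the client elsewhere, so those are noise here.
    """
    hits = [h for h in (parse_line(l) for l in log_text.splitlines())
            if h is not None and INSTALLER_RE.search(h.path)]
    probes = Counter(h.ip for h in hits)
    served = [h for h in hits if h.status == 200]
    installed = [h for h in served if h.method == "POST" and "step=2" in h.path]
    return {"probes": probes, "served": served, "installed": installed}


def report(log_text):
    """Human-readable summary of analyze(); returned as a string so it can be logged or mailed."""
    r = analyze(log_text)
    lines = ["installer probes by source IP:"]
    for ip, n in r["probes"].most_common():
        lines.append(f"  {ip:<16} {n}")
    lines.append(f"requests that reached the installer (HTTP 200): {len(r['served'])}")
    for h in r["served"]:
        lines.append(f"  {h.ts} {h.ip} {h.method} {h.path} {h.size} bytes")
    if r["installed"]:
        lines.append("COMPLETED INSTALL (POST step=2 answered 200):")
        for h in r["installed"]:
            lines.append(f"  {h.ts} {h.ip}")
    else:
        lines.append("no completed install runs found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the real access log (`analyze(open("access.log").read())`) and anything in `installed` is the line to act on: it marks the moment the attacker submitted site credentials, which is also when the "your blog has been installed" email the post mentions would have gone out. The `probes` counter is what shows the "distributed" shape of the scan, one or a few requests per source address. As the post notes, the right fix is to keep install.php unreachable once the site is up; robots.txt only asks well-behaved crawlers not to index a path and does nothing to stop anyone from requesting it.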

