  1. #1
    SitePoint Zealot 2ndmouse

    Suspicious URL being aimed at my site

    Hi all

    My log files are showing attempts to load the following URL by someone in the Ukraine. I don't think it's a harmful request as it simply gets a 'bad request' response from the browser. Just wondering if anyone here has seen this type of request before and whether I should block the IP.

    URL:

    mysite.com/change-log+++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED%FB+%E4%E0%ED%ED%FB%E5+x_fields.txt;+%E8%F1%

    Regards and happy new year
    Detect file changes remotely. SimpleSiteAudit is an early
    warning anti-hacker system which sends an alert on detection.

    PHP Find Orphan Files - Finds all the unreferenced files on your site.

  2. #2
    SitePoint Enthusiast
    If you don't know what it is, I think you should block that IP (how do you do that?).
    Better safe than sorry.............

  3. #3
    SitePoint Zealot 2ndmouse
    Yes, I've already put a temporary block on the IP. It's a WordPress site and I use the Wordfence plugin to block the IP. However, if you have access to the server, the IP can be blocked from there.

  4. #4
    SitePoint Enthusiast
    "wordfence plugin" thank you for the tip. My site is also a Wordpres

  5. #5
    SitePoint Wizard
    Originally posted by 2ndmouse:
    Just wondering if anyone here has seen this type of request before and whether I should block the ip.

    URL:

    mysite.com/change-log+++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED%FB+%E4%E0%ED%ED%FB%E5+x_fields.txt;+%E8%F1%
    I get those types of requests all the time, usually from Russia, Ukraine, and China. I'm not sure what the intention is, but my guess is that some bot is probing for any type of security vulnerability it can find. If you block the IP then you can expect to block more IPs because it isn't hard for a hacker to find a new IP address.
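
An added example, not part of the original thread: the percent-encoded bytes in the quoted URL are not valid UTF-8, but decoded as Windows-1251 they read as Russian text ("Result: data used x_fields.txt; ..."). The sketch below decodes logged paths that way and flags requests whose bytes only decode under a legacy code page; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# The path quoted in the thread (it is cut off in the post, so it ends in a bare '%').
SAMPLE_PATH = ("/change-log+++++++++++++++++++++++++++++Result:+"
               "%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED%FB+%E4%E0%ED%ED%FB%E5+x_fields.txt;+%E8%F1%")

# Constructed access-log lines; the IPs are documentation addresses, the date is made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2013:10:00:00 +0000] "GET /change-log HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [01/Jan/2013:10:00:05 +0000] "GET {SAMPLE_PATH} HTTP/1.1" 400 226',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')

def decode_path(path, legacy=("cp1251",)):
    """Percent-decode a logged path. Try UTF-8 first, then legacy code pages.
    Returns (text, encoding_used)."""
    # These requests use '+' as a space, so treat it that way before decoding.
    raw = unquote_to_bytes(path.replace("+", " "))
    for enc in ("utf-8", *legacy):
        try:
            return raw.decode(enc), enc
        except UnicodeDecodeError:
            pass
    return raw.decode("latin-1"), "latin-1"  # latin-1 maps every byte, never fails

def flag_non_utf8_requests(lines):
    """Return (client_ip, encoding, readable_text) for each request whose path
    contains percent-encoded bytes that are not valid UTF-8."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        text, enc = decode_path(path)
        if enc != "utf-8":
            # Collapse the padding spaces so the report line stays readable.
            hits.append((ip, enc, " ".join(text.split())))
    return hits

if __name__ == "__main__":
    for ip, enc, text in flag_non_utf8_requests(SAMPLE_LOG):
        print(f"{ip} [{enc}] {text}")
```
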

  6. #6
    SitePoint Zealot 2ndmouse
    Thanks cheesedude

    I guess this type of request is not doing any harm. However, I have noticed an attempt to log in (this time from the USA) to my WordPress admin where the user name was entered as:

    "t|post[body]|post[message]|post_comment_root|post_comment_source|post_data[message]|post_message|postcomment|PostComment_ascx$tbComment|poster_"

    The login failed, but I'm a little worried by what they are trying to attempt here - any ideas anyone?

    Regards

  7. #7
    SitePoint Enthusiast
    The only thing you can do is to change (or remove) any user's name beginning with 'admin'.
    The funny point here is that I got the same thing on my site and that leads me to think of a bot doing "research" ;-)

  8. #8
    logic_earth
    Running a WordPress site you are going to be scanned and probed, nothing you can do about that. WordPress is filled with vulnerabilities, you need to keep it updated. This is why I don't use it for client sites, they always get too lazy and fail to update.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  9. #9
    SitePoint Enthusiast
    "t|post[body]|post[message]|post_comment_root|post_comment_source|post_data[message]|post_message|postcomment|PostComment_ascx$tbComment|poster_"
    You have nothing to worry about here.
    1. The user name is too long according to any standard.
    2. It contains characters parsed out by WordPress.
    3. The login failed...

    I am so grateful to you for suggesting this plugin.
    Now I have 'friends' all over the world, some of them........

