[wp-hackers] attack on wp-admin/install.php

Roger Chen developer at rogerhub.com
Wed Oct 9 06:53:45 UTC 2013


From the response code (302), it looks like your visitors were stuck in a
redirect loop, which is why there are so many requests to install.php
grouped together. WordPress redirects to wp-admin/install.php when it
thinks your database hasn't been set up. It will preserve the existing
request path when it performs this redirect, since it's completely possible
that somebody actually wanted to set up WordPress in a subdirectory like
'/2013/10/..../'. It looks like you just botched your database
configuration somehow.

Roger


On Tue, Oct 8, 2013 at 11:39 PM, Konrad Karpieszuk <kkarpieszuk at gmail.com> wrote:

> two things:
>
> 1. my website is not so popular that in one second 20 people try to connect
>
> 2. as you can see in the log, /wp-admin/install.php is added not always to the
> main domain but sometimes to single post urls (ie
>
> /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php
> ) This is not a url which somebody types in the address bar without reason
>
>
> --
> (en) regards / (pl) pozdrawiam
> Konrad Karpieszuk
> http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
> klientów z Polski
>
>
>
> On Tue, Oct 8, 2013 at 8:47 PM, Mika A Epstein <ipstenu at ipstenu.org>
> wrote:
>
> > I think causality is the other way around.
> >
> > People were hitting install.php so much because the wizard was showing.
> > Was your SQL server glitching?
> >
> >  Konrad Karpieszuk <mailto:kkarpieszuk at gmail.com>
> >> October 8, 2013 9:56 AM
> >>
> >> hello
> >>
> >> today a few people reported to me that instead of the main page of my
> >> wordpress site, they see the installation wizard. after a few minutes the
> >> main website was ok, but every subpage had error 404.
> >>
> >> i went to dashboard > settings > permalink and refreshed the structure of
> >> permalinks. after that the whole website was ok.
> >>
> >> but i see in the logs that somebody really tried to get into the install.php
> >> script, even a few times per second. this is the apache log from the
> >> beginning of the attack:
> >>
> >> http://wklej.org/id/1145478/
> >>
> >> question: how was it possible that regular visitors saw the installation
> >> script during this attack? and why were permalinks broken after the attack?
> >>
> >> at this domain i have two sites:
> >> dev.wpzlecenia.pl - everything is up to date
> >> wpzlecenia.pl - two plugins are in older versions
> >> - Google XML Sitemaps (i have 3.2.9) here is the changelog
> >> http://www.arnebrachhold.de/projects/wordpress-plugins/google-xml-sitemaps-generator/changelog/ ,
> >> it looks like this plugin has no security issue in this version
> >> - WordPress SEO by Yoast - (i have version 1.4.15) here is the changelog
> >> http://wordpress.org/plugins/wordpress-seo/changelog/ , it looks like
> >> everything is ok in this older version
> >>
> >>
> >>
> >> --
> >> (en) regards / (pl) pozdrawiam
> >> Konrad Karpieszuk
> >> http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
> >> klientów z Polski
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >
> > --
> > Mika A Epstein (aka Ipstenu)
> > http://ipstenu.org | http://halfelf.org
> >
>
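
Added example (not part of the thread, and not WordPress code): a Python triage of Apache access-log lines that separates the pattern described in this message, 302 responses where `/wp-admin/install.php` is appended to an existing content URL, from direct views or form submissions of the installer. The log lines are constructed, and the labels and the `classify`/`summarize` names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: host, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
INSTALLER = "/wp-admin/install.php"

# Constructed sample lines (not the poster's log); IPs are documentation ranges.
SAMPLE = """\
203.0.113.7 - - [08/Oct/2013:15:41:02 +0000] "GET /2013/10/some-post/ HTTP/1.1" 302 -
203.0.113.7 - - [08/Oct/2013:15:41:02 +0000] "GET /2013/10/some-post/wp-admin/install.php HTTP/1.1" 302 -
203.0.113.7 - - [08/Oct/2013:15:41:02 +0000] "GET /2013/10/some-post/wp-admin/install.php HTTP/1.1" 302 -
198.51.100.9 - - [08/Oct/2013:15:41:03 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1234
198.51.100.9 - - [08/Oct/2013:15:41:05 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 2048
not a log line
"""

def classify(line):
    """Return (ip, ts, label) for an installer request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    if not path.endswith(INSTALLER):
        return None
    prefix = path[: -len(INSTALLER)]
    if m["status"] == "302" and prefix:
        label = "redirect-chain"    # installer path appended to a content URL
    elif m["method"] == "POST":
        label = "installer-submit"  # the installer form was submitted
    else:
        label = "installer-view"
    return m["ip"], m["ts"], label

def summarize(log_text):
    """Count hits per label and the busiest (ip, second) burst per label."""
    labels, bursts = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, ts, label = hit
            labels[label] += 1
            bursts[label][(ip, ts)] += 1
    peak = {k: max(v.values()) for k, v in bursts.items()}
    return dict(labels), peak
```

Many `redirect-chain` hits from one client within the same second fit the redirect-loop reading; `installer-submit` entries are the ones to review first.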

