[wp-hackers] attack on wp-admin/install.php

Mika A Epstein ipstenu at ipstenu.org
Wed Oct 9 16:39:50 UTC 2013


It's not the next attack. It's your WP site not seeing it's installed. 
This means that the DB tables weren't accessible for some reason OR the 
wp-config.php was unreadable.

Konrad Karpieszuk wrote:
>
> hello Mika
>
> I don't know if I understand you. I sent you logs in the first email. Also I
> asked the server admin if something was wrong with the server at the time of
> this problem. He said that it was a day like every other; only on my server
> did they see a huge amount of I/O operations. They know that for 3 months
> somebody has been attacking my wp-login.php, and it looked like the next
> attack (but this time on install.php).
>
>
> --
> (en) regards / (pl) pozdrawiam
> Konrad Karpieszuk
> http://tradematik.pl a WordPress plugin for building shops for customers
> from Poland
>
>
>
> On Wed, Oct 9, 2013 at 3:29 PM, Mika Epstein<ipstenu at ipstenu.org> wrote:
>
>>
>> Block it in your .htaccess first, actually. That's way easier.
>>
>> Based on what info you gave us, we can't diagnose anything. Check your
>> SERVER logs. Did a file get edited or go missing? The problem is not that
>> the file was being hit by millions of people, the problem is why did WP not
>> know it was installed? Check your logs to see if anything happened to the
>> DB. Was it unreadable? Did you add/remove a plugin recently? Did you
>> upgrade?
>>
>> Your mentioned changes to login and admin shouldn't cause anything like
>> this, it's purely WP no longer thinking it was installed. So what have you
>> done to diagnose THAT? :)
>>
>>>
>>> On Oct 9, 2013, at 2:19 AM, Konrad Karpieszuk<kkarpieszuk at gmail.com> wrote:
>>>
>>> First of all I want to know *why*. :) I've got tens of WordPress sites and
>>> I will have more. I don't want to delete install.php every time (and after
>>> every WordPress upgrade). Also, maybe we have a totally new way to hack
>>> WordPress sites (as you can see it is somehow working, because the intruder
>>> broke my site).
>>>
>>>
>>> --
>>> (en) regards / (pl) pozdrawiam
>>> Konrad Karpieszuk
>>> http://tradematik.pl a WordPress plugin for building shops for customers
>>> from Poland
>>>
>>>
>>>
>>> On Wed, Oct 9, 2013 at 9:54 AM, Abdussamad Abdurrazzaq<
>>> abdussamad at abdussamad.com> wrote:
>>>
>>>>
>>>> If you are this worried you can always delete install.php.
>>>>
>>>>
>>>>>
>>>>> On 10/09/2013 12:35 PM, Konrad Karpieszuk wrote:
>>>>>
>>>>> OK, one more piece of info which I thought wasn't related to this problem,
>>>>> but maybe it is.
>>>>>
>>>>> Three months ago somebody started this famous DDoS attack on wp-login.php
>>>>> at those websites. Tens of times per second somebody tried to log into the
>>>>> dashboard using random passwords. At the beginning I resolved this in
>>>>> .htaccess by adding rules so that nobody except my IP address can access
>>>>> wp-login.php. But because I have a co-writer without a permanent IP
>>>>> address, this was not a good solution.
>>>>>
>>>>> So a few days ago I changed, in the files:
>>>>> wp-login.php
>>>>> wp-admin/index.php
>>>>>
>>>>> the first line from:
>>>>>
>>>>> <?php
>>>>>
>>>>> to
>>>>>
>>>>> <?php if ($_COOKIE["superauth"] != "yep") exit("dostep zabroniony"); //
>>>>>
>>>>> It checks if we have some 'secret' cookie, and if the cookie is absent it
>>>>> immediately executes die().
>>>>>
>>>>> It looks like a good solution: the WordPress core isn't started at all,
>>>>> the server is happy.
>>>>> Can it be somehow related to this attack on wp-admin/install.php? I don't
>>>>> believe that this kind of change has anything in common with the install
>>>>> script, but maybe I don't know the WordPress core very well. Or maybe this
>>>>> attacker, when they saw that wp-login.php and wp-admin/index.php are
>>>>> secured, started a new way to attack? (Or they started this a long time ago
>>>>> but .htaccess prevented it?) All IPs in the log are from outside Poland,
>>>>> but my regular visitors are almost only from Poland.
>>>>>
>>>>>
>>>>> --
>>>>> (en) regards / (pl) pozdrawiam
>>>>> Konrad Karpieszuk
>>>>> http://tradematik.pl a WordPress plugin for building shops for customers
>>>>> from Poland
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Oct 9, 2013 at 8:55 AM, Bryan Petty<bryan at ibaku.net> wrote:
>>>>>
>>>>>> On Wed, Oct 9, 2013 at 12:39 AM, Konrad Karpieszuk <kkarpieszuk at gmail.com> wrote:
>>>>>>
>>>>>>> two things:
>>>>>>>
>>>>>>> 1. My website is not so popular that in one second 20 people try to
>>>>>>> connect.
>>>>>>>
>>>>>>> 2. As you can see in the log, /wp-admin/install.php is not always
>>>>>>> appended to the main domain but sometimes to single post URLs (i.e.
>>>>>>> /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php ).
>>>>>>> This is not a URL which somebody types into the address bar without
>>>>>>> reason.
>>>>>>
>>>>>> It's actually fairly likely that, in the event that your DB has dropped
>>>>>> as Mika was suggesting, one of your plugins or server configuration was
>>>>>> causing a redirect loop back to install.php itself as well.
>>>>>>
>>>>>> Most hack attempts don't intentionally claim a user agent as
>>>>>> "Feedfetcher-Google" (which was also seeing that install.php redirect
>>>>>> loop).
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Bryan Petty
>>>>>> _______________________________________________
>>>>>> wp-hackers mailing list
>>>>>> wp-hackers at lists.automattic.com
>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>
>>
>


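A triage script for the question the thread keeps circling (is this an attack on install.php, or is WordPress redirecting every visitor there because it no longer sees its tables or wp-config.php?), as an added example that is not part of the original thread and not WordPress code. The log lines are constructed; the Apache "combined" log format and the "302 from the same client immediately before the install.php hit" heuristic are my assumptions; reading install.php nested under a post URL as a relative Location header resolved against the current page is likewise an assumption, not something the thread states.

```python
"""Triage hits on wp-admin/install.php from an Apache combined-format log.

The signal is the request made *before* each install.php hit by the same
client: a 302 from an ordinary page means the site bounced the client
there (WordPress thinks it is not installed); a cold first request
straight to install.php means the client chose that URL itself.
"""
import re
from collections import Counter

# Apache "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
INSTALL = "/wp-admin/install.php"

# Constructed sample lines, not the poster's real log. The install.php path
# nested under a post URL mirrors what the thread describes.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2013:08:00:01 +0000] "GET / HTTP/1.1" 302 - "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.5 - - [09/Oct/2013:08:00:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 - "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.5 - - [09/Oct/2013:08:00:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 - "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.7 - - [09/Oct/2013:08:00:05 +0000] "GET /2013/10/wdrozenie-zakupionego-szablonu-wordpress/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
198.51.100.7 - - [09/Oct/2013:08:00:05 +0000] "GET /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.0.2.9 - - [09/Oct/2013:08:00:09 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [09/Oct/2013:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 16 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse(text):
    """Return one dict per parseable line, in file order."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def ua_family(ua):
    """Crude product token: the text before the first space, ';' or '/'."""
    return re.split(r"[ ;/]", ua, maxsplit=1)[0]


def triage(entries):
    """Classify every install.php hit by how the client got there."""
    last_status = {}  # ip -> status code of that client's previous request
    bounced = cold = nested = looping = 0
    clients = set()
    families = Counter()
    for e in entries:
        ip = e["ip"]
        if e["path"].endswith(INSTALL):
            clients.add(ip)
            families[ua_family(e["ua"])] += 1
            # Sent here by a 302 from the site, or arrived cold?
            if last_status.get(ip) == "302":
                bounced += 1
            else:
                cold += 1
            # install.php under a post path: consistent with a *relative*
            # Location header resolved against the current URL (assumption).
            if e["path"] != INSTALL:
                nested += 1
            # install.php answering 302 itself is the redirect loop Bryan
            # describes.
            if e["status"] == "302":
                looping += 1
        last_status[ip] = e["status"]
    verdict = (
        "site is redirecting visitors to install.php; check DB access and "
        "wp-config.php before looking for an attacker"
        if bounced > cold
        else "clients are choosing install.php themselves; treat as scanning"
    )
    return {
        "install_hits": bounced + cold,
        "bounced": bounced,
        "cold": cold,
        "nested_paths": nested,
        "looping": looping,
        "distinct_clients": len(clients),
        "ua_families": dict(families),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample three of the four install.php hits were preceded by a 302 from the same client and all three of those are themselves 302s, so the verdict points at the site's own state rather than at an attacker; the one cold hit from 192.0.2.9, followed by a POST to wp-login.php, is the only request pattern that looks like a scanner. Run it against the real access log with `parse(open(path).read())`.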