[wp-hackers] attack on wp-admin/install.php

Mika A Epstein ipstenu at ipstenu.org
Wed Oct 9 17:35:47 UTC 2013

People tried to access the file because WordPress defaults to that file 
when it thinks it's not installed.

Does that make sense? WP couldn't tell it was installed, and thus 
assumed it was NOT and people who visited wanted to install. That's the 
only logical explanation for the URLs you gave us. Like ttrss pulling 
the install.php? That logically happens when it's actually trying to get 
a feed, but WP says "Oh hai! I'm not installed!"

This is 100% expected behavior :)

I'm very certain it's not a hack (nb I deal with hacked sites for WP at 
my company every single day, it's my job, I'm pretty familiar with how 
hacked WP behaves). Or rather, if it IS a hack, it's not that people are 
attacking install.php, it's that they somehow made your wp-config.php go 
away, or the DB tables.

Honestly though, what we need to know (and what you don't know) is what 
did the install.php page say when you hit it? Did it say "no DB" or 
"There's no config file..." If you go to /wp-admin/install.php now, 
you'll see 'Hai! Already installed!' And I think that was NOT what 
people saw. If it was? Then MAYBE you have a brute force attempt (which 
is not a hack BTW). But I think not.

I don't think your server admin is wrong, but I do think that you don't 
clearly understand how WP handles this sort of thing, so there's some 
confusion in explanations to the admin :/

> Konrad Karpieszuk <mailto:kkarpieszuk at gmail.com>
> October 9, 2013 9:58 AM
> ok, but why? Server admin told me (and I have to trust him) that everything
> was OK with the connection to the DB. Or even if it wasn't... why did somebody try to
> connect to the file /wp-admin/install.php (I still believe that this was not an
> accident)?
> What do I think?
> I think that somebody made a DDoS attack on purpose because somehow (maybe he
> tested this before) he knew that during a huge DDoS attack WordPress will
> 'lose its mind'. During a huge DDoS attack the server hardware stops working
> correctly and sometimes a PHP command like "if
> (!file_exists('wp-config.php'))" will not be able to check if the file really
> exists, will return true (there is no file wp-config.php) and PHP will
> delegate the chain of command to the installation file. And then the hacker will be
> able to reinstall my WordPress with his credentials.
> --
> (en) regards / (pl) pozdrawiam
> Konrad Karpieszuk
> http://tradematik.pl a WordPress plugin for building shops for customers from Poland
> Mika A Epstein <mailto:ipstenu at ipstenu.org>
> October 9, 2013 9:39 AM
> It's not the next attack. It's your WP site not seeing it's installed. 
> This means that the DB tables weren't accessible for some reason OR 
> the wp-config.php was unreadable.
> Konrad Karpieszuk wrote:
> Mika Epstein <mailto:ipstenu at ipstenu.org>
> October 9, 2013 6:29 AM
> Block it in your htacess first, actually. That's way easier.
> Based on what info you gave us, we can't diagnose anything. Check 
> your SERVER logs. Did a file get edited or go missing? The problem is 
> not that the file was being hit by millions of people, the problem is 
> why did WP not know it was installed? Check your logs to see if 
> anything happened to the DB. Was it unreadable? Did you add/remove a 
> plugin recently? Did you upgrade?
> Your mentioned changes to login and admin shouldn't cause anything 
> like this, it's purely WP no longer thinking it was installed. So what 
> have you done to diagnose THAT? :)
> Mika A Epstein <mailto:ipstenu at ipstenu.org>
> October 8, 2013 11:47 AM
> I think causality is the other way around.
> People were hitting install.php so much because the wizard was 
> showing. Was your SQL server glitching?

Mika A Epstein (aka Ipstenu)
http://ipstenu.org | http://halfelf.org
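The thread's diagnostic advice (find out *when* WordPress first started serving the installer, and whether ordinary requests such as a feed fetch were being bounced into it, rather than treating the install.php hits themselves as the attack) can be turned into a small access-log triage script. The following is an added example, not code from the thread or from WordPress. It assumes Apache/nginx "combined" log format, and the log lines embedded in it are constructed: a feed reader and a browser that get a 302 and land on install.php (WordPress redirecting them because it thinks it is not installed), plus one client that requests install.php directly with no preceding redirect.

```python
"""
Added example (not from the wp-hackers thread): triage hits to
/wp-admin/install.php by separating "WordPress redirected this client there"
from "the client asked for it directly", and by reporting when the installer
was first served so the DB/server logs can be checked around that moment.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumption: your server uses it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
INSTALLER = "/wp-admin/install.php"

# Constructed sample log: the site works at 09:10, then at 09:25 WordPress
# starts answering normal requests with a 302 into the installer.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2013:09:10:01 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "Tiny Tiny RSS/1.10"
10.0.0.9 - - [09/Oct/2013:09:10:30 +0000] "GET / HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Oct/2013:09:25:01 +0000] "GET /feed/ HTTP/1.1" 302 0 "-" "Tiny Tiny RSS/1.10"
10.0.0.5 - - [09/Oct/2013:09:25:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3412 "-" "Tiny Tiny RSS/1.10"
10.0.0.9 - - [09/Oct/2013:09:25:44 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Oct/2013:09:25:44 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3412 "http://example.invalid/" "Mozilla/5.0"
10.0.0.77 - - [09/Oct/2013:09:26:10 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3412 "-" "curl/7.29"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def installer_hits(entries):
    return [e for e in entries if e["path"].split("?")[0] == INSTALLER]


def first_installer_hit(entries):
    """When WordPress first served the installer: the moment to inspect DB/config logs."""
    return min((h["ts"] for h in installer_hits(entries)), default=None)


def classify_installer_hits(entries, window=timedelta(seconds=5)):
    """Split installer hits into 'redirected' (the same IP got a 3xx for another
    URL just before, i.e. WordPress itself sent the client to the installer)
    and 'direct' (no preceding redirect; worth a closer look as a probe)."""
    last_redirect = {}
    redirected, direct = [], []
    for e in sorted(entries, key=lambda x: x["ts"]):  # stable sort keeps log order
        path = e["path"].split("?")[0]
        if path == INSTALLER:
            prev = last_redirect.get(e["ip"])
            if prev is not None and e["ts"] - prev["ts"] <= window:
                redirected.append((e["ip"], prev["path"]))
            else:
                direct.append(e["ip"])
        elif 300 <= e["status"] < 400:
            last_redirect[e["ip"]] = e
    return redirected, direct


def hits_per_minute(entries):
    return Counter(h["ts"].strftime("%Y-%m-%d %H:%M") for h in installer_hits(entries))


def triage(text):
    entries = parse_log(text)
    redirected, direct = classify_installer_hits(entries)
    return {
        "first_installer_hit": first_installer_hit(entries),
        "installer_hits": len(installer_hits(entries)),
        "redirected_from": sorted(p for _, p in redirected),
        "direct_probes": direct,
        "per_minute": dict(hits_per_minute(entries)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Installer first served at:", report["first_installer_hit"])
    print("Clients redirected into it from:", report["redirected_from"])
    print("Direct requests with no preceding redirect:", report["direct_probes"])
    print("Installer hits per minute:", report["per_minute"])
```

The "redirected" bucket is the signature of the situation Mika describes: a feed reader or browser asked for something ordinary and WordPress answered with a redirect to the installer, so the hits are a symptom and the real question is what happened to wp-config.php or the database at the first-seen timestamp. Only the "direct" bucket is where a scanner or brute-force attempt would show up.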

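Mika's first suggestion in the quoted thread was to block install.php in .htaccess before anything else. An added example of that, not from the thread or from WordPress, using Apache 2.4 authorization syntax; the address 203.0.113.10 is a placeholder for the administrator's own IP, and the directive goes in the site-root .htaccess (or the vhost config) so it covers wp-admin/install.php:

```apache
# Added example, not from the thread: only the administrator's address may
# reach the installer. 203.0.113.10 is a placeholder; replace with your own IP.
<Files "install.php">
    Require ip 203.0.113.10
</Files>
```

This is defence in depth only: on a correctly installed site install.php already refuses to run, and as the thread stresses the underlying problem is whatever made WordPress stop seeing its wp-config.php or database tables, which the block does nothing to fix.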