Is this an inject attack? | ww.wp.xz.cn

Resolved justwander
(@justwander)

6 years, 10 months ago

Hello,

Today I found an attack through live traffic that I have not seen before. The main section looks like this (but there are several variations…)

"{${print(bunch of numbers here)}}"

Live traffic shows it came as a referral through Google once and then through the browser listing several times.

I did some searching and found that http://www.abuseipdb.com lists the IP address this comes from as having some 134 complaints since January.

Security.stackexchange.com says it appears to be trying to inject PHP code into log files.

How can I tell if they got in and what do I need to do in order to make sure they don’t come back?

ps
I looked at the HackerOne page tp report this but am too much of a noob to know what they are all talking about. Should this be posted there?

Viewing 2 replies - 1 through 2 (of 2 total)

WFGerroald
(@wfgerald)

6 years, 10 months ago

Hey @justwander,

I would permanently block the IP. I understand it’s alarming to see attacks like this, but it isn’t evidence of a compromise. There’s only so much we can do to prevent attacks; it’s more about making sure they aren’t successful, which it sounds like Wordfence is doing.

You can use the guide below to review the site for compromises.

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

Thanks,

Gerroald

Thread Starter justwander
(@justwander)

6 years, 10 months ago

@wfgerald,

I had the little varmint blocked before I posted. Just wanted to be sure there was not more that needed to be done.

Thank you for taking the time to respond. Much appreciated.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Is this an inject attack?’ is closed to new replies.

2 replies
2 participants
Last reply from: justwander
Last activity: 6 years, 10 months ago
Status: resolved