• Resolved ms100

    (@ms100)


    Hi everyone,

    In the cPanel raw access log I found this line:

    BadreputationIP - - [20/Jan/2025:16:44:24 +0100] "GET /wp-admin/maint/wp-login.php HTTP/1.1" 200 990 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36"

    I looked up the IP and found it to be a bad IP (I replaced it above with ‘BadreputationIP’).

    But my question is, how can it get a 200 response?
    When I search in cPanel Filemanager I cannot find a wp-login.php file in the /maint/ folder.
    Also not as a hidden file.

    The only file I found in the maint folder is repair.php.

    Please, please help me understand.

    Thanks in advance 🙏

Viewing 2 replies - 1 through 2 (of 2 total)
  • I looked up the IP and found it to be a bad IP (I replaced it above with ‘BadreputationIP’).

    This just happens to be an IP on someone’s curated list of what they consider “bad” IPs. There are dozens, if not hundreds of these databases out there… and an IP on one may not necessarily be in others.

    Whether or not to block IPs in any one of these databases of “bad” IPs is your personal choice.

    As to why the HTTP response of 200 was returned, it’s really impossible for someone here to say. Does your website/webserver return 200 for situations when it should return 404? Do you have a firewall or webserver config to return some dummy/blank page with 200 in certain situations? Do you have something else on your site doing this?

    It’s really impossible to tell from the outside.

    Thread Starter ms100

    (@ms100)

    Hi @gappiah thank you for the reply.

    Given the other requests from the same IP, I am quite sure it was a hacker.
    I was a bit scared he had gotten in, and later removed the /wp-login.php file, so that the hacker does not leave a trace behind.

    But I think it is more likely that indeed the web server (cPanel) or any other server setting served a 200 (probably just a blank page).

    Thanks again George.
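
Added example, not part of the original thread: one way to test the "server answers 200 for missing files" explanation from the raw access log itself. It assumes the combined log format shown in the question, a set of paths known to exist on disk (`EXISTING_PATHS`, hypothetical, built by the site owner), and constructed sample lines; identical body sizes across different nonexistent paths point to one generic page, while a unique size deserves a closer look.

```python
import re
from collections import defaultdict

# Apache/cPanel "combined" format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines (documentation IP ranges). Only repair.php and the
# /wp-admin/maint/wp-login.php request with "200 990" come from the thread.
SAMPLE_LOG = '''\
203.0.113.7 - - [20/Jan/2025:16:44:24 +0100] "GET /wp-admin/maint/wp-login.php HTTP/1.1" 200 990 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2025:16:44:25 +0100] "GET /wp-content/wp-login.php HTTP/1.1" 200 990 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2025:16:44:26 +0100] "GET /wp-includes/css/wp-login.php HTTP/1.1" 200 990 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2025:16:44:27 +0100] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2025:16:44:28 +0100] "GET /wp-content/uploads/cache.php?a=1 HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jan/2025:16:50:02 +0100] "GET /missing.html HTTP/1.1" 404 315 "-" "Mozilla/5.0"
'''

# Assumption: built by the site owner from a listing of the document root.
EXISTING_PATHS = {"/wp-login.php", "/wp-admin/maint/repair.php"}

def parse(log_text):
    """Return one dict per line matching the combined log format."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        size = m["size"]
        entries.append({"ip": m["ip"], "path": m["path"].split("?", 1)[0],
                        "status": int(m["status"]),
                        "size": 0 if size == "-" else int(size)})
    return entries

def triage_unknown_200s(entries, existing_paths):
    """Split 200 responses for paths not on disk into catch-all groups and singles."""
    by_size = defaultdict(set)
    for e in entries:
        if e["status"] == 200 and e["path"] not in existing_paths:
            by_size[e["size"]].add(e["path"])
    # Same size for several missing paths: likely one generic page (soft 404).
    catch_all = {s: sorted(p) for s, p in by_size.items() if len(p) > 1}
    # A size seen once cannot be explained that way: inspect file system and response.
    inspect = sorted(p for paths in by_size.values() if len(paths) == 1 for p in paths)
    return catch_all, inspect

if __name__ == "__main__":
    print(triage_unknown_200s(parse(SAMPLE_LOG), EXISTING_PATHS))
```

A generic page that echoes the requested path will vary in size, so an empty catch-all group does not rule out a soft 404; requesting a random nonexistent path yourself and comparing the response settles it.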


The topic ‘Question about raw acces log’ is closed to new replies.