• We seem to be having some problems with script-based attacks that are not being caught. We’ve attempted to add the directory names being attempted in the Options, under “Immediately block IP’s that access these URL’s”:

    /wp-admin, /wp-content, /admin/fckeditor/, /includes/fckeditor/, /fckeditor/

    But it doesn’t seem to have any effect. We don’t actually have this editor on our site, but it seems to be causing some problems. I’ve attached some of the log entries. Whether it’s these specific URLs or something else they are attempting in their scripts, connections are not closed properly and the server loads begin to increase. Restarting Apache brings them back down, but if their scripts continue running, the connections start to hang again. Ideally we’d like to block these connections as they are obviously not trying to browse our site or do anything kind. Is there any chance of getting this into the core? Or how can we ensure that anyone accessing these URLs is blocked automatically?

    https://ww.wp.xz.cn/plugins/wordfence/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter doapydave

    (@doapydave)

    We certainly wouldn’t be trying to block users based on them attempting to hit the non-existent URL if it wasn’t happening repeatedly. Each time that this happens, it could be 100 attempts from a single IP address. There have been numerous others as well, so there must be some hacker toolkit that has these scripts, and several people seem to be trying it out on us.

    Looks like my reply to you vanished into the WordPress ether. I found some interesting reading on the fckeditor. It looks like they are just trying directories to see what they find open. Something that may help is to grab a plugin to rename your wp-admin URL. We’re looking into adding this as a feature, but I can’t say when, or if, it will be there. If these are a script, at least it will block more than a few. Make sure to enable the firewall on the options page so the throttling, etc. work.

    tim

The topic ‘Trouble with script-based attacks not being caught.’ is closed to new replies.
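
The pattern described in the thread (one address making on the order of 100 requests to editor paths that do not exist) can be confirmed from the access log before deciding what to block. The following is an added example, not part of the original thread and not Wordfence's code; it assumes Apache combined log format, and the function name, threshold and sample log lines are constructed for illustration. Only 404 responses are counted, so ordinary visitors loading real files under `/wp-content` are not flagged.

```python
import re
from collections import Counter

# Path prefixes taken from the block list quoted in the thread.
PROBE_PREFIXES = ("/wp-admin", "/wp-content", "/admin/fckeditor/",
                  "/includes/fckeditor/", "/fckeditor/")

# Apache combined log format (assumption): client IP, request line, status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) ')

def repeat_probers(lines, threshold=20):
    """Return {ip: count} for clients with >= threshold 404s on probe paths."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        ip, path, status = m.groups()
        path = path.split("?", 1)[0].lower()  # ignore query string and case
        # Count only requests for paths that do not exist on this site.
        if status == "404" and path.startswith(PROBE_PREFIXES):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _line(ip, path, status):
    # Helper that builds one constructed log line (timestamp is arbitrary).
    return (f'{ip} - - [01/Jan/2000:00:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample data using documentation-range addresses.
SAMPLE_LOG = (
    # 30 probes for the editor directories from a single address
    [_line("203.0.113.7", p, 404)
     for p in ("/fckeditor/", "/admin/fckeditor/", "/includes/fckeditor/") * 10]
    # normal visitor fetching a real theme file: 200, never counted
    + [_line("198.51.100.23", "/wp-content/themes/site/style.css", 200)] * 40
    # a one-off 404 pair that stays below the default threshold
    + [_line("192.0.2.10", "/fckeditor/", 404)] * 2
)

if __name__ == "__main__":
    for ip, count in repeat_probers(SAMPLE_LOG).items():
        print(f"{ip}\t{count} probe requests")
```

The resulting addresses can then be reviewed and fed to whatever blocking mechanism the site uses, such as the plugin's block list or a server-level deny rule.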