Reader Robert came today with a very interesting situation. He noticed odd WordPress login patterns:

T 31.47.254.62:51020 -> X.X.X.X:80 [AP]
----------------------------------
T 62.210.207.146:43322 -> X.X.X.X:80 [AP]
----------------------------------
T 109.199.82.5:46902 -> X.X.X.X:80 [AP]
In the sample he sent to us, there are three specific source IP addresses: 109.199.82.5, 62.210.207.146 and 31.47.254.62. All three IP addresses have a good reputation (checked on TrustedSource, SenderBase and SANS Internet Storm Center). It looks like the client is trying to reach a script called tes1a0 and setting the WordPress test cookie, so WordPress can tell that the client accepts cookies and no error is raised. I checked for the string tes1a0 in the WordPress 4.1 installation download and it's not part of the code. It's also clear this is a fake Google bot. Please check the previous diary by Dr. Johannes Ullrich on how to check when Google is not Google. Have you seen this kind of WordPress attempt? If yes, let us know via the Contact form. I will update the diary with the information gathered.

Manuel Humberto Santander Peláez
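As an added illustration (not part of the diary or of any ISC tool), the following Python script shows the usual two-step verification for a client claiming to be Googlebot: reverse-resolve the source IP, require the PTR name to end in googlebot.com or google.com, then forward-resolve that name and require the original IP to be among the answers. It runs the check over a handful of constructed access-log lines (the three IPs above plus two documentation-range IPs; the paths, cookie-free log format, PTR names and DNS answers are all made up here so the example runs offline) and reports every "Googlebot" that fails verification.

```python
import re
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Regex for the Apache/nginx "combined" log format: ip, timestamp, method, path,
# status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A genuine crawler's PTR record ends in one of these domains, and the forward
# lookup of that name must return the original IP.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

Resolver = Callable[[str], Optional[str]]        # ip -> hostname (or None)
ForwardResolver = Callable[[str], List[str]]     # hostname -> list of IPs


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def system_rdns(ip: str) -> Optional[str]:
    """Reverse lookup via the OS resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_fdns(hostname: str) -> List[str]:
    """Forward lookup via the OS resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except (socket.herror, socket.gaierror):
        return []


def is_verified_googlebot(ip: str, rdns: Resolver = system_rdns,
                          fdns: ForwardResolver = system_fdns) -> bool:
    """PTR name must be in a Google domain AND resolve back to the same IP."""
    host = rdns(ip)
    if not host or not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return ip in fdns(host)


def find_fake_googlebots(lines: Iterable[str], rdns: Resolver = system_rdns,
                         fdns: ForwardResolver = system_fdns) -> List[Tuple[str, str]]:
    """Return (ip, path) for each request whose User-Agent claims Googlebot but fails verification."""
    fakes = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or "googlebot" not in rec["ua"].lower():
            continue
        if not is_verified_googlebot(rec["ip"], rdns, fdns):
            fakes.append((rec["ip"], rec["path"]))
    return fakes


# --- Constructed sample data for an offline run (not captured from the reader's host) ---
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0"


def _line(ip: str, path: str, ua: str) -> str:
    return f'{ip} - - [15/Jan/2015:10:01:02 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LOG = [
    _line("31.47.254.62", "/tes1a0", GOOGLEBOT_UA),        # IPs from the diary; given no PTR here
    _line("62.210.207.146", "/tes1a0", GOOGLEBOT_UA),
    _line("109.199.82.5", "/tes1a0", GOOGLEBOT_UA),
    _line("66.249.66.1", "/robots.txt", GOOGLEBOT_UA),     # assumed genuine crawler, PTR below
    _line("203.0.113.7", "/wp-login.php", GOOGLEBOT_UA),   # spoofed PTR that does not resolve back
    _line("198.51.100.9", "/wp-login.php", BROWSER_UA),    # ordinary browser, makes no Googlebot claim
]

# Fake DNS answers standing in for the real resolvers (constructed).
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
            "203.0.113.7": "crawl-1-2-3-4.googlebot.com"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
          "crawl-1-2-3-4.googlebot.com": ["192.0.2.55"]}


def offline_fakes() -> List[Tuple[str, str]]:
    """Run the detector over SAMPLE_LOG with the constructed DNS answers."""
    return find_fake_googlebots(SAMPLE_LOG, FAKE_PTR.get, lambda h: FAKE_A.get(h, []))


if __name__ == "__main__":
    for ip, path in offline_fakes():
        print(f"fake Googlebot: {ip} requested {path}")
```

Swap the two lookup callables for system_rdns and system_fdns to run it against real logs; the forward-confirmation step is what defeats an attacker who merely points a PTR record at a googlebot.com name, since they do not control the forward zone.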
Manuel Humberto Santander Peláez, ISC Handler, Jan 15th 2015