• I am seeing this across all of our WordPress websites recently:

    error_log:

    [05-Oct-2015 13:58:15 America/Chicago] PHP Warning:  require(ABSPATHwp-includes/load.php): failed to open stream: No such file or directory in /home/*account*/public_html/wp-settings.php on line 21
    [05-Oct-2015 13:58:15 America/Chicago] PHP Warning:  require(ABSPATHwp-includes/load.php): failed to open stream: No such file or directory in /home/*account*/public_html/wp-settings.php on line 21
    [05-Oct-2015 13:58:15 America/Chicago] PHP Fatal error:  require(): Failed opening required 'ABSPATHwp-includes/load.php' (include_path='.:/opt/php54/lib/php') in /home/*account*/public_html/wp-settings.php on line 21

    access_log:

    91.200.13.64 - - [05/Oct/2015:13:58:15 -0500] "POST /wp-settings.php HTTP/1.1" 200 233 "https://*domain*.com/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30"
    91.200.13.64 - - [05/Oct/2015:13:58:15 -0500] "POST /wp-load.php HTTP/1.1" 200 20 "https://*domain*.com/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30"
    91.200.13.64 - - [05/Oct/2015:13:58:15 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "https://*domain*.com/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30"

    So far it seems to be the same Ukrainian IP address every time.

    Can we fix up WordPress so this does not happen?

Viewing 2 replies - 1 through 2 (of 2 total)
  • I’ve been seeing a lot of these over the past week. Never before. I wonder if it’s some exploit that can only be used if a bad plugin is installed or something. So far on the 5 sites I manage I haven’t seen any sign of anything being exploited. I’ve been keeping an eye on file modification dates and database changes.

    From my understanding, nothing should ever post directly to wp-settings.php or wp-load.php, so I would think something in the .htaccess to block direct posting to those files should work.

    Thread Starter reidbusi (@reidbusi)

    I suspect this is what we are seeing:

    https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

    The timeline and Ukrainian origin seem to be common. I’m just gonna block xmlrpc.php in .htaccess on all our sites (except those using Jetpack).

  • The topic ‘ABSPATH constant not defined errors – exploit probes?’ is closed to new replies.
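
The log pattern discussed in this thread (POSTs to wp-settings.php and wp-load.php, which nothing should request directly, alongside POSTs to xmlrpc.php) can be checked for across sites with a short log scan. This is an added example, not code from the thread or from WordPress; the function name `find_probes`, the `xmlrpc_threshold` default and the sample log lines are constructed for illustration, and the access log is assumed to be in Apache combined format.

```python
import re
from collections import defaultdict

# Core bootstrap files that PHP includes internally; a direct POST is a probe.
NEVER_DIRECT = {"wp-settings.php", "wp-load.php"}
XMLRPC = "xmlrpc.php"

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_probes(lines, xmlrpc_threshold=3):
    """Return {ip: {"direct": [files], "xmlrpc": count}} for suspicious clients.

    A client is reported if it POSTs to a bootstrap file at all, or POSTs to
    xmlrpc.php at least xmlrpc_threshold times (assumed cut-off; tune per site).
    """
    seen = defaultdict(lambda: {"direct": [], "xmlrpc": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and any subdirectory the site is installed in.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name in NEVER_DIRECT:
            seen[m["ip"]]["direct"].append(name)
        elif name == XMLRPC:
            seen[m["ip"]]["xmlrpc"] += 1
    return {ip: hits for ip, hits in seen.items()
            if hits["direct"] or hits["xmlrpc"] >= xmlrpc_threshold}

# Constructed sample lines (documentation IP ranges, not taken from the thread).
SAMPLE = [
    '203.0.113.7 - - [05/Oct/2015:13:58:15 -0500] "POST /wp-settings.php HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Oct/2015:13:58:15 -0500] "POST /blog/wp-load.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Oct/2015:13:58:16 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Oct/2015:14:02:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 180 "-" "ExampleSyncClient"',
    '198.51.100.20 - - [05/Oct/2015:14:02:05 -0500] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in find_probes(SAMPLE).items():
        print(ip, "direct POSTs:", hits["direct"], "xmlrpc POSTs:", hits["xmlrpc"])
```

A single xmlrpc.php POST from a legitimate client stays below the threshold, which matters on sites that keep XML-RPC enabled for Jetpack.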