• Resolved Roy

    (@gangleri)


    Last Friday I got a notification from my host that “a PHP process” on my website took down their server and they sent me “a yellow card”. Checking the access log of that day I see that from [16/Dec/2011:11:00:19 +0100] within a few seconds a few dozen of my book reviews were accessed from the same IP. Then follows one comment post line, some more ‘get’s and ‘post’s. This stops at [16/Dec/2011:11:00:43 +0100]

    After this it goes over to the normal looking (to me) few lines per IP, but I noticed that at [16/Dec/2011:11:08:50 +0100] there is a call for a file of a theme that I do not use GET //wp-content/themes/antisocial/thumb.php?src=https://picasa etc.

    Is this something to worry about or did I just have the bad luck of a spam-scanner pumping through a few dozen (which doesn’t look all that much to me) posts to find comment fields when the server was already quite busy? (Or is it possible that other sites on the same server had the same access at the same time?)

Viewing 7 replies - 1 through 7 (of 7 total)
  • looks like an attempt to find timthumb.php which I assume you don’t have?
    or it’s updated?

    Thread Starter Roy

    (@gangleri)

    Ah, that hack of a few months ago? No, I have a stoneage theme without timthumb. But just wondering, about 100 gets in a few seconds, is that enough to take a server down?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    within a few seconds a few dozen of my book reviews were accessed from the same IP

    Actually it could VERY well be the timthumb morons scanning your box for timthumb. I saw that and had to turn on DDOS protection on my firewall.

    See https://tech.ipstenu.org/2011/timthumb-pseudo-ddos-effect/

    Ask your host if they can turn on some (D)dos protection.

    Thread Starter Roy

    (@gangleri)

    Thanks Samuel and Mika. I’ve blocked the IP, but that’s only a patch of course. I’ll talk to my host.

    Thread Starter Roy

    (@gangleri)

    Mika, my host says they have all the usual protection on their server but they can’t prevent all such scans (the number of open requests is limited to 100 at once and apparently my ‘box’ was scanned with just below 100 requests). They’ll look into it some more, I am going to look around a bit for a WP firewall or something and then I hope this was the first and last time that such a thing happened to me.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Yeah, that’s a fair comment :/ 100 is about as low as you want to go.

    Ugh. I hate that it’s ‘your’ fault for some jerk scanning the box.

    Thread Starter Roy

    (@gangleri)

    I’ve installed BBQ (Block Bad Queries). I hope it helps. That’s that, Bad Behavior, a couple of anti spam plugins and htaccess passwords for a couple of folders.

  • The topic ‘Hack attempt?’ is closed to new replies.
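
Added example, not part of the original thread: a small Python check over an Apache-style access log for the two patterns discussed above, a burst of requests from one IP inside a short window and a request for a thumb.php/timthumb.php script carrying a remote src= URL. The log lines, IP addresses, window, threshold and src value are constructed assumptions; only the theme path is taken from the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined prefix: ip ident user [time] "METHOD path proto"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# thumb.php / timthumb.php requested with a remote URL in src=
PROBE_RE = re.compile(r'/(?:tim)?thumb\.php\?.*\bsrc=https?:', re.I)

def parse(line):
    """Return (ip, datetime, method, path) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def analyse(lines, window=timedelta(seconds=30), threshold=20):
    """Lines must be in time order. Returns (bursts, probes): peak request
    count per IP that reached `threshold` within `window`, and (ip, path)
    pairs whose path matches PROBE_RE."""
    recent, bursts, probes = defaultdict(deque), {}, []
    for rec in filter(None, map(parse, lines)):
        ip, when, _method, path = rec
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts[ip] = max(bursts.get(ip, 0), len(q))
        if PROBE_RE.search(path):
            probes.append((ip, path))
    return bursts, probes

def sample_log():
    """Constructed lines shaped like the thread's timeline (not real data)."""
    fmt = '{} - - [16/Dec/2011:11:{}:{:02d} +0100] "{} {} HTTP/1.1" 200 512'
    lines = [fmt.format("192.0.2.10", "00", 19 + i, "GET", f"/book-review-{i}/")
             for i in range(24)]
    lines.append(fmt.format("192.0.2.10", "00", 43, "POST", "/wp-comments-post.php"))
    lines.append(fmt.format("198.51.100.7", "03", 5, "GET", "/"))
    lines.append(fmt.format("203.0.113.5", "08", 50, "GET",
        "//wp-content/themes/antisocial/thumb.php?src=https://example.invalid/a.png"))
    return lines

if __name__ == "__main__":
    bursts, probes = analyse(sample_log())
    print("burst IPs:", bursts)
    print("thumb.php probes:", probes)
```

On a real log, tune `window` and `threshold` to the site's normal traffic; a probe hit for a theme that is not installed only shows that the site was scanned.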