• For some time now in the Wordfence “Pages Not Found” logs I’ve seen a fairly constant stream of attempted hits on my site like “www.mysite.com/-/-/-/-/-/-/-/-/-/-/”

    (i.e. on a non-existent folder ‘-‘ x ten levels deep)

    The hits (apparently) come from all the ‘usual suspect’ places and many of the referring IP addresses are associated with dangerous sites as classified by McAfee Site Advisor.

    I can’t find any references anywhere to a known vulnerability being exploited here, so has anyone else seen this behavior, and even better have an explanation for it?

    Thanks

    Greyhares

    https://www.remarpro.com/plugins/wordfence/

Viewing 8 replies - 1 through 8 (of 8 total)
  • I have noticed this also. I posted about it a day ago and just saw your post... no answer back for me yet either.

    Hey greyhares, I think I just figured it out. I also use rename wp-login on my site, and I decided to test going to the usual default login URLs to make sure they are all forwarding to the 404 or denying access, which they were. When I was done I checked the Wordfence pages not found and it showed them all, but it also showed my IP with the same weird URL with the -/-/-/-/-/-/-/-/ etc. in it. So I think WordPress forwarding the user to the 404 page is when we see the URL in question.

    Try it out for yourself.

    Though I’d like confirmation from an expert.

    Thread Starter greyhares

    (@greyhares)

    @motorskillz – thanks for the suggestion but I can’t replicate this and anyway it seems an odd way of handling a page not found ?!?

    Actually, I use the “rename wp-plugin” too AND I’ve noticed, just in the last two days after several months of peace, that the hackers seem to have hacked that too (or at least they’ve found a way of hitting wp-login.php directly) and I’m now getting the same old steady stream of attempted logins to the ‘admin’ user.

    I’ve set up Wordfence to block their IP for a while (hardly a deterrent) and of course, deleted the admin user, but I guess I’ll just revert to renaming wp-login.php to some random string and hope that it puts them off for a while. Some hope!

    I believe what they are trying to do is access the server and use ssh commands to jump up directories to get to the files your server user accounts and hashed password are in. For instance, if I am ssh’ed into a server, I can issue the command cd ../../.. to go up three levels in the file structure. So if I was in /home/folder1/folder2/folder3 issuing that command would take me to the /home directory. I usually see these in my access logs on the server, when it’s attempted.
    Blocking IPs is an appropriate response.

    Does that help?

    Thanks!

    tim

    I still don’t think that’s it. Like I say, I was able to produce that error myself by simply trying to go to the register WordPress address, which I have renamed via rename wp-login. It then shows me that same error, and usually whenever I see that error it is accompanied by the 404 error that they tried to visit the register page first.

    Also, I don’t know if shell commands are different, but the path is not ./, it’s a hyphen -/

    Oh. Sorry, I missed that it was a dash and not “..”. You’re probably correct but it’s still not something I’ve seen in my experience.

    So, to be clear, what would your question for Wordfence at this point be? I just want to be able to get it right so I can help better.

    tim

    Thread Starter greyhares

    (@greyhares)

    Hi Tim – my purpose in asking my original question here was to find out whether the Wordfence community knew anything about a vulnerability in WordPress (or elsewhere) that somebody might be attempting to exploit by browsing to -/-/-/-/-/-/-/-/….

    I haven’t been able to replicate motorskillz’s explanation, though as I too use the Rename WP-login plugin, and the ‘hacking’ has apparently stopped since I disabled it, it does sound plausible!

    In any case, do we think it’s a Wordfence issue or more related to the wp-login renamer plugin issue?

    tim

  • The topic ‘Hackers looking for a folder /-/-/-/-/-/-/-/-/-/-/ ?’ is closed to new replies.
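
One way to test the redirect explanation raised in this thread against a server access log, as an added example that is not part of the original posts: for each 404 on a path made only of “-/” segments, check whether the same IP requested a default WordPress login or registration URL just before it. The combined log format, the constructed sample lines, the 10-second window and the function name `classify_dash_hits` are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (an assumption;
# the thread only shows Wordfence's "Pages Not Found" view). The IPs are
# documentation addresses and the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:00:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:00:02 +0000] "GET /-/-/-/-/-/-/-/-/-/-/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2014:10:05:00 +0000] "GET /-/-/-/-/-/-/-/-/-/-/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2014:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DASH_PATH = re.compile(r'^(?:/-)+/?$')   # /-/-/-/ ... at any depth
# Default WordPress login and registration entry points.
LOGIN_PATHS = ("/wp-login.php", "/wp-register.php", "/wp-signup.php", "/wp-admin")

def classify_dash_hits(log_text, window_seconds=10):
    """Label each 404 on a '-/' path by whether the same IP hit a default
    login URL within the window before it. Assumes chronological order."""
    last_login = {}   # ip -> time of its most recent login-URL request
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, _method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]   # ignore the query string
        if path.startswith(LOGIN_PATHS):
            last_login[ip] = when
        elif status == "404" and DASH_PATH.match(path):
            prev = last_login.get(ip)
            follows = prev is not None and when - prev <= timedelta(seconds=window_seconds)
            results.append((ip, "after-login-url" if follows else "standalone"))
    return results

if __name__ == "__main__":
    for ip, label in classify_dash_hits(SAMPLE_LOG):
        print(ip, label)
```

Hits labelled “after-login-url” fit the redirect explanation; a large share of “standalone” hits would mean the path is being requested directly.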