Question about unusual traffic in AWStats reports

  • Hi! I’m running WordPress 3.4.2 on a shared hosting server at Hostgator.com. WordPress runs great and I’ve taken measures to reduce, if not prevent, login attempts from unauthorized parties.

    I’ve noticed in the AWStats reports for the site a very high number of refering page to my site that appear to come from other WordPress installation.

    Here’s an example of what I’m seeing:

    https://somesite.com/wp-login.php
    https://someothersite.com/wp-login.php

    A refering page like these appear in the report and shows the number of times the link was “clicked” to access my site. Also, “wp-login.php” is the most viewed page on the site. ??

    My question is: do the above refering pages mean someone is trying to use ANOTHER WordPress installation to hack into my WordPress installation? My site is static HTML and the blog is WordPress. It just seems odd that a hacker would be able to use another WordPress login page to somehow hack into my blog.

    Any thoughts?

    Thanks in advance!

    Peace…

Viewing 7 replies - 1 through 7 (of 7 total)

  • It’s probably just a badly-configured bot trying to access your site’s admin. As long as you keep WordPress up to date and have a good, strong, password, you should be fine. Even if it eventually gets the url right.

    Thread Starter tomdkat

    (@tomdkat)

    Thanks. I do keep WordPress up to date, along with the plugins I have installed, and I have a very strong password in place. I was thinking maybe the refering page was being spoofed/forged by some bot to hide its tracks in the server logs but I wanted to make sure it wasn’t a case of them using a WordPress login.php script on some other site to try to hack into my blog.

    Thanks!

    Peace…

    I wanted to make sure it wasn’t a case of them using a WordPress login.php script on some other site to try to hack into my blog

    That would really be a question that is best handled by your hosts. Is the other url on the same server as your site? If it is, is it also using WordPress 3.4.2? Do the hosts sandbox sites to avoid cross-site hacks.

    Thread Starter tomdkat

    (@tomdkat)

    Great question! I’ll see what I can find out about the URLs I’m seeing in my log. If the referenced sites are on the same server as my site, I’ll contact Hostgator support.

    If they are not, what could that mean?

    Thanks!

    Peace…

    Then we’re just back to “badly configured hacker/bot” again. ??

    Thread Starter tomdkat

    (@tomdkat)

    Ok, I can deal with that. ??

    I looked at some of the URLs appearing in the AWStats report and they are all in the US but not on the same server as my site.

    Thanks!

    Peace…

    Thread Starter tomdkat

    (@tomdkat)

    Ok, just to make sure there isn’t any kind of obscure security issue at work here, I’m seeing entries like this in my raw Apache access log file:

    [IP.ADDR.IN.CHINA] – – [03/Dec/2012:20:59:58 -0600] “GET /blog/wp-login.php?action=register HTTP/1.1” 200 1161 “https://www.(adult-site).info/wp-login.php?action=register” “Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1”

    Is there any way to remotely login or register an account from one WordPress installation to another? Or would this be indicative of some kind of cross site scripting issue?

    Thanks!

    Happy New Year!

    Peace…

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Question about unusual traffic in AWStats reports’ is closed to new replies.