Atari-Frosch
Forum Replies Created
Forum: Plugins
In reply to: [ActivityPub] I think I tried everything, 403 on .well-known
OK, one thing was still wrong: I deleted the webfinger file and then found out that the permissions for .well-known were set to root:www-data rwxr-xr-x. Now they are www-data:www-data rwxr-sr-x. That did the trick. May I present: @[email protected]
Forum: Plugins
In reply to: [ActivityPub] I think I tried everything, 403 on .well-known
I tried Patricia’s solution, but it still does not work for me.
Installed is ClassicPress 2.2 with nginx 1.22.1 and PHP 8.2 on Devuan GNU/Linux. I inserted the given nginx location block for the site, wrote the json code in the file ./well-known/webfinger, let nginx reload and published a new blog article. The given account still cannot be found from my Mastodon account, and the access.log gives a 404 on the file. Same after I changed the ownership for that file to www-data:www-data.
Did I get that wrong and webfinger should not be a file but a folder? And if so, what should the name of the file be? I really feel, as we say in German, as if I’m standing on the network cable.
Well … now the old values have been deleted, but the new ones are not better. In my main blog which gets attacked all the time I see only two of the several user names WordFence tells me about, and both are counted only once:
{login} 1
blog 1
It seems the problem is not yet really solved.
Greets, Frosch
Same here. And not only in the report sent by mail, but also in the Dashboard. I just came here to report this, too. Applies to 4 blogs I’m administrating.
I just found the same issue on one of my WordPress blogs (3.8.1), using WordFence 4.0.3. The WordFence messages look like this (x’ing by me, it is not necessary to publish the host’s IP and name):
A user with IP address 89.xxx.xxx.xxx has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ” to try to sign in.
User IP: 89.xxx.xxx.xxx
User hostname: xxxx.xxxxx-xxxxxxxx.com
Yes, right, the username field is empty!
The corresponding log entries in the access.log look like this:
89.xxx.xxx.xxx – – [29/Mar/2014:00:20:48 +0100] “POST /xmlrpc.php HTTP/1.1” 200 1466 “-” “Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0”
(Nothing in the error_log!)
So this was not exactly a login attempt as WordFence tells me, but an attempt to replace the xmlrpc.php file. It seems that WordFence is not prepared for an attack like this. It sends out the e-mail about a blocking, but does not actually block the attempts (this host made about 2,000 attempts within 30 minutes, then the attacks stopped).
@esmi: No, it is in fact the same problem. Just with the difference that my password has not been guessed right, so that the attackers weren’t able to enter the dashboard and to change any files. From that I came to the weak passwords, because if it were a vulnerability in WP, my site would have been hacked by now, too.
They tried it on my blog, too:
109.120.159.169 – – [12/Nov/2012:01:28:10 +0100] “POST /wp-login.php HTTP/1.0” 200 3753 “https://blog.atari-frosch.de/wp-login.php” “Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.6) Gecko/20050405 Epiphany/1.6.1 (Ubuntu) (Ubuntu package 1.0.2)”
109.120.159.169 – – [12/Nov/2012:08:35:20 +0100] “POST /wp-login.php HTTP/1.0” 200 3753 “https://blog.atari-frosch.de/wp-login.php” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.452) Gecko/20041027 Mnenhy/0.6.0.104”
109.120.142.20 – – [12/Nov/2012:13:14:33 +0100] “POST /wp-login.php HTTP/1.0” 200 3753 “https://blog.atari-frosch.de/wp-login.php” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MathPlayer2.0)”
109.120.159.91 – – [12/Nov/2012:13:14:34 +0100] “POST /wp-login.php HTTP/1.0” 200 3753 “https://blog.atari-frosch.de/wp-login.php” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.2.153.1 Safari/525.19”
WordPress (3.4.2) files have not been changed as far as I can see. Is it possible that they entered the website with the admin account and a weak password?
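
Added example, not part of the original posts: the log excerpts above show repeated POSTs to /wp-login.php and /xmlrpc.php from neighbouring addresses with a different user agent on each request, so this sketch counts such POSTs per source network within a sliding window instead of per single IP. The function name, the thresholds and the /24 grouping are assumptions, and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample lines (combined log format, documentation-range addresses).
SAMPLE_LOG = '''\
198.51.100.10 - - [12/Nov/2012:13:14:33 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "UA-A"
198.51.100.77 - - [12/Nov/2012:13:14:34 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "UA-B"
198.51.100.10 - - [12/Nov/2012:13:20:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 1466 "-" "UA-C"
203.0.113.5 - - [12/Nov/2012:13:15:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "UA-D"
203.0.113.5 - - [12/Nov/2012:13:15:02 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "UA-D"
192.0.2.9 - - [12/Nov/2012:01:28:10 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "UA-E"
192.0.2.9 - - [12/Nov/2012:08:35:20 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "UA-E"
192.0.2.9 - - [12/Nov/2012:13:14:40 +0100] "POST /wp-login.php HTTP/1.0" 200 3753 "-" "UA-E"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
AUTH_PATHS = {"/wp-login.php", "/xmlrpc.php"}

def find_bursts(lines, threshold=3, window=timedelta(minutes=30), prefix=24):
    """Map network -> (max POSTs to auth endpoints in any window, distinct user agents)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] not in AUTH_PATHS:
            continue
        try:
            net = str(ip_network(f'{m["ip"]}/{prefix}', strict=False))
        except ValueError:  # logged a hostname instead of an address
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[net].append((ts, m["ua"]))
    flagged = {}
    for net, events in hits.items():
        events.sort(key=lambda e: e[0])
        best = start = 0
        for end in range(len(events)):  # slide the window over the sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[net] = (best, len({ua for _, ua in events}))
    return flagged
```

A high distinct-user-agent count next to a high hit count for one network is the pattern visible in the wp-login.php excerpt; the /24 default only suits IPv4 logs.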