• Resolved justwander

    (@justwander)


    Hello,

    Right now I seem to be picking up hack attempts from around the world. But it definitely is not the work of a crowd of different people.

    1)
    All attempts have the same browser description:

    Browser: undefined
    Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36

    2)
    Attempts today are zeroed in on one filename:

    media-admin.php

    3)
    But they are aimed at different folders:

    /wp-includes/SimplePie/media-admin.php
    /wp-admin/css/colors/ocean/media-admin.php
    /wp-content/uploads/2019/media-admin.php
    /wp-includes/js/tinymce/plugins/wpautoresize/media-admin.php

    I have a couple of questions:

    1)
    What is up with media-admin.php? Is there some weakness associated with it?

    2)
    Will I break something if I add media-admin.php to the firewall block list?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @justwander,

    media-admin.php is the name of a backdoor called ZeroByte.ID PHP Backdoor V 1.4.

    If your website is infected with this backdoor, attackers can use it to control your site remotely.

    Nothing should break if you add media-admin.php to the firewall block list, and this will prevent attackers from trying different methods of exploiting your site.

    For example, once the bot tries the URL /media-admin.php – they get blocked, so they can’t try a different URL.

    Dave

    Thread Starter justwander

    (@justwander)

    @wfdave,

    The problem I am seeing is that it looks like the attacker is moving to a different computer. The same attack is coming from all over. So they don’t need to repeat from the same location.

    This is a pattern that seems to have become popular lately.

    I will add media-admin.php to the firewall list. The name makes it appear that they are trying to get in through a real WordPress file.

    Hi again,

    Note that attackers commonly use multiple computers from different parts of the world to target sites. This makes it difficult to block these attacks; however, adding that file, media-admin.php, is a good start.

    Dave
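As an added illustration (not code from this thread or from Wordfence), here is a short Python script that pulls the pattern described in the question and in Dave's replies out of web server access logs and models the block rule: it matches media-admin.php under any directory, groups hits by source IP and user agent, and shows that an IP-based block only stops repeat requests from the same address, which is why a filename rule matters when the probes arrive from many addresses. The log lines are constructed, and the IPs are documentation ranges.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not real traffic) that mirror the
# thread: one user-agent string, several source IPs, one filename under many paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:12:00:01 +0000] "GET /wp-includes/SimplePie/media-admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36"
203.0.113.7 - - [10/Oct/2019:12:00:02 +0000] "GET /wp-admin/css/colors/ocean/media-admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36"
198.51.100.23 - - [10/Oct/2019:12:03:10 +0000] "GET /wp-content/uploads/2019/media-admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36"
192.0.2.55 - - [10/Oct/2019:12:05:44 +0000] "GET /wp-includes/js/tinymce/plugins/wpautoresize/media-admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36"
192.0.2.55 - - [10/Oct/2019:12:05:45 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.1 (Windows NT 6.0; WOW64) AppleWebKit/533.36 (KHTML, like Gecko) Chrome/46.0.2754.75 Safari/533.36"
203.0.113.200 - - [10/Oct/2019:12:06:00 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Fields we care about from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def basename(path):
    """Last path segment with any query string removed."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]

def find_probes(log_text, filename="media-admin.php"):
    """Requests for the probed filename, whatever directory it is tried under."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and basename(r["path"]) == filename]

def summarize(hits):
    """Distinct source IPs and paths plus a user-agent frequency count."""
    return {"ips": sorted({h["ip"] for h in hits}),
            "paths": sorted({h["path"] for h in hits}),
            "user_agents": Counter(h["ua"] for h in hits)}

def simulate_block(log_text, filename="media-admin.php"):
    """Model the firewall rule from the thread: an IP is blocked on its first probe and
    every later request from it is dropped. Returns (blocked_ips, dropped_count)."""
    blocked, dropped = set(), 0
    for rec in filter(None, (parse_line(line) for line in log_text.splitlines())):
        if rec["ip"] in blocked:
            dropped += 1
        elif basename(rec["path"]) == filename:
            blocked.add(rec["ip"])
    return blocked, dropped
```

On the sample, every probing address shares one user agent and each fresh address still gets its first probe through before it is blocked, so the shared user-agent string and the filename are the signals worth a rule of their own.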

    Thread Starter justwander

    (@justwander)

    @wfdave,

    Thanks for the help.

  • The topic ‘Attacks from around the world’ is closed to new replies.