• Resolved justwander

    (@justwander)


    Hello,

    As nice as you all are here I wish I was asking about something more pleasant.

    Over the past week I have had over 100 attempts against my website coming through login (my password is about 30 characters long), and xmlrpc.php (which is blocked because I don’t use it).

    Well, now sql is the thing:

    :80//backup/site.sql
    :80//1/dump.sql
    :80//1/1.sql
    :80//1/b.sql
    :80//1/123.sql
    :80//1/sql.sql
    :80//1/back.sql
    :80//1/web.sql
    :80//123/1.sql
    :80//123/123.sql
    :80//123/web.sql
    :80//123/site.sql
    :80//arx/1.sql
    :80//arx/sql.sql
    :80//arx/www.sql
    :80//arx/web.sql
    :80//arx/site.sql
    :80//arch/dump.sql
    :80//arch/1.sql
    :80//arch/b.sql
    :80//arch/sql.sql
    :80//arch/back.sql
    :80//arch/www.sql
    :80//arch/web.sql
    :80//db/dump.sql
    :80//db/1.sql
    :80//db/123.sql
    :80//db/sql.sql
    :80//db/back.sql
    :80//db/www.sql
    :80//db/web.sql

    While many are blocked because they are coming from IPs that have an active block because of past activity, many are from new locations. And even though the locations are widely scattered I think this is one person. Right?

    What are they after and what is :80 ?

    Since so many attempts are coming in I’m afraid one of these days they will hit whatever they are looking for.

    Help…

    • This topic was modified 5 years, 2 months ago by justwander.
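
Every path listed in the post above ends in `.sql`, so one thing a site owner can check is whether any such request was ever answered with a file. The following is an added example, not part of the original thread or of Wordfence: it scans web server access-log lines for `.sql` requests and separates refused ones from served ones. The log lines are constructed, and the "combined" log format and the `.gz`/`.zip`/`.bz2` variants are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:04:11:02 +0000] "GET //backup/site.sql HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:04:11:03 +0000] "GET //db/dump.sql HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:04:12:40 +0000] "GET /wp2019.sql HTTP/1.1" 200 48211034 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:04:12:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2019:04:13:05 +0000] "GET /arch/www.sql?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2019:04:13:09 +0000] "GET /about/sql-tips/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# client IP, request target and status code from one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Path ends in .sql; the compressed variants are an assumption beyond the thread.
DUMP_RE = re.compile(r'\.sql(\.(gz|zip|bz2))?$', re.IGNORECASE)


def find_dump_probes(log_text):
    """Return (ip, path, status) for every request whose path names a .sql file."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("target").split("?", 1)[0]  # ignore any query string
        if DUMP_RE.search(path):
            probes.append((m.group("ip"), path, int(m.group("status"))))
    return probes


def summarize(probes):
    """Count probes per client and single out those answered with a 2xx status."""
    served = [p for p in probes if 200 <= p[2] < 300]
    per_ip = Counter(ip for ip, _, _ in probes)
    return {"total": len(probes), "served": served, "per_ip": dict(per_ip)}


if __name__ == "__main__":
    report = summarize(find_dump_probes(SAMPLE_LOG))
    print(f"{report['total']} .sql requests from {len(report['per_ip'])} clients")
    for ip, path, status in report["served"]:
        print(f"SERVED: {path} returned {status} to {ip}; remove it from the web root")
```

A 403 or 404 means the request found nothing; a 2xx on a `.sql` path means a file with that name sits in a web-readable directory and should be moved out of it.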
Viewing 4 replies - 1 through 4 (of 4 total)
  • Hey @justwander,

    The :80 is a port that MySQL uses. The attack is trying to gain access to your database. This is likely a bot versus an actual user. Usually, after X amount of time after not being successful, they’ll move on. If you’re using a strong password (which you mentioned you are) and Two-Factor I don’t believe there’s anything to worry about. There’s only so much we can do to prevent an attack, it’s more about making sure they aren’t successful, which it looks like Wordfence is helping with.

    Thanks,

    Gerroald

    Thread Starter justwander

    (@justwander)

    @wfgerald,

    Thanks for the help.

    Today the attacks are coming like this:

    wp2019.sql
    wpmssql.sql

    Am I understanding this right to say that these attacks are trying to get into backups stored with program files and the :80 attacks are trying to get in through the database?

    If so, how does a strong password help a :80 attack?

    I’m not trying to be obtuse. Just trying to learn as much as I can so that in the future I can recognize low level stuff and only bother you when things get really really hairy.

    Hey @justwander,

    You’re correct about the password.

    These are likely SQL Injection attempts. The Wordfence Firewall has rules to help prevent this. After that, one of the best things you can do is to use reputable and updated plugins and themes. Vulnerabilities are still possible, but using well-known and up-to-date software gives less opportunity for this to happen. And as I said, Wordfence has WAF rules in place for this that all users have, both Free and Premium.

    Thanks,

    Gerroald

    Hey @justwander,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

  • The topic ‘New attack vector’ is closed to new replies.