• Just started noticing URLs in the Live Activity log having the form: thedomain.com/-/-/-/-/-/-/-/-/-/-/

    Haven’t seen this before the last couple of days – some sort of new attack vector being attempted?

    Here’s a sample from the log:

    Romania Orastie, Romania tried to access non-existent page https://nnnnn.com/-/-/-/-/-/-/-/-/-/-/
    2016-12-13 11:38:16 AM (4 hours 12 mins ago)   IP: 84.117.189.183 [unblock]   Hostname: 84.117.189.183
    Browser: Firefox version 0.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1

    (Note: I obscured the domain name)…

Viewing 4 replies - 1 through 4 (of 4 total)
  • I’ve had those myself, can’t quite recall what was going on but I think it was something to do with an attacker trying to iterate a URL that allowed them root access. I’ll bet the Wordfence folks know what this is exactly, looking forward to learning. Is the IP on blacklists? That’s always a clue. MTN

    Thread Starter bluebearmedia

    (@bluebearmedia)

    It’s coming back as mostly clean in blacklists, but it is flagged at SORBS… it was the odd URL string that caught my attention.

    Just block the referrer: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1 under advanced blocking. I have the same referrer trying to hack my site all the time…

    Hi @bluebearmedia
    Following up on your other thread here, this odd URL could be a modified version of the “wp-login.php” URL that is caused by the “WPS Hide Login” plugin, which alters the REQUEST_URI. You can block users who hit this URL /-/-/-/-/-/-/-/-/-/-/ in Wordfence by adding it to “Immediately block IP’s that access these URLs”.

    Thanks.
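
An added example, not part of the original thread and not Wordfence code: a short Python script that finds requests for dash-only paths like the one discussed above in a web server access log and groups them by client IP, so you can see how many addresses and user agents are involved before adding a block rule. It assumes Combined Log Format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip, identity, user, [timestamp], "request", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Path made up only of "-" segments, e.g. /-/-/-/ (two or more, to avoid
# flagging a lone "/-/"; trailing slash optional).
DASH_PATH_RE = re.compile(r'^(?:/-){2,}/?$')

def is_dash_path(target):
    """True when the request path (query string ignored) is only '/-' segments."""
    return bool(DASH_PATH_RE.match(target.split('?', 1)[0]))

def summarize(lines):
    """Group dash-path requests by client IP: hit count, statuses, user agents."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_dash_path(m["target"]):
            continue  # unparseable line or an ordinary request
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["statuses"].add(int(m["status"]))
        entry["agents"].add(m["ua"])
    return dict(hits)

# Constructed sample lines (documentation IP ranges); not taken from the thread.
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
SAMPLE = [
    f'192.0.2.10 - - [13/Dec/2016:11:38:16 +0000] "GET /-/-/-/-/-/-/-/-/-/-/ HTTP/1.1" 404 512 "-" "{UA}"',
    f'192.0.2.10 - - [13/Dec/2016:11:38:20 +0000] "GET /-/-/-/?x=1 HTTP/1.1" 404 512 "-" "{UA}"',
    '198.51.100.7 - - [13/Dec/2016:11:40:02 +0000] "GET /blog/my-post/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2016:11:40:05 +0000] "GET /-/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info["count"], sorted(info["statuses"]), sorted(info["agents"]))
```
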

  • The topic ‘Odd new log entry – new hack attempt?’ is closed to new replies.