• Resolved purplewyvern

    (@purplewyvern)


    I’ve had a few visits by a web user on one of my blogs that was a bit strange and suspicious.

    These are the access logs that I saw:

    85.92.222.254 - - [11/May/2010:07:44:26 +0100] "GET /wp-admin HTTP/1.1" 301 568 "-" "Mozilla/4.0"
    85.92.222.254 - - [11/May/2010:07:44:34 +0100] "GET / HTTP/1.1" 200 80831 "-" "Mozilla/4.0"
    85.92.222.254 - - [13/May/2010:07:50:43 +0100] "GET /wp-admin/load-scripts.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"
    85.92.222.254 - - [13/May/2010:07:50:43 +0100] "GET /wp-admin/load-styles.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"
    85.92.222.254 - - [17/May/2010:07:52:52 +0100] "GET /wp-admin HTTP/1.1" 403 497 "-" "Mozilla/4.0"
    85.92.222.254 - - [17/May/2010:07:53:00 +0100] "GET /wp-admin/load-styles.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"
    85.92.222.254 - - [17/May/2010:07:53:00 +0100] "GET / HTTP/1.1" 403 5233 "-" "Mozilla/4.0"
    85.92.222.254 - - [17/May/2010:07:53:00 +0100] "GET /wp-admin/load-scripts.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"

    It looks like a robot of some kind – I can’t imagine a valid user accessing those pages. Does anyone know what they might be trying to achieve? Or what they might have already achieved?

    I’ve now blocked the IP using the .htaccess and my host turns FTP off by default.

    Many Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    It might be a bot. It would be a good idea to create a robots.txt file in your blog directory with the following content:

    User-agent: *
    Disallow: /wp-admin/
    Disallow: /wp-includes/
    Disallow: /wp-login.php

    This will prevent all law-abiding robots from visiting anything within the /wp-admin/ and /wp-includes/ directories, and the wp-login.php file.

    Thread Starter purplewyvern

    (@purplewyvern)

    Thanks,

    this bot seems to be ignoring my current robots.txt, as that is currently set as:

    User-agent: *
    Disallow: /

    It’s obviously not a smart bot as it’s still trying to grab pages although it now only gets 403’s in return.

    Moderator James Huff

    (@macmanx)

    Unfortunately, not all bots obey robots.txt files. If you are concerned, you could block its IP by adding the following to your .htaccess file:

    order allow,deny
    deny from 85.92.222.254
    allow from all

    Thread Starter purplewyvern

    (@purplewyvern)

    Yup, done that on the 12th May, like I said they have only been getting 403’s recently :).

    I don’t actually believe this is a badly behaved robot, I more suspect it is a robot looking for vulnerabilities.

    So I guess the question is: are there any known vulnerabilities relating to the load-styles.php and load-scripts.php pages?

    Moderator James Huff

    (@macmanx)

    No, there are no vulnerabilities that I’m aware of with those files, but you should upgrade to version 2.9.2 anyway.

  • The topic ‘Weird/Suspicious behaviour by blog user’ is closed to new replies.
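
Added example (not part of the thread, and not WordPress code): a small Python triage script that groups combined-format access log lines by client IP and reports clients that repeatedly request admin paths with no Referer header, which is the pattern in the first post. The watch list of path prefixes, the `min_hits` threshold and the function name are assumptions made for this example; the last sample line is constructed for contrast.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, matching the lines quoted in the thread.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
ADMIN_PREFIXES = ("/wp-admin", "/wp-includes", "/wp-login.php")  # assumed watch list

SAMPLE_LOG = [
    # The eight lines below are copied from the first post.
    '85.92.222.254 - - [11/May/2010:07:44:26 +0100] "GET /wp-admin HTTP/1.1" 301 568 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [11/May/2010:07:44:34 +0100] "GET / HTTP/1.1" 200 80831 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [13/May/2010:07:50:43 +0100] "GET /wp-admin/load-scripts.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [13/May/2010:07:50:43 +0100] "GET /wp-admin/load-styles.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [17/May/2010:07:52:52 +0100] "GET /wp-admin HTTP/1.1" 403 497 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [17/May/2010:07:53:00 +0100] "GET /wp-admin/load-styles.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [17/May/2010:07:53:00 +0100] "GET / HTTP/1.1" 403 5233 "-" "Mozilla/4.0"',
    '85.92.222.254 - - [17/May/2010:07:53:00 +0100] "GET /wp-admin/load-scripts.php HTTP/1.1" 403 497 "-" "Mozilla/4.0"',
    # Constructed line: an ordinary visitor, for contrast.
    '203.0.113.7 - - [17/May/2010:08:01:02 +0100] "GET /about/ HTTP/1.1" 200 5120 "http://blog.example/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def summarize_admin_probes(lines, min_hits=3):
    """Return {ip: summary} for clients with at least min_hits requests to
    admin paths that carried no Referer header."""
    clients = defaultdict(lambda: {"admin_hits": 0, "statuses": Counter(),
                                   "paths": set(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a combined-format line
        rec = clients[m["ip"]]
        rec["statuses"][int(m["status"])] += 1   # all requests from this client
        rec["agents"].add(m["agent"])
        if m["path"].startswith(ADMIN_PREFIXES) and m["referer"] in ("", "-"):
            rec["admin_hits"] += 1               # direct hit on an admin path
            rec["paths"].add(m["path"])
    return {ip: rec for ip, rec in clients.items() if rec["admin_hits"] >= min_hits}

if __name__ == "__main__":
    for ip, rec in summarize_admin_probes(SAMPLE_LOG).items():
        print(ip, rec["admin_hits"], dict(rec["statuses"]),
              sorted(rec["paths"]), sorted(rec["agents"]))
```

The status counts per client also show whether a block such as the .htaccess rule from the thread is taking effect: after it is in place, the flagged client's requests should all come back as 403.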