• I’m seeing this a lot in 403/security logs. Persons keep trying from various networks, same various networks for the past month. Denied while searching/attempting to access non-existent files:
    [siteurl]/register/%7B%7B=+data.profileurl+/
    /{{=
    /wp-config.php.@
    /wp-config.php.at
    /wp-config.php.se
    /wp-config.php.br
    /wp-config.php2020

    etc. etc.

    They never seem to give up. Yet there’s nothing personal, confidential nor financial hosted. So it’s clear their goal is to take over a site for their own content, which from cyber security experience, is typically for unlawful purposes and content. Majority of these attempts are from networks used for Tor Exits, such as 185(dot)220(dot)101(dot)144.

    So does anyone know what these folks are up to?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Bad bots are scanning the Internet all the time to find website vulnerabilities. You can block by IP addresses with many 404s (fail2ban or security plugin).

    Thread Starter tamramc

    (@tamramc)

    Thanks @lcf. I’ve been blocking IP addresses since 2004. These persons are getting more and more persistent. I’ve gone as far as blocking entire hacker haven countries, countries that none of us do any business with, but are locations of persons persistently running scripts.

    I’ve blocked wp-login.php file — restricted access to fingerprint only.
    I’ve blocked wp-admin — restricted access to specific IPs only.
    I’ve set correct file permissions — to allow just the plugins use from lawful front end interface.

    Nothing seems to deter these persons from trying to hijack my elderly uncle’s historic US Navy website, which is just a text only site.

    And these persons are doing this all while being watched and reported to the FBI immediately, because each of their attempts is recorded and submitted to law enforcement. At some point, they’re going to be caught.

    The concern is what exactly they are trying to do with these scripts, and whether WordPress or other site owners are aware, because the past week is the first time I’ve seen these particular scripts.

    1. [siteurl]/register/%7B%7B=+data.profileurl+/

    2. /{{=

    Luckily, they’re being denied at the gate, but for sites that do not have all of the blocking options we’ve set up, it’s scary to think what the results could be. ??
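The first reply suggests blocking IP addresses that produce many 404s. As an added example (not from the thread or from any plugin), this Python sketch counts denied requests per client that match the two path shapes quoted in the thread. The combined log format, the threshold of 3, the category names and the sample lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /register/%7B%7B=+data.profileurl+/ HTTP/1.1" 403 199
192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET /wp-config.php.at HTTP/1.1" 403 199
192.0.2.10 - - [01/Jan/2021:10:00:03 +0000] "GET /wp-config.php2020 HTTP/1.1" 404 162
192.0.2.10 - - [01/Jan/2021:10:00:04 +0000] "GET /%7B%7B= HTTP/1.1" 403 199
198.51.100.7 - - [01/Jan/2021:10:05:00 +0000] "GET /wp-config.php.se HTTP/1.1" 404 162
198.51.100.7 - - [01/Jan/2021:10:05:09 +0000] "GET /history/ HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2021:10:06:00 +0000] "GET /missing.jpg HTTP/1.1" 404 162
"""

# client IP, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Hypothetical category names for the two path shapes listed in the thread.
PROBES = {
    # wp-config.php followed by any suffix (.at, .se, 2020, ...), not the file itself
    "wp-config-variant": re.compile(r"/wp-config\.php.+$", re.I),
    # the literal "{{=" sequence, checked after URL-decoding (%7B%7B= -> {{=)
    "brace-placeholder": re.compile(r"\{\{="),
}

def classify(path):
    """Return the probe categories a request path falls into."""
    decoded = unquote(path.split("?", 1)[0])  # drop query string, then decode
    return [name for name, rx in PROBES.items() if rx.search(decoded)]

def offenders(log_text, threshold=3):
    """Map client IP -> count of denied (403/404) probe requests, if >= threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path, status = m.groups()
        if status in ("403", "404") and classify(path):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} denied probe requests")
```

A single ordinary 404 (the `/missing.jpg` line) is not counted, so a visitor following a dead link is not treated like a scanner.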

  • The topic ‘What is this? Is it a new hacking script?’ is closed to new replies.