
Lousy Wordpress Hacking Attempts detected

Spotted in nginx error logs


My Dutch bread baking blog, redzuurdesem.be, was migrated from Wordpress to Hugo years ago. During the transition, I came up with a bunch of shoddy scripts that did the job adequately: copying over /wp-content/ to the /static/ directory in order to preserve relative image locations.

Wordpress-enabled sites are very easy to spot: just look for wp- anything in the source, or try out the location /wp-admin if you fancy a brute-force attack. Naturally, some pages of my site still comply with this rule, because of the archived image folder. Some Russian malicious IP, 45.146.165.157, that has been reported numerous times before at abuseipdb.com, tried the following today:

2021/03/29 09:57:47 [error] 162453#162453: *179870 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179871 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /solr/admin/info/system?wt=json HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179872 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /console/ HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179873 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /Autodiscover/Autodiscover.xml HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179874 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179875 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179876 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179877 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179878 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179879 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /api/jsonws/invoke HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179880 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /_ignition/execute-solution HTTP/1.1", host: "146.59.146.120:80"

I mean, really? <?php>die(@md5(HelloThinkCMF))</php>? Are servers so badly managed that any GET parameter is dynamically evaluated on the server?

Other GET attempts included trying to reach:

  • /phpMyAdmin/scripts/setup.php
  • index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
  • /?XDEBUG_SESSION_START=phpstorm

Be sure to follow the “hardening my instance” installation instructions for your PHP engine (such as Wordpress’s documentation) - it seems that you’ll need them.

Furthermore, you might notice a repeating pattern in the above log: when setting up the new server (the previous one went up in flames a couple of weeks ago), I forgot to add the classic 404 page - which results in an error entry in the nginx log. To be honest, I never check those logs. I happened to be looking for something else and got curious.

Now, what to do? Well, nothing. Smile. It’s all static. Still, it’s very sad to see these pathetic attempts, and it makes me angry because years ago, a Wordpress site of mine was effectively hacked because I did not upgrade the instance in due time. If those guys are any good at coding, their skills could have been used for good instead of bullying people.

If something like mutual trust existed in this world, servers wouldn’t need the annoyingly increasing amount of config maintenance in order to keep the bad guys out. If something like mutual trust existed, the whole crypto world would be gone - good riddance, crypto currencies. Have you read Robert Winter’s explanation of Blockchain’s environmental impact yet? How about a quick visit to extinction.fyi? What a depressive domain name…

In any case, time to test out the Fail2ban jail config… I guess I need to keep an eye out for malicious behavior in the future, ‘cause I do have some dynamic stuff running on there. Wait, no, let Fail2ban monitor your nginx error/access logs automatically and decide what to do with it!
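The kind of decision a log-watching jail makes (a pattern over nginx error-log lines plus a retry threshold inside a time window), as a standalone Python example added here; it is not the author's Fail2ban config and not Fail2ban code. The probe list is taken from the requests in the log above; the names max_retry and find_time, the thresholds, and the sample lines (RFC 5737 documentation addresses) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx error-log format as shown above: timestamp, client IP, quoted request line.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?'
    r'client: (?P<ip>[0-9A-Fa-f.:]+), .*?request: "[A-Z]+ (?P<path>\S+)')
# Paths probed in the log above. Note /wp-content/plugins/, not /wp-content/:
# the archived image folder under /wp-content/ is legitimate traffic on this site.
PROBE_RE = re.compile(
    r'/vendor/phpunit/.*eval-stdin\.php|/wp-content/plugins/|/phpMyAdmin/scripts/setup\.php'
    r'|/solr/admin/|/Autodiscover/Autodiscover\.xml|/api/jsonws/invoke'
    r'|/_ignition/execute-solution|invokefunction|XDEBUG_SESSION_START|HelloThinkCMF',
    re.IGNORECASE)

def ban_candidates(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs with at least max_retry probe requests inside one find_time window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m["path"]):
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"))
    banned = set()
    for ip, times in hits.items():
        times.sort()
        # Sliding window: the i-th hit and the hit max_retry-1 later must be close enough.
        for i in range(len(times) - max_retry + 1):
            if times[i + max_retry - 1] - times[i] <= find_time:
                banned.add(ip)
                break
    return sorted(banned)

def _line(ts, ip, req):
    # Constructed sample line in the same format as the log above.
    return (f'{ts} [error] 1#1: *1 open() "/var/www/html/404.html" failed (2: No such '
            f'file or directory), client: {ip}, server: _, request: "{req} HTTP/1.1", '
            f'host: "example.test"')

SAMPLE_LOG = [  # constructed: a burst scanner, a visitor hitting missing images, a slow scanner
    _line("2021/03/29 09:57:47", "203.0.113.7", "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"),
    _line("2021/03/29 09:57:47", "203.0.113.7", "GET /?XDEBUG_SESSION_START=phpstorm"),
    _line("2021/03/29 09:57:48", "203.0.113.7", "GET /_ignition/execute-solution"),
    _line("2021/03/29 09:58:00", "198.51.100.20", "GET /wp-content/uploads/2015/bread.jpg"),
    _line("2021/03/29 09:58:01", "198.51.100.20", "GET /wp-content/uploads/2015/crumb.jpg"),
    _line("2021/03/29 09:58:02", "198.51.100.20", "GET /wp-content/uploads/2015/crust.jpg"),
    _line("2021/03/29 08:00:00", "192.0.2.9", "GET /phpMyAdmin/scripts/setup.php"),
    _line("2021/03/29 09:00:00", "192.0.2.9", "POST /api/jsonws/invoke"),
    _line("2021/03/29 10:00:00", "192.0.2.9", "GET /solr/admin/info/system?wt=json"),
]

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

The slow scanner at 192.0.2.9 stays under a ten-minute window, which is the trade-off to weigh when picking the window length.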

Hope you Russians are reading this and saying вызов принят (challenge accepted)!

I'm Wouter Groeneveld, a level 35 Brain Baker, and I love the smell of freshly baked thoughts (and bread) in the morning. I sometimes convince others to bake their brain (and bread) too.
