Fishing for Administrator Pages - A break in Attempt?

Posted by Hans de Ruiter

Scanning through the web-server's log this morning, one entry caught my eye:

87.118.124.3 - - [05/Aug/2008:10:36:11 -0400] "HEAD /technorati-vs-blogged-vs-zimbio-one-week-in/wp-admin/ HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)"

This appears to be another hacking attempt; the weakest one yet. "Wp-admin" is commonly a WordPress administration page, used to edit a blog. Thus, it appears that someone just tried to access the administration pages for this blog. 

Examining this HTTP server log entry, one can note that the server did return a page (the "200" indicates a successfulpage request). However, the page was the blog entry itself, not an administration page. If the person in question had bothered to even look at this website properly, he/she (assuming that it is not a bot disguised as an old version of Mozilla) would have realized that this website uses Silverstripe. 

If this blog did use WordPress, what effect would this have had? After all, the attacker would still need a password, right? Well, not exactly. This page by Reuben Yau discusses how one should protect the "Wp-admin" folder. There is a vulnerability in older versions of WordPress that a hacker could use to break in. The entry in this website's server log is probably just a probe to see if this site uses WordPress; the next step would have been to search for known vulnerabilities.

For me, this is another entry to the Website Hacking Attempts page. WordPress users,please check your installations! Security tips are available here and here.

Comments (0) | 5 August 2008