
How have bot(s) guessed my WordPress login page?

Çağlar Arlı

I have a WordPress site (fully patched) that used to receive many attempts to log in based on dictionary attacks. I changed my admin user to something uncommon and use a really strong password.

Apart from that, I changed my login page using the Rename wp-login.php plugin. I changed my login URL to something like http://foo.com/blog/?pencil. For years the bots failed to guess my login page (still having many 404s).

For the second time in a month. The first time I had a failed attempt and changed the URL to http://foo.com/blog/?paper and didn't think much about it. The second time happened today. Exact events:

19th April

  • Successful login from my employer's office (via proxy) to http://foo.com/blog/?pencil at 18:00 from my company laptop.
  • 2 failed attempts from 70.32.73.128 (report about the IP), an IP from California, at 02:54am GMT (the server seems to be reported as hacked), using the admin username (which btw doesn't exist in my WordPress)
  • I changed the password and the URL to http://foo.com/blog/?paper
  • I enabled capturing of incoming passwords in the log.

Now

  • Yesterday (11:10 am) I accessed the blog to correct an entry from my employer's network (same proxy).
  • Today at 11:55, 1 failed attempt from 213.248.63.27 (Virus Total report about the IP), a Russian IP with suspicious sites like vrn.sauna.ru (probably NSFW URL). It used oscarfoley as the username with no password (my username is not oscarfoley or similar)

I feel pretty secure as the bot has to guess the login page, the admin user and the pass. However, by reading this site I am a little bit paranoid. So my main question is:

How has the bot "guessed" the paper or pencil login page?

  • Could my employer's proxy/network be compromised? (Like a hacker having access to proxy logs...)
  • Could it be a broad dictionary attack (something like a bot scanning all WordPress servers on the internet to see if the login page is pencil)? Or an exploit in WordPress?
  • Is there anything more I should do to protect myself?
  • Could it be a personal attack using public information on the internet? Or a bot that uses public information for broad attacks?
  • Why the empty password?
  • How can I be sure I am not hacked? (Forget about this, as it is pretty well answered in this question)
  • Could my laptop or my PC at home have been hacked and the URL taken from it? My guess is no, because otherwise they would have my password...

EDIT: To be more clear, the attacker hit the login URL directly with NO failed attempts on other similar URLs. Check here the last 404 errors: 404 screenshot
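
The check described in the EDIT above (did a client probe other login URLs before reaching the secret one, or go straight to it?) can be run over the access log. This is an added example, not part of the original question; it assumes combined-format access logs and the post's example URL `/blog/?paper`, and the log lines, IP addresses and the function name `classify_login_hits` are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Apache/nginx "combined" log format; the secret login URL is the
# post's example /blog/?paper. All log lines below are constructed samples.
LOGIN_PATH, SECRET = "/blog/", "paper"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A "guess" is a probe for a login page other than the secret one.
GUESS = re.compile(r'(wp-login\.php|/wp-admin|^' + re.escape(LOGIN_PATH) + r'\?\w+$)')

SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2015:09:01:10 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 512 "-" "bot"
198.51.100.7 - - [20/Apr/2015:09:01:11 +0000] "GET /blog/?login HTTP/1.1" 200 9000 "-" "bot"
198.51.100.7 - - [20/Apr/2015:09:01:12 +0000] "POST /blog/?paper HTTP/1.1" 200 3100 "-" "bot"
203.0.113.9 - - [20/Apr/2015:11:55:02 +0000] "POST /blog/?paper HTTP/1.1" 200 3100 "-" "bot"
192.0.2.44 - - [20/Apr/2015:12:00:00 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 512 "-" "bot"
"""

def classify_login_hits(log_text, known_good=()):
    """Return {ip: 'enumerated' | 'direct'} for every IP that reached the secret URL."""
    guesses = defaultdict(int)   # login-page probes seen so far, per IP
    verdict = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, _ts, _method, url, _status = m.groups()
        if url == f"{LOGIN_PATH}?{SECRET}":
            # Only the first hit per IP decides the verdict; skip the owner's own IPs.
            if ip not in known_good and ip not in verdict:
                verdict[ip] = "enumerated" if guesses[ip] else "direct"
        elif GUESS.search(url):
            guesses[ip] += 1
    return verdict

if __name__ == "__main__":
    for ip, kind in classify_login_hits(SAMPLE_LOG).items():
        print(ip, kind)
```

A "direct" verdict only means that this IP made no earlier probes; guessing spread across many source addresses would look the same, so the per-IP result should be read alongside the overall volume of probes for that path.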