The Linux Page

Hacker looking to crack a WordPress Website?

As I was checking some logs, I found the laundry list of a robot checking out one of my websites: 54 hits. As we can see, it checks many paths, some of which it checked 2 or 3 times (the first number in my list is a count).

3 /apple-app-site-association
1 /cache/iph.php
1 /dbss.php
1 /ecss.php
1 /function-sync.php
1 /inlos.php
1 /sph.php
1 /tip.php
3 /.well-known/apple-app-site-association
3 /.well-known/assetlinks.json
1 /wp-content/plugins/another-wordpress-classifieds-plugin/AWPCP.po
1 /wp-content/plugins/auto-attachments/a-a.css
1 /wp-content/plugins/category-grid-view-gallery/cat_grid.php
1 /wp-content/plugins/cimy-user-extra-fields/README_OFFICIAL.txt
1 /wp-content/plugins/custom-content-type-manager/index.html
1 /wp-content/plugins/fcchat/default.png
1 /wp-content/plugins/font-uploader/font-uploader-free.php
2 /wp-content/plugins/front-end-upload/destination.php
1 /wp-content/plugins/gallery-plugin/gallery-plugin.php
1 /wp-content/plugins/hello.php
1 /wp-content/plugins/mac-dock-gallery/bugslist.txt
1 /wp-content/plugins/magic-fields/MF_Constant.php
1 /wp-content/plugins/nextgen-gallery/changelog.txt
1 /wp-content/plugins/ninja-forms/ninja_forms.php
1 /wp-content/plugins/nmedia-user-file-uploader/readme.txt
1 /wp-content/plugins/resume-submissions-job-postings/installer.php
1 /wp-content/plugins/simple-dropbox-upload-form/
1 /wp-content/plugins/user-avatar/readme.txt
1 /wp-content/plugins/user-meta/readme.txt
1 /wp-content/plugins/user-photo/admin.css
1 /wp-content/plugins/wp-e-commerce/license.txt
1 /wp-content/plugins/wp-editor/readme.txt
1 /wp-content/plugins/wp-filemanager/fm.php
1 /wp-content/plugins/wp-homepage-slideshow/functions.php
1 /wp-content/plugins/wp-image-news-slider/functions.php
1 /wp-content/plugins/wp-login-att-log/db.php
2 /wp-content/plugins/wpmarketplace/readme.txt
1 /wp-content/plugins/wp-property/action_hooks.php
1 /wp-content/plugins/wpstorecart/lgpl.txt
1 /wp-content/plugins/zingiri-web-shop/admin.css
1 /wp-content/themes/maxbusiness/db.php
1 /wp-content/themes/sketch/404.php
1 /wp-help.php
1 /wp-post.php
1 /xml.php

The files are all well defined to check whether certain things exist. Here all the attempts that resulted in a 404 Page Not Found.

I have some plugins installed and those gave a 200 OK response instead.

I can't speak for all of the files checked and resulting in a 404, but I can see that the 200 included a check for the Contact Form Version 7: - - [08/Feb/2018:21:11:20 +0000] "GET /wp-content/plugins/contact-form-7/license.txt HTTP/1.1" 200 10571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.65 Safari/535.11"

There is another one that gives us a 301 instead: - - [08/Feb/2018:21:11:29 +0000] "GET /wp-content/plugins/simple-dropbox-upload-form/index.php HTTP/1.1" 301 344 "-" "Mozilla/5.0 (X11; CrOS i686 1660.57.0) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.46 Safari/535.19"

And strangely enough, the next hit is the URL in the Location of that 301. So that robot did follow the 301 instructions. There is no such form, so it gets a 404 after that.

The next one is an attempt is checking whether I have the ckeditor installed. This one results in a 403 (I don't have ckeditor installed.) - - [08/Feb/2018:21:11:33 +0000] "GET /wp-content/plugins/ckeditor-for-wordpress/ckeditor.config.js HTTP/1.1" 403 488 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.66 Safari/535.11"

Again, my point of view is that this robot was just checking me out. Once it knows of a hack on one of those plugins it will happily come back and take over my WordPress website if I had not upgraded it quickly enough (or no upgrade is available because the hack is not even known by the plugin author or anyone else than hackers, if that matter.)

So is the Internet. One way in an attempt to protect yourself is to count the number of 404 and if a process generates too many in a row, block their IP address.

Looking for some of these files, I found a PHP.txt file that includes many of the files found in that probe and which should probably be forbidden on your websites:

That website is actually for hackers. It has many tools and files such as this PHP.txt dictionary that one can use to search for hackable websites. You can browse the entire set of files by going up in the path (i.e. delete "PHP.txt" from the URL) and clicking on the other files/folders.

As a side note, the .well-known/* files are expected to be checked and return a 404 if not defined. That's the normal behavior. Also the apple-app-site-association is a similar file checked by robots and if you don't support that sort of application association, it is normal that you get a 404 for that one too. Actually, GoogleBot accesses those three files as well. All the other files, though, as far as I know, are being probed for hacks and not because a robot wants to know what is installed on what website, just for fun.