
Dealing with unauthorized access attempts against WordPress


2018/3/1

New user registration on site " ****** ":

Username: aji*****co

Email address: era****ye@asas.domailnew.com


Log in to the server and check the Apache access log.

91.200.12.7 - - [01/Mar/2018:02:24:44 +0000] "GET /wp-login.php?action=rp HTTP/1.0" 200 4724 "http://**********/wp-login.php?action=rp" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 YaBrowser/17.10.0.2017 Yowser/2.5 Safari/537.36"
91.200.12.7 - - [01/Mar/2018:02:24:45 +0000] "POST /wp-login.php?action=resetpass HTTP/1.0" 200 1721 "http://**********/wp-login.php?action=rp" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 YaBrowser/17.10.0.2017 Yowser/2.5 Safari/537.36"
91.200.12.7 - - [01/Mar/2018:02:59:59 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://**********/bbp-register/" "Mozilla/5.0 (Windows NT 7.0; WOW64; rv:33.1) Gecko/20100101 Firefox/33.1"
91.200.12.7 - - [01/Mar/2018:03:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4049 "http://**********/bbp-register/?checkemail=registered" "Mozilla/5.0 (Windows NT 7.0; WOW64; rv:33.1) Gecko/20100101 Firefox/33.1"
91.200.12.7 - - [01/Mar/2018:03:16:01 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://**********/bbp-register/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
91.200.12.7 - - [01/Mar/2018:03:16:03 +0000] "POST /wp-login.php HTTP/1.0" 200 4045 "http://**********/bbp-register/?checkemail=registered" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"

What hostname does this address have?


nanbuwks@LATITUDE:~$ dig -x 91.200.12.7

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 91.200.12.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4262
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;7.12.200.91.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
7.12.200.91.in-addr.arpa. 3600  IN  PTR dsystemip5.vhoster.org.

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 01 11:34:12 JST 2018
;; MSG SIZE  rcvd: 89

So, opening this address in a browser shows a page that is bright red all over.


When I have time, I would like to look into what kind of attack code comes down from it.

For now, I am taking the easy route: filtering the address in question and watching how things go.
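To keep watching after one address is filtered, the pattern in the access log above (one client POSTing repeatedly to `/wp-login.php` from the `/bbp-register/` page while changing its User-Agent) can be checked for automatically. The following Python script is an added example, not part of the original post; the function names, the thresholds and the sample log lines (documentation IP addresses and `example.com`) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def summarize_wp_login(lines):
    """Per client IP: POST count, distinct User-Agents, registration-form POSTs."""
    stats = defaultdict(lambda: {"posts": 0, "agents": set(), "register_posts": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["target"].split("?", 1)[0] != "/wp-login.php":
            continue  # not combined format, or not the login endpoint
        entry = stats[m["ip"]]
        entry["agents"].add(m["agent"])
        if m["method"] == "POST":
            entry["posts"] += 1
            # bbPress registration page as referer, as in the log excerpt above
            if "/bbp-register/" in m["referer"]:
                entry["register_posts"] += 1
    return dict(stats)

def suspicious_ips(lines, min_posts=3, min_agents=2):
    """IPs that POST repeatedly to wp-login.php while changing User-Agent.
    Both thresholds are assumptions; tune them against your own traffic."""
    return sorted(ip for ip, s in summarize_wp_login(lines).items()
                  if s["posts"] >= min_posts and len(s["agents"]) >= min_agents)

# Constructed sample lines (documentation IPs, example.com), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2018:02:24:44 +0000] "GET /wp-login.php?action=rp HTTP/1.0" 200 4724 "http://example.com/wp-login.php?action=rp" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [01/Mar/2018:02:24:45 +0000] "POST /wp-login.php?action=resetpass HTTP/1.0" 200 1721 "http://example.com/wp-login.php?action=rp" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [01/Mar/2018:02:59:59 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://example.com/bbp-register/" "ExampleBrowser/2.0"',
    '192.0.2.10 - - [01/Mar/2018:03:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4049 "http://example.com/bbp-register/?checkemail=registered" "ExampleBrowser/2.0"',
    '192.0.2.10 - - [01/Mar/2018:03:16:01 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://example.com/bbp-register/" "ExampleBrowser/3.0"',
    '198.51.100.20 - - [01/Mar/2018:04:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4724 "-" "ExampleBrowser/9.0"',
    '198.51.100.20 - - [01/Mar/2018:04:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 384 "http://example.com/wp-login.php" "ExampleBrowser/9.0"',
    '198.51.100.20 - - [01/Mar/2018:04:00:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "ExampleBrowser/9.0"',
]

if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE):
        print(ip, summarize_wp_login(SAMPLE)[ip])
```

To run it against a real log, pass the open access log file object to `suspicious_ips` in place of `SAMPLE`.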
