Re: [bitfolk] Being hacked

Author: Rodrigo Campos
To: Ian
CC: users
Subject: Re: [bitfolk] Being hacked
On Wed, Oct 21, 2015 at 04:15:24PM +0100, Ian wrote:
> Earlier this month, a Greek IP address failed to login to five WordPress
> sites on two of my servers - not on BitFolk. One attempt each on four sites,
> and seven on another spread over several days.
>
> On Tuesday last week, it was blocked for 24 hours by both of them after five
> failed attempts to login via ssh.
>
> On Wednesday, it succeeded on one of them. Given the strength of the
> password, the fact that it's not used (by me) anywhere else, and the chance
> of doing this by random, I would quite like to know *how*.


Is the compromised ssh password the same as some WordPress user's? If that is the
case, it might have been done using this attack:
https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/

I've disabled the XML-RPC API completely using a plugin. WordPress has not
released any version fixing this.

> On the plus side, this was the server that was first in my queue to replace
> with one running Debian Jessie, and it has been ten years since anything
> like this has happened to me,* but grrr...


What was the server running? You may want to take the Logjam attack into account
(https://weakdh.org/sysadmin.html). I can't say it was that, but it *might* be a
possibility.
Thanks,

Rodrigo
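The Cloudflare post Rodrigo links describes why the usual "five failed logins and you're blocked" rule misses this attack: a single POST to xmlrpc.php can carry a system.multicall bundling hundreds of password guesses, so the web server log shows one request rather than hundreds of failed logins. The script below is an added illustration, not code from the thread or from WordPress, that reads Apache combined-format access log lines and flags source IPs that either post repeatedly to xmlrpc.php or receive an unusually large response from it (a multicall of failed authentications returns one fault per guess, so the response grows with the number of attempts). The log lines, IP addresses, thresholds and user agents are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" format. The addresses, timestamps
# and user agents are made up for this example; none come from the original thread.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2015:13:02:11 +0100] "POST /xmlrpc.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2015:13:02:12 +0100] "POST /xmlrpc.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2015:13:02:14 +0100] "POST /xmlrpc.php HTTP/1.1" 200 4099 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2015:13:05:00 +0100] "GET /index.php HTTP/1.1" 200 10233 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2015:13:05:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/4.3; https://example.org"
192.0.2.55 - - [21/Oct/2015:13:07:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def xmlrpc_summary(log_text):
    """Per source IP: (number of POSTs to xmlrpc.php, largest response size seen)."""
    counts = Counter()
    max_size = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            counts[rec["ip"]] += 1
            max_size[rec["ip"]] = max(max_size[rec["ip"]], rec["size"])
    return {ip: (counts[ip], max_size[ip]) for ip in counts}


def suspicious_ips(log_text, min_posts=3, min_response_bytes=2000):
    """IPs worth a closer look: many xmlrpc.php POSTs, or one whose response is
    large enough to be a multicall full of authentication faults.
    Both thresholds are example values, not tuned recommendations."""
    summary = xmlrpc_summary(log_text)
    return sorted(
        ip for ip, (posts, biggest) in summary.items()
        if posts >= min_posts or biggest >= min_response_bytes
    )


if __name__ == "__main__":
    for ip, (posts, biggest) in xmlrpc_summary(SAMPLE_LOG).items():
        print(f"{ip}: {posts} xmlrpc.php POSTs, largest response {biggest} bytes")
    print("flagged:", suspicious_ips(SAMPLE_LOG))
```

The response-size heuristic is what distinguishes this from ordinary rate limiting: the legitimate client in the sample (one small POST from a WordPress user agent, the pattern a pingback or Jetpack-style integration produces) is left alone, while the three large responses to the first address stand out even though three requests would never trip an ssh-style failed-login counter. If, like Rodrigo, you do not need XML-RPC at all, denying the endpoint at the web server (for example an nginx `location = /xmlrpc.php { deny all; }` block) removes the amplification vector outright and leaves only the single-attempt wp-login.php path for existing lockout rules to handle.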