On Wed, Oct 21, 2015 at 04:15:24PM +0100, Ian wrote:
Earlier this month, a Greek IP address failed to log in to five WordPress
sites on two of my servers - not on BitFolk. One attempt each on four sites,
and seven on another spread over several days.
On Tuesday last week, it was blocked for 24 hours by both of them after five
failed attempts to log in via ssh.
On Wednesday, it succeeded on one of them. Given the strength of the
password, the fact that it's not used (by me) anywhere else, and the chance
of doing this by random, I would quite like to know *how*.
Is the compromised ssh password the same as that of some WordPress user? If that is the
case, it might be done using this attack:
https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplifi…
I've disabled the XML-RPC API completely using a plugin. WordPress has not
released any version fixing this.
On the plus side, this was the server that was first in my queue to replace
with one running Debian Jessie, and it has been ten years since anything
like this has happened to me,* but grrr...
What was the server running? You may want to take the Logjam attack into account
(https://weakdh.org/sysadmin.html). I can't say it was that, but it *might* be a
possibility.
Thanks,
Rodrigo
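
The sequence described in this thread (failed WordPress logins, then failed ssh logins, then an ssh success from the same address) can be searched for in logs. The following is an added example, not part of the original messages: it assumes standard OpenSSH auth.log lines and a combined-format web access log, the function name `correlate` is hypothetical, and all sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample data; hosts, users and addresses are placeholders.
ACCESS_LOG = """\
203.0.113.7 - - [05/Oct/2015:11:02:13 +0100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2015:03:40:51 +0100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Oct/2015:09:00:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
AUTH_LOG = """\
Oct 13 09:10:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 13 09:10:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 13 09:10:09 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Oct 13 09:10:15 web1 sshd[2107]: Failed password for deploy from 203.0.113.7 port 40131 ssh2
Oct 13 09:10:21 web1 sshd[2107]: Failed password for deploy from 203.0.113.7 port 40131 ssh2
Oct 13 18:30:00 web1 sshd[2500]: Failed password for root from 192.0.2.99 port 50100 ssh2
Oct 14 08:00:12 web1 sshd[3000]: Accepted password for deploy from 198.51.100.20 port 51000 ssh2
Oct 14 10:22:47 web1 sshd[3310]: Accepted password for deploy from 203.0.113.7 port 41877 ssh2
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
WP_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def correlate(auth_log, access_log):
    """Return addresses whose ssh password login succeeded after earlier failures."""
    stats = defaultdict(lambda: {"wp_failed": 0, "ssh_failed": 0, "ssh_accepted": []})
    for line in access_log.splitlines():
        m = WP_RE.match(line)
        # WordPress answers a failed login with 200 and a successful one with 302.
        if m and m.group(2) == "200":
            stats[m.group(1)]["wp_failed"] += 1
    for line in auth_log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        result, user, ip = m.groups()
        if result == "Failed":
            stats[ip]["ssh_failed"] += 1
        elif stats[ip]["wp_failed"] or stats[ip]["ssh_failed"]:
            # Success from an address that already failed somewhere: worth a look.
            stats[ip]["ssh_accepted"].append(user)
    return {ip: dict(s) for ip, s in stats.items() if s["ssh_accepted"]}

if __name__ == "__main__":
    for ip, s in correlate(AUTH_LOG, ACCESS_LOG).items():
        print(ip, s)
```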