Why do you consider this a "hack attempt"?

It looks pretty tame to me.

I agree with KeyP; plenty of signals in that snippet to indicate a hacker's fingerprints.

Let's be gracious and consider what scenarios may have precipitated this "accident"?

For example;
MS employee spoofing as a hacker to investigate typical server responses.

Another example is that the links were deliberately placed for a spider to follow. There's been numerous reports of this technique and I'm not sure how savvy Bing is at avoiding them. I kinda agree with Incredibill though, no GET var injection and not obviously malicious.

True, no injection attempts but definitely malicious IMO.

I use the term "hack" because out of the 60 or so hits like this (all for documents that don't exist on my server, all at the same time stamp) most were the common probes to see if I used PHP or WordPress. Lots of "admin", "login", etc.

Hmmm... last couple statements vanished. I'll post again.

Basically I said that I'm now convinced the hacker is Russian and was using a M$ proxy. Now seeing same UA, same hack probes and the same sequence coming from a Russian broadband range.

Looks like it's Microsoft Hosting:
[whatismyipaddress.com...]

@MickeyRoush - Ahhh thanks. Looking further it looks like M$ Hosting Hong Kong:

168.61.0.0 - 168.63.255.255
168.61.0.0/16
168.62.0.0/15

Since I see the same hits from other ranges, it may be a botnet.

I block the complete 168.61.0.0 - 168.63.255.255 range.

Some time ago I made a note about 168.63.0.0/16: "hundreds of hits in minutes" and blocked it in the firewall - something I rarely do.

Probably not a botnet as such, just an ill-mannered lout who has rented space on an MS server.

Same UA requesting same sequence of same files (all blocked.) Here's the botnet:

168.63.20.162
59.52.95.118
62.76.40.80
62.157.51.138
84.135.124.15
88.75.60.97
92.231.197.5
110.78.152.162
121.52.71.23
193.34.81.39
208.96.227.68
212.107.116.234
77.12.172.229

In a recent access log check on one site I had two varieties of this rapid fire vulnerability check, some from one single IP, one like this with multiple hits in sequence from IPs all over the place.

Two of the first type each had different UAs, the second type as shown here had a different UA, but all IPs had the same UA.

The multi IP hits came in sequence with the same UA over the course of a minute:
37.45.176.81
46.53.193.35
46.118.107.17
91.197.6.143
109.200.137.148
119.147.146.189
119.147.207.158
147.30.76.182
159.224.57.168
178.121.179.169
178.124.206.26
185.24.218.20
212.66.57.155

UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"

165.132.100.76
(72 requests under a minute)
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

183.60.244.29
(68 requests in less than 10 seconds)
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

I consider these all "hacking attempts" because they are requesting (or POSTing) to means to upload or edit files. Examples (none of these plugins or editors or themes are on this site):
POST /wp-content/plugins/wpstorecart/php/upload.php
POST /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php
HEAD /editor/filemanager/connectors/uploadtest.html
POST /wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
HEAD /editors/fckeditor/editor/filemanager/upload/test.html
POST /wp-content/themes/clockstone/theme/functions/upload.php
/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php
and on and on.

My point in adding this is just that in my experience it is not an isolated IP or UA that is running this program and I've seen it increasing in frequency.

@not2easy I agree.

I suspect there are venues where you can buy a list of infected machines to use.


Also, I've noticed "google.com/humans.txt" appended to a huge amount of hack attempts.

EXAMPLE: 67.222.18.49 - - [08/Mar/2014:14:34:40 -0800] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.0" 403 649 "-" "-"

Bingo!

My experience dealing with MS's legal bods, requesting them to remove/shut-down 100's of copyright infringers, indicates that MS are far more efficient, and responsive, than Google.

So it may well be worth reporting this server abuse to MS hosting bods in Seattle and HK.

For example;
MS employee spoofing as a hacker to investigate typical server responses.

That employee is a very, very fast typist, if so.

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.

keyplyr - it's possible to buy botnets of various sizes for varying prices, but small ones are apperently quite cheap. Botnets come with a "control panel" so any idiot (ie most botnet drivers) can manage them. Botnets are a commodity nowadays.

Angonasec - MS have a long history of legal wrangles and appear to have learnt from them. Certainly more so than G, who are still in the denial phase.

Opera 10? Really? With freestanding browsers (that is, not OS-linked like Safari and MSIE) you hardly ever see antiquated versions.

Why a robot thinks it will have better luck pretending to be a Russian human is just one of those abiding mysteries.

_{Emphases added by me.}


Believe or not, Russians do like Opera, a lot. :) Just ask some of us. You should hear us singing when the Bot Actually starts running on a hacked account! :)

As far as 'wp-../../.php'

1. If one does not run one(wp) >> we serve 400(16 bytes), put the IP on quarantine.
2. If one does, was it accessed from an allowed IP? if no >> GOBACK to 1.
3. Blame the ... dude in a funny pants.

@keyplyr, were the headers OK?

@blend27

I send myself an email when headers are malformed. However in this case the hits were 403 blocked for at least two other reasons which I saw immediately, so I never viewed the headers for those attempts (deleted now.) And no, I do not use ANY out of the box software... especially WP!

Russians do like Opera, a lot.

They're also said to be traditionalists at heart, which would explain why you see so many Opera <= 8 and "Bork-edition" floating around ;)

I don't have anything that's attractive to Russian humans, so I really have no idea what they typically look like. In, ahem, site logs. Real life is another matter.

However in this case the hits were 403 blocked for at least two other reasons

Once in a blue moon I fine-tooth-comb my logs and take a closer look at the 403s. I like to make sure their originating IPs are also blocked whenever possible; things like UA and referer tests are just insurance.

For the last 3 months, after changing hosts, I "fine-tooth-comb my logs" all day long, slowly looking for anything abnormal. I've caught quite a few things I've either changed my mind about, or discovered the culprit has developed a work-around to my initial defenses.

Opera user agent strings are very common for probe bots, in my experience. Particularly from Russia and the Ukraine.

And if these hits are coming from MS hosting IP space, that means there's a 0.01% chance someone has rented an Azure server to run their probe, and a 99.99% chance that someone's Azure-hosted webserver has been compromised and is now being used to run probes.