hacking probes from hacked IPs

dstiles

9:05 am on May 31, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is not new; I'm very familiar with hacked IPs trying it on but this particular facet is puzzling me.

I get criminal probes to all of my sites from time to time but one site in particular gets very heavy hits every few days. This morning there were about 100 hits to non-existent services such as mysql, phpadmin, wp etc. I seldom see this many hits to any other site, although they do get similar try-it-on requests from time to time.

What is puzzling me is why this one site gets so much attention. It's been around for several years and was always intended to be an experiment. The domain begins with a zero and it has only a home page and a contact page. The idea was to see if it could pre-empt scrapers etc from hitting real domains by being first in the alpha-numeric list of domains.

I wonder if this is actually working after all. I have a kill switch for IPs that request content using certain keywords - eg wp, mysql etc. Sadly the code takes too long to add the IP to iptables, hence the 100 or so hits; the IP gets added to iptables for every bad hit and I have to periodically clean out the duplicates from iptables.

But is this kill switch actually preventing the same IP from hitting my other domains? I doubt it - if the baddie is visiting sites alphabetically there are millions before mine and a new IP would be in use by the time it got around to me again. Unless it harried by target IP, which I'm inclined to doubt.

Can anyone suggest reasons for this?

TorontoBoy

12:30 pm on May 31, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



Random crawler, doddling through the interweb. There's no rhyme or reason.

You might want to search iptables before you add a new banned IP. There could be hundreds of bot hits per day. That table will get huge and very slow. The addition of a search before addition might provide you with more protection.
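As an added illustration of the search-before-add advice (example code, not from either poster), a small POSIX shell script that consults the live rule list before inserting a DROP rule, plus a helper that prints the rule list with duplicate entries removed. It assumes one `-s <ip>/32 -j DROP` rule per banned address in the INPUT chain, formatted as `iptables -S INPUT` prints it; the sample rule text is constructed, and `ban_ip` needs root on a real host.

```shell
#!/bin/sh
# Added example (not from this thread): avoid duplicate iptables bans.
# Assumptions: the INPUT chain holds one "-s <ip>/32 -j DROP" rule per
# banned address, as `iptables -S INPUT` prints it; running ban_ip needs root.

# Constructed sample of `iptables -S INPUT` output, with one duplicate,
# so the helpers can be exercised without touching a real firewall.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -s 198.51.100.7/32 -j DROP'

# ip_already_banned RULES IP -> exit 0 if IP already has a DROP rule in RULES.
# Fixed-string match (-F) so the dots in the address are not regex wildcards;
# "--" stops grep reading the leading "-A" of the pattern as an option.
ip_already_banned() {
    printf '%s\n' "$1" | grep -qF -- "-A INPUT -s $2/32 -j DROP"
}

# unique_rules RULES -> RULES with repeated lines dropped, first copy kept
# (the periodic "clean out the duplicates" step done in one pass).
unique_rules() {
    printf '%s\n' "$1" | awk '!seen[$0]++'
}

# ban_ip IP -> insert a DROP rule only if the live chain lacks one.
ban_ip() {
    live=$(iptables -S INPUT 2>/dev/null) || live=''
    if ip_already_banned "$live" "$1"; then
        echo "already banned: $1"
        return 0
    fi
    iptables -I INPUT -s "$1" -j DROP && echo "banned: $1"
}

# Usage on a real host, as root:  ban_ip 203.0.113.5
```

The lookup is a linear scan of the chain, so it gets slower as the ban list grows, which is the cost the reply warns about. The usual way round that is to keep the addresses in an ipset (`ipset create banlist hash:ip`), reference the set from a single rule (`iptables -I INPUT -m set --match-set banlist src -j DROP`), and add addresses with `ipset add -exist banlist <ip>`: the `-exist` flag makes a repeat add a no-op, so the search step disappears entirely and the lookup is a hash probe rather than a chain walk.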

dstiles

1:54 pm on May 31, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks, but there must be more to it. It's been going on for at least five years and I would have expected the perpetrator to have got bored by now and tried something useful.

In theory iptables should block any IPs it has so should not acquire duplicates. It only acquires dups in this case because the submission mechanism is too slow compared with the input. Adding a search would slow down the entries even further.

More details of what I did at [webmasterworld.com...]

Brett_Tabke

2:45 pm on May 31, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



>What is puzzling me is why this one site get so much attention.

You made it onto a hackers list at some point. It id'd something vulnerable about your site at some point and added you to the 'check back' later list.

I have several parked domains that at some point I put wordpress on. To this day (5-8 yrs later), those domains still get requests for wordpress logins etc.

lucy24

3:39 pm on May 31, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> To this day (5-8 yrs later), those domains still get requests for wordpress logins etc.

Do there exist sites that do not get requests for wp logins, whether or not the site has ever had wp? I find them in the tens of thousands--even on a brand-new site that has no real content and was just created on a whim last month.

dstiles

3:53 pm on May 31, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Brett_Tabke - It's always been as secure as all my other sites. The other sites DO get similar hits but nowhere near as many.

Jonesy

3:05 pm on Jun 11, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



> Do there exist sites that do not get requests for wp logins, whether or not the site has ever had wp?

But, yes! I have several sites that have never been touched by WordPress and they are constantly probed for misc. wp claptrap in various, non-existent directories. wplogin and wlwmanifest being the most often requested.

Furthermore, from among my various sites, each one will spend some time in the box as the crackers' Favorite Of The Week; while the others stay relatively quiet.

I've often thought to create a wplogin PHP page as a honey pot to gather ip's for further processing. But, I've yet to find a round tuit.

Brett_Tabke

1:46 pm on Jul 12, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



>do not get requests for wp logins,

Ya, that is true, but there seems to be a level of difference. If some bot thinks you have wordpress on there, they go well beyond the admin/login checks.

not2easy

2:00 pm on Jul 12, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I use wp-login.php requests to block bots on non-WP sites. They are not coming in to visit. They have a harder time to check further and WP vulnerabilities are not the only thing they came to look for.

The script is old (oulde) and there were more tweaks and versions in PHP, Perl and cgi (some linked from that thread) from 2004 but it still works. I couldn't find it again for a while, but today I did (thank you Brett!). I got it from this thread: [webmasterworld.com...]
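As an added example of the idea in the last few posts, requests for wp-login.php and similar paths on a site that has never run WordPress as a block trigger (example code, not the 2004 script from the linked thread nor anything posted here), a POSIX shell script that pulls the probing IPs out of an access log and turns them into idempotent ipset commands. It assumes combined log format (client IP in field 1, request path in field 7), a pre-created `banlist` ipset referenced by one iptables rule, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from this thread): pick probe sources out of an access
# log. Assumes combined log format (client IP in field 1, request path in
# field 7) and that the site has never hosted WordPress or phpMyAdmin, so
# any request for these paths is a probe, not a visitor.

# Constructed sample log lines.
SAMPLE_LOG='203.0.113.5 - - [31/May/2022:09:01:12 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [31/May/2022:09:01:13 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [31/May/2022:09:01:14 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [31/May/2022:09:02:00 +0000] "GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"'

# Regex of paths with no legitimate use on this site; the path is lower-cased
# before matching. "[.]" is used instead of "\." so awk -v does not rewrite
# the backslash.
PROBE_PATHS='wp-login[.]php|xmlrpc[.]php|wlwmanifest[.]xml|wp-admin|phpmyadmin'

# probe_ips_from_log: read log lines on stdin, print each probing IP once,
# in order of first appearance.
probe_ips_from_log() {
    awk -v re="$PROBE_PATHS" 'tolower($7) ~ re && !seen[$1]++ { print $1 }'
}

# ban_commands: turn the IP list into ipset commands for review (pipe to sh
# to apply). "-exist" makes a repeat add a no-op, so re-running over the same
# log never produces duplicates. The set and the single iptables rule that
# consults it are created once, outside this script:
#   ipset create banlist hash:ip
#   iptables -I INPUT -m set --match-set banlist src -j DROP
ban_commands() {
    probe_ips_from_log | sed 's/^/ipset add -exist banlist /'
}

# Usage:  tail -n 5000 /var/log/apache2/access.log | ban_commands | sh
```

Because the only match is on the request path, a legitimate visitor to the home or contact page never appears in the output, which is what makes these paths a safe trigger on a site that has never served them; the same list can be extended with the mysql and phpadmin names mentioned at the top of the thread.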