I have received several password reset e-mails for the user "admin" (i.e. the login name admin) on an old (but patched and up to date) WordPress installation. The site owner did not request the password reset.
It is highly unlikely that the attacker has access to the e-mail address the password reset was sent to (or could have intercepted data in transit between the web server and the e-mail client).
Why would an attacker try to reset the password? (I found the WordPress 4.0 password reset CSRF vulnerability, but from what I can see it does not seem to match what I am seeing.)
The (sanitized) log file entries (starting from when the reset e-mail was received) are as follows:
www.attacked.wpsite.addr:443 74.63.240.187 - - [28/Dec/2017:06:10:17 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"
www.attacked.wpsite.addr:443 74.63.240.187 - - [28/Dec/2017:06:10:19 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"
www.attacked.wpsite.addr:443 54.148.232.32 - - [28/Dec/2017:06:10:22 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 54.148.232.32 - - [28/Dec/2017:06:10:24 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 162.243.152.212 - - [28/Dec/2017:06:18:54 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 162.243.152.212 - - [28/Dec/2017:06:18:56 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 65.19.143.194 - - [28/Dec/2017:06:24:55 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3745 "-" "-"
www.attacked.wpsite.addr:443 65.19.143.194 - - [28/Dec/2017:06:24:59 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3745 "-" "-"
www.attacked.wpsite.addr:80 185.86.13.213 - - [28/Dec/2017:06:25:19 +1300] "GET /wp-login.php HTTP/1.1" 302 279 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:06:25:21 +1300] "GET /wp-login.php HTTP/1.1" 200 6009 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:06:25:21 +1300] "POST /wp-login.php HTTP/1.1" 200 3754 "https://www.attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:80 51.15.146.69 - - [28/Dec/2017:06:43:47 +1300] "POST /wp-login.php HTTP/1.1" 302 238 "http://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 5.2; rv:52.42.99) Gecko/20130250 Firefox/52.42.99"
www.attacked.wpsite.addr:443 51.15.146.69 - - [28/Dec/2017:06:43:49 +1300] "GET /wp-login.php HTTP/1.1" 200 4798 "http://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 5.2; rv:52.42.99) Gecko/20130250 Firefox/52.42.99"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:07:59:58 +1300] "POST /wp-login.php HTTP/1.1" 200 4987 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_36_89) AppleWebKit/532.85.48 (KHTML, like Gecko) Chrome/57.4.9780.5052 Safari/534.56"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:07:59:59 +1300] "POST /wp-login.php HTTP/1.1" 200 2128 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 5.0) AppleWebKit/533.09.52 (KHTML, like Gecko) Version/5.5.1 Safari/532.17"
www.attacked.wpsite.addr:443 198.71.87.205 - - [28/Dec/2017:08:08:36 +1300] "GET /wp-login.php HTTP/1.1" 200 4830 "http://www.attacked.wpsite.addr/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"
www.attacked.wpsite.addr:443 198.71.87.205 - - [28/Dec/2017:08:08:36 +1300] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1549 "https://www.attacked.wpsite.addr/wp-login.php" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"
www.attacked.wpsite.addr:80 185.86.13.213 - - [28/Dec/2017:09:16:41 +1300] "GET /wp-login.php HTTP/1.1" 302 279 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:09:16:44 +1300] "GET /wp-login.php HTTP/1.1" 200 6009 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:09:16:44 +1300] "POST /wp-login.php HTTP/1.1" 200 3722 "https://www.attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:04 +1300] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 3666 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:05 +1300] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.1 HTTP/1.1" 200 36906 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:38 +1300] "POST /wp-login.php HTTP/1.1" 302 1338 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:39 +1300] "GET /wp-admin/ HTTP/1.1" 200 17170 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:10:09:25 +1300] "POST /wp-login.php HTTP/1.1" 200 4987 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/535.25.78 (KHTML, like Gecko) Chrome/53.7.2713.8085 Safari/531.86"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:10:09:25 +1300] "POST /wp-login.php HTTP/1.1" 200 4987 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/536.39.82 (KHTML, like Gecko) Chrome/54.8.4130.9402 Safari/531.90"
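As an added example (not part of the question), a small Python script that parses access-log lines in the format shown above and flags source IPs that fired repeated POSTs to the lost-password action or sent no User-Agent; the sample lines are copied from the log above, and the 60-second window and two-request threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log with a leading "vhost:port" field, as in the question's lines.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def reset_requests_by_ip(lines):
    """Group POSTs to wp-login.php?action=lostpassword by source IP."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and "action=lostpassword" in e["path"]:
            by_ip[e["ip"]].append(e)
    return by_ip

def suspicious_reset_sources(lines, window=timedelta(seconds=60), min_hits=2):
    """Return {ip: summary} for IPs with min_hits reset POSTs inside window, or no User-Agent.
    'accepted' counts 302s, the response WordPress gives when it accepts the request."""
    findings = {}
    for ip, events in reset_requests_by_ip(lines).items():
        events.sort(key=lambda e: e["ts"])
        burst = any(events[i + min_hits - 1]["ts"] - events[i]["ts"] <= window
                    for i in range(len(events) - min_hits + 1))
        no_ua = any(e["ua"] == "-" for e in events)
        if burst or no_ua:
            findings[ip] = {"requests": len(events), "burst": burst, "no_user_agent": no_ua,
                            "accepted": sum(1 for e in events if e["status"] == 302)}
    return findings

# Sample input: lines copied from the question's log (a normal login and a GET are included
# to show they are not counted).
SAMPLE_LINES = [
    'www.attacked.wpsite.addr:443 74.63.240.187 - - [28/Dec/2017:06:10:17 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"',
    'www.attacked.wpsite.addr:443 74.63.240.187 - - [28/Dec/2017:06:10:19 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"',
    'www.attacked.wpsite.addr:443 54.148.232.32 - - [28/Dec/2017:06:10:22 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"',
    'www.attacked.wpsite.addr:443 198.71.87.205 - - [28/Dec/2017:08:08:36 +1300] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1549 "https://www.attacked.wpsite.addr/wp-login.php" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"',
    'www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:38 +1300] "POST /wp-login.php HTTP/1.1" 302 1338 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"',
]
```

Run it over the full access log (one line per list entry) to see which sources triggered reset mails (302) versus which were refused.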