Koozali.org: home of the SME Server

Question about logwatch email

Offline wdepot

Question about logwatch email
« on: February 25, 2022, 01:18:33 AM »
We got a recent email from Logwatch 7.4.0 that shows the following section:
Quote
A total of 11 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php HTTP Response 302
    /wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php HTTP Response 302
    /wp-admin/admin.php?page=multi_metabox_listing&action=edit&id=../../../../../../wp-config.php HTTP Response 302
    /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=../../../../wp-config.php HTTP Response 302
    /wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php HTTP Response 302
    /wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../wp-config.php HTTP Response 302
    /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php HTTP Response 302
    /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php HTTP Response 302
    /wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update&cpabc_calendar_update=1&id=../../../../../../wp-config.php HTTP Response 302
    /wp-content/plugins/google-document-embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp-config.php HTTP Response 302
    /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php HTTP Response 302

Neither ibay on our server contains a folder named wp-admin or wp-content so I am wondering why our server would be responding with a 302 Found code instead of a 404 Not Found code. Is this some new part of SME10 kind of like the mydomain.com/server-manager thing used to access the server that has been a part of SME for years? Is a section like this something I need to be worried about? I'm assuming that when the server sends a 302 code that no actual data is sent, am I correct?

Offline TerryF

Re: Question about logwatch email
« Reply #1 on: February 25, 2022, 01:24:51 AM »
wp-admin is a WordPress folder, do you have a WordPress site?
--
qui scribit bis legit

Offline wdepot

Re: Question about logwatch email
« Reply #2 on: February 25, 2022, 01:38:30 AM »
No, we don't have a WordPress site and I've never installed a WordPress contrib on the server unless it automatically comes as a part of SME10.

Offline TerryF

Re: Question about logwatch email
« Reply #3 on: February 25, 2022, 06:03:08 AM »
Quote
No, we don't have a WordPress site and I've never installed a WordPress contrib on the server unless it automatically comes as a part of SME10.

No it does not..shrug, bit like hearing a strange noise at night :-) check the doors and windows are all locked... :-)

Offline dallas

Re: Question about logwatch email
« Reply #4 on: February 25, 2022, 06:44:14 AM »
Quote
No it does not..shrug, bit like hearing a strange noise at night :-) check the doors and windows are all locked... :-)

There are a lot of wordpress attacks out there. Have a read through this.
https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/

Offline ReetP

Re: Question about logwatch email
« Reply #5 on: February 25, 2022, 07:03:14 PM »
Just log noise with hackers trying to find a WP installation to attack.

If you don't have Wordpress it is just an annoyance.

You can check your apache http logs for the exact URL used. As to why it returns 302 and not 404 is probably an Apache thing. Have a generic search on the interwebs for more.

JP may have a more concise answer when he is about.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: Question about logwatch email
« Reply #6 on: February 28, 2022, 02:54:47 AM »
no clue

need to investigate. 

indeed strange.
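
Following up on the suggestion in reply #5 to check the Apache logs: the script below is an added example, not code from any poster or from SME Server. It pulls traversal-style requests out of combined-format access log lines and sorts them by how the server answered. The sample lines are constructed, and the function names and verdict labels are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache "combined" format; client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2022:03:12:01 -0700] "GET /wp-content/plugins/tera-charts/charts/treemap.php?fn=../../../../wp-config.php HTTP/1.1" 302 211 "-" "-"
203.0.113.7 - - [24/Feb/2022:03:12:02 -0700] "GET /wp-content/themes/churchope/lib/downloadlink.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 302 211 "-" "-"
203.0.113.7 - - [24/Feb/2022:03:12:03 -0700] "GET /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php HTTP/1.1" 404 196 "-" "-"
198.51.100.4 - - [24/Feb/2022:08:30:15 -0700] "GET /index.html?ref=../news HTTP/1.1" 200 5120 "-" "-"
198.51.100.4 - - [24/Feb/2022:08:30:16 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_traversal(target):
    """True if any query value, after percent-decoding, has a '..' path segment."""
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if ".." in re.split(r"[\\/]", value):
            return True
    return False

def triage(log_text):
    """Return (client, status, size, verdict, path) for each traversal-style request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_traversal(m.group("target")):
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        if 200 <= status < 300:
            verdict = "review"      # a body was served: inspect what that URL returns
        elif 300 <= status < 400:
            verdict = "redirected"  # find which redirect or rewrite rule answered
        else:
            verdict = "rejected"    # 4xx/5xx: the request was refused
        path = urlsplit(m.group("target")).path
        findings.append((m.group("client"), status, size, verdict, path))
    return findings

if __name__ == "__main__":
    for client, status, size, verdict, path in triage(SAMPLE_LOG):
        print(f"{verdict:<10} {status} {size:>6}B {client} {path}")
```

The size column is the response body length the server logged, which helps tell a short redirect page from a response large enough to be a file.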