Security


WordPress (hacking) login attempts

This time I will present the number of failed login attempts per username for my WordPress site www.highiso.net.

As I am using a WordPress security plugin that logs invalid login attempts (the wp_itsec_log table below belongs to iThemes Security), I got the data straight from the MySQL database as follows:

mysql> select log_username, count(log_username) from wp_itsec_log where log_function="Invalid Login Attempt" group by log_username;
+--------------+---------------------+
| log_username | count(log_username) |
+--------------+---------------------+
| admin        |                 656 |
| JohnThomas   |                   1 |
| mtsou        |                   2 |
| tsoukalos    |                 386 |
+--------------+---------------------+
4 rows in set (0.00 sec)

You can see two visualisations of the data that were created using R.


Cisco hacking attempts

I have an ADSL Cisco router for connecting to the Internet.

The total number of hacking attempts (failed logins) since February 2015 is the line count that wc prints first:

# grep "Login failed" /var/log/cisco.log | wc
14625 409500 3458312

A sample log entry looks like the following:

# grep "Login failed" /var/log/cisco.log | head -1
Feb 26 16:10:38 HOSTNAME 48: Feb 26 14:10:37.514: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bin] [Source: SOURCE_IP] [localport: 22] [Reason: Login Authentication Failed] at 16:10:37 utc Thu Feb 26 2015

I extracted the [user: ...] entries using AWK as follows (in the layout above field 13 is "bin]", and the second awk strips the closing bracket):

# grep "Login failed" /var/log/cisco.log | awk '{print $13}' | awk -F\] '{print $1}'

The full command for counting how many times each username appears, followed by the same pipeline piped into wc to count the distinct usernames, is the following:

# grep "Login failed" /var/log/cisco.log | awk '{print $13}' | awk -F\] '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2 " " $1}'
# grep "Login failed" /var/log/cisco.log | awk '{print $13}' | awk -F\] '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2 " " $1}' | wc
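The `$13` field only works while the syslog prefix keeps the layout shown above (timestamp, hostname, sequence number, router timestamp), and it truncates any username that contains a space. The script below is an added example, not the original post's pipeline: it extracts the bracketed `[user: ...]` and `[Source: ...]` fields with a regular expression instead, counts failed logins per username and per source address, and keeps the original field-position extraction alongside for comparison. The log lines it runs on are constructed samples with documentation addresses and a placeholder hostname, not the real log.

```shell
#!/bin/sh
# Added example, not the original post's pipeline: count failed Cisco IOS
# logins per username and per source address by matching the bracketed
# "[user: ...]" and "[Source: ...]" fields instead of a fixed awk field number.

# Constructed sample of /var/log/cisco.log (not real data); HOSTNAME and the
# addresses are placeholders. The last line is a successful login, which the
# original "grep 'Login failed'" would also skip.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 26 16:10:38 HOSTNAME 48: Feb 26 14:10:37.514: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 16:10:37 utc Thu Feb 26 2015
Feb 26 16:10:41 HOSTNAME 49: Feb 26 14:10:40.102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 16:10:40 utc Thu Feb 26 2015
Feb 26 16:10:45 HOSTNAME 50: Feb 26 14:10:44.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:10:44 utc Thu Feb 26 2015
Feb 26 16:10:49 HOSTNAME 51: Feb 26 14:10:48.901: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 16:10:48 utc Thu Feb 26 2015
Feb 26 16:10:52 HOSTNAME 52: Feb 26 14:10:51.118: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: John Smith] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 16:10:51 utc Thu Feb 26 2015
Feb 26 16:11:00 HOSTNAME 53: Feb 26 14:10:59.004: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mihalis] [Source: 192.0.2.10] [localport: 22] at 16:10:59 utc Thu Feb 26 2015
EOF

# Only the failed-login messages: LOGIN_SUCCESS lines carry the same
# bracketed fields and must not be counted.
failed_lines() {
    grep '%SEC_LOGIN-4-LOGIN_FAILED' "$1"
}

# Value of one bracketed field ("user" or "Source") from every failed login.
# Everything up to the closing bracket is kept, so a username containing a
# space survives intact.
field() {
    failed_lines "$2" | sed -n "s/.*\[$1: \([^]]*\)].*/\1/p"
}

# "value count" pairs, most frequent first (same shape as the post's output).
count_by() {
    field "$1" "$2" | sort | uniq -c | sort -rn \
      | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print $0 " " c }'
}

failed_users()   { count_by user   "$1"; }
failed_sources() { count_by Source "$1"; }
failed_total()   { failed_lines "$1" | wc -l | tr -d ' '; }

# The original field-position extraction, kept for comparison: on the
# "John Smith" line it prints only "John".
naive_users() {
    failed_lines "$1" | awk '{print $13}' | awk -F']' '{print $1}'
}

echo "failed logins: $(failed_total "$SAMPLE_LOG")"
echo "--- per username ---"; failed_users "$SAMPLE_LOG"
echo "--- per source ---";   failed_sources "$SAMPLE_LOG"
```

Run it against the real file by replacing the heredoc with `SAMPLE_LOG=/var/log/cisco.log`; the per-source table is the one to feed into a firewall rule, since a handful of addresses usually account for most of the attempts.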

The top 10 usernames were the following:

root 10735
test 185
guest 151
git 109
ubnt 98
nagios 95
oracle 89
admin 68
zabbix 63
ubuntu 39

After extracting the information, I used R to visualise the top 40 results that can be seen in the figure :-)


Secure your network with Nmap

I wrote “Secure your network with Nmap” for Linux User & Developer, issue 138.


www-data PHP & Postfix emails

It all started with an email from my Linode server telling me

"Linode Alert - disk io rate".

After manually deleting many queued messages with the following command:
# postsuper -d ALL deferred
postsuper: Deleted: 146 messages

I had to start looking for the source of the problem...
What almost solved the problem was turning on PHP's logging of mail() calls, in both php.ini files:

# find . -name php.ini
./php5/cli/php.ini
./php5/apache2filter/php.ini


; The path to a log file that will log all mail() calls. Log entries include
; the full path of the script, line number, To address and headers.
;mail.log =

mail.log = /var/log/php.mail.log

I changed the permissions of /var/log/php.mail.log so that it can be written by everyone...

Then I was able to produce really useful output.

There was a PHP script called sys09725827.php on both my WordPress and Drupal installations!
I deleted the script and everything is fine now.

  • public_html/wp-includes/fonts/sys09725827.php
  • public_html/themes/bartik/css/sys09725827.php
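PHP writes one mail.log entry per mail() call in the form `mail() on [script:line]: To: ... -- Headers: ...`, so the sending script can be found by counting those entries per path. The script below is an added example, not the post's own procedure: it does that count over a constructed sample of the log, and then looks for .php files below directories that should only ever hold static assets (fonts, css, uploads), which is exactly where the dropped file above was sitting. The log lines, paths and addresses are placeholders built for the example. As a tighter alternative to a world-writable log file, the file only needs to be writable by the web server account, which the comment at the top shows.

```shell
#!/bin/sh
# Added example, not the original post's procedure: attribute outgoing mail to
# the PHP script that called mail(), then look for PHP files in directories
# that should hold only static assets.
#
# Tighter than making the log world-writable: create it writable only by the
# web server account (www-data on Debian/Ubuntu), e.g.
#   touch /var/log/php.mail.log
#   chown www-data /var/log/php.mail.log
#   chmod 0640 /var/log/php.mail.log

# Constructed sample of /var/log/php.mail.log in the format PHP writes when
# mail.log is set ("mail() on [script:line]: To: ... -- Headers: ...").
# Paths and addresses are placeholders, not the real log.
MAIL_LOG=$(mktemp)
WEBROOT=$(mktemp -d)
trap 'rm -f "$MAIL_LOG"; rm -rf "$WEBROOT"' EXIT
cat > "$MAIL_LOG" <<'EOF'
[26-Feb-2015 14:10:37 UTC] mail() on [/home/user/public_html/wp-includes/fonts/sys09725827.php:3]: To: victim1@example.com -- Headers: From: promo@example.net
[26-Feb-2015 14:10:38 UTC] mail() on [/home/user/public_html/wp-includes/fonts/sys09725827.php:3]: To: victim2@example.com -- Headers: From: promo@example.net
[26-Feb-2015 14:10:39 UTC] mail() on [/home/user/public_html/wp-includes/fonts/sys09725827.php:3]: To: victim3@example.com -- Headers: From: promo@example.net
[26-Feb-2015 15:02:11 UTC] mail() on [/home/user/public_html/wp-includes/pluggable.php:365]: To: mihalis@example.org -- Headers: From: WordPress <wordpress@example.org>
EOF

# "script count" pairs, most frequent sender first. The path is everything
# between "mail() on [" and the ":line]" that follows it.
mail_senders() {
    sed -n 's/.*mail() on \[\([^]]*\):[0-9][0-9]*].*/\1/p' "$1" \
      | sort | uniq -c | sort -rn \
      | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print $0 " " c }'
}

# Constructed web root mirroring the two paths named in the post, with some
# legitimate static files next to them.
mkdir -p "$WEBROOT/wp-includes/fonts" "$WEBROOT/themes/bartik/css" "$WEBROOT/wp-content/uploads/2015"
touch "$WEBROOT/wp-includes/fonts/sys09725827.php" "$WEBROOT/wp-includes/fonts/dashicons.woff" \
      "$WEBROOT/themes/bartik/css/sys09725827.php" "$WEBROOT/themes/bartik/css/style.css" \
      "$WEBROOT/wp-content/uploads/2015/photo.jpg"

# PHP files below the given static-only directories (relative to the web root).
stray_php() {
    root=$1
    shift
    for d in "$@"; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f -name '*.php'
        fi
    done | sort
}

echo "--- mail() calls per script ---"
mail_senders "$MAIL_LOG"
echo "--- PHP files in static-only directories ---"
stray_php "$WEBROOT" wp-includes/fonts themes/bartik/css wp-content/uploads
```

On a live server, point `MAIL_LOG` at /var/log/php.mail.log and `WEBROOT` at the document root; a legitimate WordPress install sends its mail from wp-includes/pluggable.php, so any other script at the top of the first table deserves a look.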

The following link from Drupal.org helped a lot:
https://drupal.org/SA-CORE-2013-003

I had to edit:

  • ./sites/default/files/.htaccess
  • /tmp/.htaccess


# cat /tmp/.htaccess
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>


My Top 10 UNIX Security Tools

Security is an important part of an administrator's job. All the tools presented here are very handy for every system or network administrator, and I think that you should add them to your arsenal.
When checking the security of a machine or a network, I suggest that you start with nmap, and never forget that these tools are also available to attackers.

  1. Nmap
  2. Wireshark
  3. Nessus Security Scanner
  4. My Firewall
  5. tcpdump
  6. SQLMap
  7. Aircrack-ng
  8. telnet
  9. Log files
  10. A Password Cracker