Category: Morpheus

Reason why You Should Remove your Default Admin in WordPress

Paul

I was checking my Logs today and I thought some people would like see it:

Fail-loginattempts

I can only guess why people still use there Admin user for WordPress.  As you can see, my log is bigger than this, they tried to log in with the default username.  The Ip of 213.155.4.184  goes to the orginazation of Morpheus, [intlink id=”3743″ type=”post”]is it the same one that came scanning a few months ago[/intlink]?

This is just a quick not that if you haven’t listened to my suggestion of  [intlink id=”4122″ type=”post”]Deleting the Default Username for WordPress[/intlink] this only proves that you should.

You should also consider creating a hard to guess password, and I suggest using [intlink id=”2646″ type=”post”]Roboform[/intlink] to do that.    It is also a great Password manager for those password you could hardly remember.

Morpheus comes a scanning!!

Paul

morpheusscan1I’ve been reading about this on other blogs about this user agent   I have been seeing this agent trying to access an area where I know WordPress doesn’t have anything there.  Some people suspect it is scanning for any Drupal Vulnerabilities.   I have to say if it is searching for Drupal, it is in the wrong place.

Now let’s get down to it.  I’ve seen a lot of comments that just blocking the User is not going to prevent this from happening.   You see they can always spoof the agent with out much trouble but I feel that if they are going to do use an agent that I can track.  It is never a bad idea to block that type of access.  If that was a true agent, I seriously doubt it would be a legitimate agent because of the name.  Others have suggested this is looking to find a PHP Vulnerability and exploit your system.

[ad]I don’t know if it is true.   I have been reading the comments on the blog and some of them are quite interesting.   One such comment that I like how this scanner has been around since 2006 and most PHP servers have been updated to prevent this type of exploit.   So either this scanner is an old system that has nothing better to do or they are just trying to see if they can get a response from my server.   In which case, they now will be give the Access denied.   I have modified my htaccess file to prevent this scanner from even coming to my website.  See blog post to find out how.

What makes this so interesting is it tries to go to “user/soapCaller.bs” expecting to find something, Oh well I am pretty much unconcerned due to the fact that I keep WordPress up to date and I am constantly looking for oddities like this in my log files.   Now we heard that they don’t always have to use the headers and can hide and not be blocked so I have thought about denying anything that doesn’t show IP or has no header?   I wanted to ask my users if that is a good ide or bad idea?   This would stop bots from being bad, I do wonder if this has to do with me talking about [intlink id=”3132″ type=”post”]Pifts.exe a couple months ago[/intlink].    I have read about this on the comments section about this being a Government funded data collection, I don’t know but it does intrique me on the subject.

Remember to help prevent exploits on your server you should keep it up to date as much as possible.  [intlink id=”3700″ type=”post”]If there is an update to WordPress[/intlink], you should always consider updating even when there are problems down the road.