———————————————————————
– OVERVIEW / THOUGHT PROCESS –
———————————————————————
Recently, an article was written regarding a massive attack on WordPress sites through an array of linked computers. The analogy was that one (1) fire hose could be pointed at a brick wall with no destruction… but hundreds and even thousands of fire hoses pointed at that same wall could cause some serious damage depending on how thick that wall is.
As soon as I saw this article, I was interested in seeing if websites housed on my servers were hit with this bot. Immediately, I copied all of my log files and sent them to myself for analysis. Following this, I did a series of clicks and pastes to help me analyze the files. Below is the WordPress button that I clicked and the log below the title is exactly what was posted in my access_log file as the page was requested from the server.
I sanitized a few things, so when you see these entries, you’ll know what I’m talking about. Also, I’ll give you an explanation of the lines in the logs so that you know what you’re seeing:
IPV4 – – stands for Internet Protocol Version 4, the standard IP address format used to deliver most traffic on the internet today.
IPV6 – – stands for Internet Protocol Version 6, the future of IP addressing, developed because the number of available IPV4 addresses is running low.
LOG EXPLANATION – – Example Entry: IPV4 – – [13/Apr/2013:16:44:24 +0000] “POST /wp-login.php HTTP/1.1” 302 –
- IPV4 – this text replaces the actual IP address located in the unchanged log file.
- [13/Apr/2013:16:44:24 +0000] – Time stamp for the log… these were all done at the same time, but the actual log will show when an attacker attempted to access your files.
- POST – This is the command (the HTTP method) that was processed by the server. Common commands are GET, HEAD, POST, and TRACE.
- /wp-login.php – This is the file to which the command is referring. The parameters meant to be passed with this command are sent in the body of the request, which the access_log file will not see.
- HTTP/1.1 – This is the protocol being used in the request.
- 302 – This is the status code which will tell us what happened in the request. You can find each of the status codes in the reference found here.
———————————————————————
– WHAT’S THE GAME PLAN? –
———————————————————————
The easiest way to know if a bot was trying to log onto my server is to look at the logs from a time when I know I was not attempting to update any pages on that server. Since the article doesn’t reference a time-frame when the attacks started, I can assume that the most recent access_log entry that I don’t recognize is an attack. The only way to verify this is to compare this entry to a KNOWN entry, or baseline, which I’ve created below. Each of the logs below was purposefully created to identify a baseline for each action that I can do on the server.
Therefore, I will compare the log entries that I think are attacks with the baseline to identify any malicious intent. Here’s the link to the Baseline (intentionally created logs).
———————————————————————
– ANALYSIS / RESULTS –
———————————————————————
There are over 33,000 lines in the access_log, so I really need to narrow this analysis down to something specific. The easiest way to understand if a bot was able to log onto my server is to look at what happens when I log on successfully.
I see a line with POST, followed by multiple lines containing the wp-admin reference.
IPV4 – – [13/Apr/2013:16:44:24 +0000] “POST /wp-login.php HTTP/1.1” 302 –
IPV4 – – [13/Apr/2013:16:44:25 +0000] “GET /wp-admin/ HTTP/1.1” 200 63408
So that’s what I’ll be looking for. Reading the article about the attack reveals that the bots are looking to exploit the default login of ‘admin’, which allows a log in with all privileges. I know that this account is deleted on all of my installations; however, I still want to know if there was anything further to worry about.
Looking at the access_log, the only successful log in attempts that I found were ones where I know it’s me. There were, however, many attempts to log onto my server unsuccessfully. The next section (-BOT LOGIN ATTEMPTS-) is an example of such an attempt.
Knowing that my server is safe from this particular attack, I can cease my analysis and conclude that I am in no immediate danger. There were multiple unsuccessful attempts that yielded nothing for the attacker.
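The comparison described above can be automated instead of read by eye. The following is an added example, not the author's own tooling: it treats a POST to /wp-login.php answered with 200 as a failed login and a 302 followed shortly by a 200 for /wp-admin/ as a successful one, exactly as in the baseline on this page. The client addresses are constructed documentation-range values, the function names and thresholds are assumptions, and the sample uses the straight quotes and hyphens of a real access_log rather than the typographic ones shown here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one access_log entry, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }

def analyze(lines, follow_window=timedelta(seconds=5), burst_threshold=5):
    """Classify wp-login.php activity per client, using the page's baseline."""
    failed = defaultdict(int)  # host -> count of POST /wp-login.php -> 200
    pending = {}               # host -> time of a 302 awaiting GET /wp-admin/
    successes, skipped = [], 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            skipped += 1       # keep count so unparsed lines are not silently lost
            continue
        host = e["host"]
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            if e["status"] == 200:      # login form re-rendered: bad credentials
                failed[host] += 1
            elif e["status"] == 302:    # redirect: candidate successful login
                pending[host] = e["time"]
        elif (e["method"] == "GET" and e["path"].startswith("/wp-admin/")
              and e["status"] == 200 and host in pending):
            if e["time"] - pending.pop(host) <= follow_window:
                successes.append((host, e["time"]))
    return {
        "successes": successes,
        "failed": dict(failed),
        "brute_force": sorted(h for h, n in failed.items() if n >= burst_threshold),
        "skipped": skipped,
    }

# Constructed sample modelled on the entries shown on this page.
BOT, ADMIN = "203.0.113.7", "198.51.100.20"
SAMPLE_LOG = (
    [BOT + ' - - [10/Apr/2013:18:43:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3205'] * 6
    + [
        BOT + ' - - [10/Apr/2013:18:46:45 +0000] "GET /robots.txt HTTP/1.1" 404 290',
        "this line is not in common log format",
        ADMIN + ' - - [13/Apr/2013:16:44:24 +0000] "POST /wp-login.php HTTP/1.1" 302 -',
        ADMIN + ' - - [13/Apr/2013:16:44:25 +0000] "GET /wp-admin/ HTTP/1.1" 200 63408',
        ADMIN + ' - - [13/Apr/2013:18:39:46 +0000] "POST /wp-login.php HTTP/1.1" 200 3205',
    ]
)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("successful logins:", report["successes"])
    print("failed attempts per client:", report["failed"])
    print("clients over the burst threshold:", report["brute_force"])
    print("unparsed lines:", report["skipped"])
```

Any address listed under successful logins that is not your own is the entry to investigate first.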
The only other thing that I have a question about now is the second entry which shows up after each unsuccessful attempt. The line: IPV4 – – [10/Apr/2013:18:46:45 +0000] “GET /robots.txt HTTP/1.1” 404 290 says that the request is for the robots.txt file, which doesn’t exist on any of my installations. So does the bot put this file on the server if it gets access?!? I guess that’s a question for another day. Maybe I’ll create another WordPress installation with all default settings and see what happens… because WHY NOT?!? If I find anything, I’ll post it. Till then, go check your logs and see what’s up.
(FOLLOW-UP) ANSWER TO ROBOTS.TXT… This just goes to show you that you learn something new every day (and I love that!). I’ve never used a robots.txt file on any of my web servers, but it’s got some simple functionality that could be useful in many cases. A Wikipedia search will reveal that it’s a file which will prevent search engines from accessing otherwise public portions of a website.
—————————————–
Always remember… WHAT IF AND WHY NOT?!?
———————————————————————
– BOT LOGIN ATTEMPTS –
———————————————————————
UNSUCCESSFUL LOGIN
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
GET ROBOTS.TXT (FOUND IN ERROR LOG)
IPV4 – – [10/Apr/2013:18:46:45 +0000] “GET /robots.txt HTTP/1.1” 404 290
IPV4 – – [10/Apr/2013:18:48:28 +0000] “GET / HTTP/1.1” 301 –
IPV4 – – [10/Apr/2013:18:56:37 +0000] “GET /robots.txt HTTP/1.1” 404 294
———————————————————————
– THE BASELINE (INTENTIONALLY CREATED) –
———————————————————————
———————————————————————
– UNSUCCESSFUL LOG IN (BAD CREDENTIALS) –
———————————————————————
IPV4 – – [13/Apr/2013:18:39:46 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
———————————————————————
– SUCCESSFUL LOG IN –
———————————————————————
IPV4 – – [13/Apr/2013:16:44:24 +0000] “POST /wp-login.php HTTP/1.1” 302 –
IPV4 – – [13/Apr/2013:16:44:25 +0000] “GET /wp-admin/ HTTP/1.1” 200 63408
IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-includes/js/thickbox/thickbox.css?ver=20121105 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery,utils,json2&ver=3.5.1 HTTP/1.1” 200 38604
IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-admin/load-styles.php?c=1&dir=ltr&load=media-views&ver=3.5.1 HTTP/1.1” 200 5532
IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-content/plugins/jetpack/_inc/gallery-settings.js?ver=20121225 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-&load%5B%5D=ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,customize-base,customize-loader,thickbox,plugin-install,underscor&load%5B%5D=e,shortcode,media-upload,backbone,media-models,plupload,plupload-html5,plupload-flash,plupload-silverlight,plupload-html4,wp-plu&load%5B%5D=pload,media-views,media-editor&ver=3.5.1 HTTP/1.1” 200 95790
IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-content/plugins/jetpack/modules/contact-form/images/grunion-form.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-admin/images/wpspin_light.gif HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_incoming_links HTTP/1.1” 200 253
IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_primary HTTP/1.1” 200 1841
IPV4 – – [13/Apr/2013:16:44:28 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_secondary HTTP/1.1” 200 1357
IPV4 – – [13/Apr/2013:16:44:28 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_plugins HTTP/1.1” 200 964
IPV4 – – [13/Apr/2013:16:44:28 +0000] “GET /wp-admin/admin.php?page=stats&noheader&dashboard&width=994 HTTP/1.1” 200 3779
IPV4 – – [13/Apr/2013:16:44:30 +0000] “POST /wp-admin/admin.php?page=stats&noheader&chart=flot-stats-data HTTP/1.1” 200 9370
———————————————————————
– LOG OUT –
———————————————————————
IPV4 – – [13/Apr/2013:16:45:13 +0000] “GET /wp-login.php?action=logout&_wpnonce=b225c8aaa0 HTTP/1.1” 302 –
IPV4 – – [13/Apr/2013:16:45:13 +0000] “GET /wp-login.php?loggedout=true HTTP/1.1” 200 2340
———————————————————————
– USERS BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:47:06 +0000] “GET /wp-admin/users.php HTTP/1.1” 200 35352
———————————————————————
– PLUG INS BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:47:16 +0000] “GET /wp-admin/plugins.php HTTP/1.1” 200 48529
IPV4 – – [13/Apr/2013:16:47:18 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,thickbox,plugin-install,underscore,backbone&ver=3.5.1 HTTP/1.1” 200 20539
———————————————————————
– APPEARANCE BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:48:15 +0000] “GET /wp-admin/themes.php HTTP/1.1” 200 45422
IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/genesis/screenshot.png HTTP/1.1” 200 6557
IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/noteworthy/screenshot.png HTTP/1.1” 200 78791
IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,thickbox,theme,customize-base,customize-loader,underscore,backbone&ver=3.5.1 HTTP/1.1” 200 24141
IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/twentytwelve/screenshot.png HTTP/1.1” 200 171045
IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/twentyeleven/screenshot.png HTTP/1.1” 200 197796
———————————————————————
– SETTINGS BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:48:46 +0000] “GET /wp-admin/options-general.php HTTP/1.1” 200 54441
———————————————————————
– TOOLS BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:49:11 +0000] “GET /wp-admin/tools.php HTTP/1.1” 200 26733
IPV4 – – [13/Apr/2013:16:49:12 +0000] “GET /wp-admin/images/press-this.png?v=20120502 HTTP/1.1” 200 417
———————————————————————
– COMMENTS BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:49:45 +0000] “GET /wp-admin/edit-comments.php HTTP/1.1” 200 41283
IPV4 – – [13/Apr/2013:16:49:46 +0000] “GET /wp-includes/css/editor.min.css?ver=3.5.1 HTTP/1.1” 200 44756
IPV4 – – [13/Apr/2013:16:49:46 +0000] “GET /wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3.5.1 HTTP/1.1” 200 1083
IPV4 – – [13/Apr/2013:16:49:46 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,underscore,backbone,wo&load%5B%5D=rd-count,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-posi&load%5B%5D=tion,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=3.5.1 HTTP/1.1” 200 60397
———————————————————————
– PAGE BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:50:07 +0000] “GET /wp-admin/edit.php?post_type=page HTTP/1.1” 200 46395
IPV4 – – [13/Apr/2013:16:50:08 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,suggest,inline-edit-post,underscore,backbone&ver=3.5.1 HTTP/1.1” 200 19612
———————————————————————
– MEDIA BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:50:25 +0000] “GET /wp-admin/upload.php HTTP/1.1” 200 74468
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Posts_Comments_Bulk_Settings-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Posts_Screen_Options-300×61.png HTTP/1.1” 200 8471
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_Discussion_Settings-150×150.png HTTP/1.1” 200 21932
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Pages_Comments_Options-300×49.png HTTP/1.1” 200 5743
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/NOQUEUE.png HTTP/1.1” 200 10398
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_Discussion_Settings1-150×150.png HTTP/1.1” 200 21932
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Comments_On_Website-150×150.png HTTP/1.1” 200 11906
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Post_addnew-150×150.png HTTP/1.1” 200 5838
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Media_Insert_Media-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Page_addnew1-150×150.png HTTP/1.1” 200 6086
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/centos.png HTTP/1.1” 200 2964
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Media_Upload_Edit-300×71.png HTTP/1.1” 200 10973
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Buttons-144×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Media_Edit_Media-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Tools_all-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Users_addnew-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Users_all-copy-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_writings-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_permalink-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_reading-150×150.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,wp-ajax-response,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-draggable,media,undersco&load%5B%5D=re,backbone&ver=3.5.1 HTTP/1.1” 200 27612
———————————————————————
– POSTS BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:50:53 +0000] “GET /wp-admin/edit.php HTTP/1.1” 200 92421
———————————————————————
– ADD POST BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:51:59 +0000] “GET /wp-admin/post-new.php HTTP/1.1” 200 95163
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd.core.js?ver=20120221 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/jquery.atd.js?ver=20120221 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd.css?ver=20120221 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd-nonvis-editor-plugin.js?ver=20120221 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,buttons,media-views,wp-admin&ver=3.5.1 HTTP/1.1” 200 36438
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd-autoproofread.js?ver=20120221 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/install_atd_l10n.js?ver=20120221 HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,schedule,wp-ajax-response,autosave,suggest,jquery-color,wp-lists,postbox,post,thickbox,shortcode,me&load%5B%5D=dia-editor,word-count,editor,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdial&load%5B%5D=ogs,wplink,wpdialogs-popup,wp-fullscreen,media-upload&ver=3.5.1 HTTP/1.1” 200 60279
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery,utils,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,backbone,media-models,plupload,pluplo&load%5B%5D=ad-html5,plupload-flash,plupload-silverlight,plupload-html4,json2,wp-plupload,media-views,quicktags&ver=3.5.1 HTTP/1.1” 200 101740
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-includes/js/tinymce/langs/wp-langs-en.js?ver=358-23224 HTTP/1.1” 200 13662
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294
IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=358-23224 HTTP/1.1” 200 115718
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/tinymce/editor_plugin.js?v=20120221&ver=358-23224 HTTP/1.1” 200 16170
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-admin/images/media-button.png HTTP/1.1” 200 323
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-admin/images/date-button.gif HTTP/1.1” 200 400
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-admin/images/resize.gif HTTP/1.1” 200 71
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/spellchecker/css/content.css HTTP/1.1” 200 97
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/tinymce/css/content.css?ver=358-23224 HTTP/1.1” 200 233
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/window.css?ver=358-23224 HTTP/1.1” 200 6859
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/themes/noteworthy/editor-style.css HTTP/1.1” 200 1676
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/content.css HTTP/1.1” 200 3842
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpeditimage/img/image.png HTTP/1.1” 200 946
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpeditimage/img/delete.png HTTP/1.1” 200 1386
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpgallery/img/edit.png HTTP/1.1” 200 1590
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/tinymce/atdbuttontr.gif HTTP/1.1” 200 123
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpgallery/img/delete.png HTTP/1.1” 200 1386
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/themes/advanced/img/icons.gif HTTP/1.1” 200 11982
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/images/wpicons.png?ver=20120720 HTTP/1.1” 200 16089
IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/images/down_arrow.gif HTTP/1.1” 200 60
———————————————————————
– POST — UPDATE — PUBLISH BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:52:33 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 259
IPV4 – – [13/Apr/2013:16:52:34 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 246
IPV4 – – [13/Apr/2013:16:52:40 +0000] “POST /wp-admin/post.php HTTP/1.1” 302 –
IPV6 – – [13/Apr/2013:16:52:41 +0000] “POST /wp-cron.php?doing_wp_cron=1365871961.7418789863586425781250 HTTP/1.0” 200 –
IPV4 – – [13/Apr/2013:16:52:41 +0000] “GET /wp-admin/post.php?post=599&action=edit&message=6 HTTP/1.1” 200 98334
IPV4 – – [13/Apr/2013:16:52:42 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery,utils,quicktags,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,backbone,media-models,plupl&load%5B%5D=oad,plupload-html5,plupload-flash,plupload-silverlight,plupload-html4,json2,wp-plupload,media-views&ver=3.5.1 HTTP/1.1” 200 101809
IPV4 – – [13/Apr/2013:16:52:43 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,schedule,wp-ajax-response,autosave,jquery-color,wp-lists,jquery-query,admin-comments,suggest,postbo&load%5B%5D=x,post,thickbox,shortcode,media-editor,word-count,editor,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-posi&load%5B%5D=tion,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup,wp-fullscreen,media-upload&ver=3.5.1 HTTP/1.1” 200 65729
IPV4 – – [13/Apr/2013:16:52:43 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294
———————————————————————
– RANDOM WHILE ON THE POST PAGE –
———————————————————————
IPV4 – – [13/Apr/2013:16:52:55 +0000] “GET /robots.txt HTTP/1.1” 404 294
IPV4 – – [13/Apr/2013:16:52:55 +0000] “GET /?feed=rss2 HTTP/1.1” 200 140824
IPV4 – – [13/Apr/2013:16:52:56 +0000] “GET / HTTP/1.1” 200 13932
———————————————————————
– PAGE BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:53:43 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 320
IPV6 – – [13/Apr/2013:16:53:49 +0000] “POST /wp-cron.php?doing_wp_cron=1365872029.7804329395294189453125 HTTP/1.0” 200 –
IPV4 – – [13/Apr/2013:16:53:49 +0000] “GET /wp-admin/edit.php?post_type=page HTTP/1.1” 200 46395
IPV4 – – [13/Apr/2013:16:53:50 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 1
———————————————————————
– ADD PAGE BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:54:46 +0000] “GET /wp-admin/post-new.php?post_type=page HTTP/1.1” 200 81104
IPV4 – – [13/Apr/2013:16:54:47 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294
———————————————————————
– PAGE AUTOSAVE (BEFORE PUBLISHING) –
———————————————————————
IPV4 – – [13/Apr/2013:16:55:19 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 259
IPV4 – – [13/Apr/2013:16:55:20 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 252
IPV4 – – [13/Apr/2013:16:55:48 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 320
———————————————————————
– PAGE — PUBLISH BUTTON –
———————————————————————
IPV4 – – [13/Apr/2013:16:56:01 +0000] “POST /wp-admin/post.php HTTP/1.1” 302 –
IPV4 – – [13/Apr/2013:16:56:02 +0000] “GET /wp-admin/post.php?post=602&action=edit&message=6 HTTP/1.1” 200 84257
IPV4 – – [13/Apr/2013:16:56:03 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294
———————————————————————
– VISITING SITE (NOT LOGGED IN) –
———————————————————————
IPV4 – – [13/Apr/2013:16:57:31 +0000] “GET / HTTP/1.1” 200 13934
IPV4 – – [13/Apr/2013:16:57:32 +0000] “GET /wp-content/plugins/easy-fancybox/easy-fancybox.css.php?ver=1.3.4 HTTP/1.1” 200 8158
IPV4 – – [13/Apr/2013:16:57:32 +0000] “GET /wp-content/uploads/wpcf7_captcha/2083839035.png HTTP/1.1” 200 1048
———————————————————————
– CLICKING ON ARCHIVES (NOT LOGGED IN) –
———————————————————————
IPV4 – – [13/Apr/2013:16:58:48 +0000] “GET /?page_id=371 HTTP/1.1” 200 23566
IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/plugins/easy-fancybox/easy-fancybox.css.php?ver=1.3.4 HTTP/1.1” 200 8158
IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/uploads/2013/02/httpd_VHost_fail-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/uploads/2013/02/no_godaddy-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/uploads/2013/02/fedora_install-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/03/phpMyAdmin_Logo-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/02/postfix_tls-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/02/Drupal_install-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/03/vsftpd_wordpress-100×75.png HTTP/1.1” 304 –
IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/wpcf7_captcha/1991504088.png HTTP/1.1” 200 930