Worrying log entry

Posted: Tue Jan 27, 2015 12:31 pm
by faris
This is on a NON-ASL WP installation.

In the httpd access_log for a particular WordPress site, I noticed this:

92.63.87.10 - - [27/Jan/2015:16:06:19 +0000] "GET / HTTP/1.1" 301 279 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" "Mozilla/5.0 (Macintosh;Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"

92.63.87.10 - - [27/Jan/2015:16:06:28 +0000] "GET / HTTP/1.1" 200 64025 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"
To me, this appears to be an attempt to obtain the wp-config for a domain via what is probably an insecure theme.

What's confusing me is that the domain shown in the log entry is not hosted on the server in question.

And what seems to be happening is a 301 redirect followed by a 200 OK with a significant amount of data.

I seem to recall that when there's a GET with a different domain in a log, it is usually an attempt at using the server as a proxy, which invariably fails on a plesk box, if I recall correctly.

But given that a chunk of data seemed to be transferred, something different seems to be happening here and I'm afraid I can't work it out.

Can someone shed some light please?

Re: Worrying log entry

Posted: Tue Jan 27, 2015 3:16 pm
by mikeshinn
That's a referrer, not the request. The request was for "GET /", the referrer was "http://billmanengquist.se/wp-content/th ... config.php"

That's harmless in the referrer and why you're seeing a different domain in the referrer. That's normal. The IP is on the Atomicorp Threat Intelligence index:

https://loggerhead/int/lookup/?ip_search=92.63.87.10

So if you're worried about the source, just make sure you have enabled the TI.

Re: Worrying log entry

Posted: Tue Jan 27, 2015 3:26 pm
by faris
So what you are saying is that I'm going blind in my old age?

ROFL.

Thanks though. Yes, makes sense.

Unfortunately this is a non-ASL machine. Not mine but I look after it, for my sins.

Re: Worrying log entry

Posted: Tue Jan 27, 2015 3:30 pm
by mikeshinn
Aren't we all going blind in our old age? :-)

It's an interesting referrer by itself, awfully weird to see it there. I'd look at what else that IP sent, and that domain.

Re: Worrying log entry

Posted: Wed Jan 28, 2015 10:32 am
by faris
There was only one other entry which I'm afraid I have since lost track of but as I recall it wasn't too interesting.

I did a clamscan on the hosted domain (standard rules, not ASL ones) and it came out OK, and the WP installation was up to date, so I'm not too worried.