Apr 13

WordPress Attack!!! Let’s take a look

———————————————————————
– OVERVIEW / THOUGHT PROCESS –
———————————————————————

Recently, an article was written regarding a massive attack on WordPress sites through an array of linked computers. The analogy was that one (1) fire hose could be pointed at a brick wall with no destruction… but hundreds and even thousands of fire hoses pointed at that same wall could cause some serious damage depending on how thick that wall is.

As soon as I saw this article, I was interested in seeing if websites housed on my servers were hit with this bot. Immediately, I copied all of my log files and sent them to myself for analysis. Following this, I did a series of clicks and pastes to help me analyze the files. Below is the WordPress button that I clicked and the log below the title is exactly what was posted in my access_log file as the page was requested from the server.

I sanitized a few things, so when you see these entries, you’ll know what I’m talking about.  Also, I’ll give you an explanation of the lines in the logs so that you know what you’re seeing:

IPV4 – – stands for Internet Protocol Version 4, which is the standard IP address format used to deliver most traffic on the internet today.

IPV6 – – stands for Internet Protocol Version 6, the future of IP addresses, developed because the number of available IPV4 addresses is running low.

LOG EXPLANATION – – Example Entry:  IPV4 – – [13/Apr/2013:16:44:24 +0000] “POST /wp-login.php HTTP/1.1” 302 –

  •  IPV4 – this text replaces the actual IP address located in the unchanged log file.
  • [13/Apr/2013:16:44:24 +0000] – Time stamp for the log… these were all done at the same time, but the actual log will show when an attacker attempted to access your files.
  • POST – This is the command (the HTTP request method) that was sent to the server.  Common commands are GET, HEAD, POST, and TRACE.
  • /wp-login.php – This is the file to which the command is referring.  The parameters passed with this command travel in the body of the request, which the access_log file does not record.
  • HTTP/1.1 – This is the protocol being used in the request.
  • 302 – This is the status code which will tell us what happened in the request.  You can find each of the status codes in the reference found here.

———————————————————————
– WHAT’S THE GAME PLAN? –
———————————————————————

The easiest way to know if a bot was trying to log onto my server is to look at the logs from a time when I know I was not attempting to update any pages on that server.  Since the article doesn’t reference a time-frame when the attacks started, I can assume that the most recent access_log entry that I don’t recognize is an attack.  The only way to verify this is to compare this entry to a KNOWN entry, or baseline, which I’ve created below.  Each of the logs below was purposefully created to identify a baseline for each action that I can do on the server.

Therefore, I will compare the log entries that I think are attacks with the baseline to identify any malicious intent.  Here’s the link to the Baseline (intentionally created logs).

———————————————————————
– ANALYSIS / RESULTS –
———————————————————————

There are over 33,000 lines in the access_log, so I really need to narrow this analysis down to something specific.  The easiest way to understand if a bot was able to log onto my server is to look at what happens when I log on successfully.

I see a line with POST, followed by multiple lines containing the wp-admin reference:

IPV4 – – [13/Apr/2013:16:44:24 +0000] “POST /wp-login.php HTTP/1.1” 302 –
IPV4 – – [13/Apr/2013:16:44:25 +0000] “GET /wp-admin/ HTTP/1.1” 200 63408

So that’s what I’ll be looking for.  Reading the article about the attack reveals that the bots are looking to exploit the default login of ‘admin’, which allows a login with all privileges.  I know that this account is deleted for all of my installations; however, I still want to know if there was anything further to worry about.

Looking at the access_log, the only successful log in attempts that I found were ones where I know it’s me.  There were, however, many attempts to log onto my server unsuccessfully.  The next section (-BOT LOGIN ATTEMPTS-) is an example of such an attempt.

Knowing that my server is safe from this particular attack, I can cease my analysis and conclude that I am in no immediate danger.  There were multiple unsuccessful attempts that yielded nothing for the attacker.
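
The comparison described above can be automated. The following is an added example, not part of the original post: it parses access_log lines in the format explained earlier and applies the baseline (POST /wp-login.php answered 200 is a failed login; answered 302 and followed by a 200 on /wp-admin/ is a successful one). The IP addresses, thresholds and function names are assumptions made for illustration, and the sample lines are constructed with the plain ASCII quotes and hyphens a real access_log contains.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# host ident user [timestamp] "METHOD path PROTOCOL" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)

def parse_line(line):
    """Parse one access_log line; return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "host": m["host"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore the query string
        "status": int(m["status"]),
    }

def max_in_window(times, window):
    """Largest number of events inside any time span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(lines, known_hosts=(), burst=5, window_s=60, follow_s=10):
    failed = defaultdict(list)  # host -> times of POST /wp-login.php answered 200
    pending = {}                # host -> time of POST /wp-login.php answered 302
    logins = []                 # (host, time) confirmed by a /wp-admin/ page load
    for rec in filter(None, map(parse_line, lines)):
        host, when = rec["host"], rec["time"]
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            if rec["status"] == 200:      # login form served again: bad credentials
                failed[host].append(when)
            elif rec["status"] == 302:    # redirect: candidate successful login
                pending[host] = when
        elif (rec["method"] == "GET" and rec["path"].startswith("/wp-admin/")
              and rec["status"] == 200 and host in pending):
            posted = pending.pop(host)
            if when - posted <= timedelta(seconds=follow_s):
                logins.append((host, posted))
    window = timedelta(seconds=window_s)
    return {
        "failed": {h: len(t) for h, t in failed.items()},
        "bursts": sorted(h for h, t in failed.items() if max_in_window(t, window) >= burst),
        "logins": logins,
        "unexpected_logins": [(h, t) for h, t in logins if h not in known_hosts],
    }

# Constructed sample: RFC 5737 documentation addresses stand in for the
# sanitized "IPV4" field; requests and status codes mirror the post's entries.
BOT, ADMIN = "203.0.113.50", "198.51.100.7"
SAMPLE_LOG = [
    f'{BOT} - - [10/Apr/2013:18:43:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3205'
] * 11 + [
    f'{BOT} - - [10/Apr/2013:18:46:45 +0000] "GET /robots.txt HTTP/1.1" 404 290',
    f'{ADMIN} - - [13/Apr/2013:16:44:24 +0000] "POST /wp-login.php HTTP/1.1" 302 -',
    f'{ADMIN} - - [13/Apr/2013:16:44:25 +0000] "GET /wp-admin/ HTTP/1.1" 200 63408',
    f'{ADMIN} - - [13/Apr/2013:18:39:46 +0000] "POST /wp-login.php HTTP/1.1" 200 3205',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, known_hosts={ADMIN})
    print(report["failed"], report["bursts"], report["unexpected_logins"])
```

Any host listed under "bursts" is hammering the login form, and any entry under "unexpected_logins" is a successful login from an address that is not one of your own, which is the case that needs immediate attention.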

The only other thing that I have a question on, now, is the second entry which shows up after each unsuccessful attempt.  The line: IPV4 – – [10/Apr/2013:18:46:45 +0000] “GET /robots.txt HTTP/1.1” 404 290 says that the request is for the robots.txt file which doesn’t exist on any of my installations.  So does the bot put this file on the server if it gets access?!?  I guess that’s a question for another day.  Maybe I’ll create another WordPress installation with all default settings and see what happens… because WHY NOT?!?  If I find anything, I’ll post it.  Till then, go check your logs and see what’s up.

(FOLLOW-UP)  ANSWER TO ROBOTS.TXT… This just goes to show you that you learn something new every day (and I love that!).  I’ve never used a robots.txt file on any of my web servers, but it’s got some simple functionality that could be useful in many cases.  A Wikipedia search will reveal that it’s a file which will prevent search engines from accessing otherwise public portions of a website.

 

—————————————–

Always remember… WHAT IF AND WHY NOT?!?

———————————————————————
– BOT LOGIN ATTEMPTS –
———————————————————————

UNSUCCESSFUL LOGIN

IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205
IPV4 – – [10/Apr/2013:18:43:18 +0000] “POST /wp-login.php HTTP/1.1” 200 3205

GET ROBOTS.TXT (FOUND IN ERROR LOG)

IPV4 – – [10/Apr/2013:18:46:45 +0000] “GET /robots.txt HTTP/1.1” 404 290
IPV4 – – [10/Apr/2013:18:48:28 +0000] “GET / HTTP/1.1” 301 –
IPV4 – – [10/Apr/2013:18:56:37 +0000] “GET /robots.txt HTTP/1.1” 404 294

———————————————————————
– THE BASELINE (INTENTIONALLY CREATED) –
———————————————————————


HERE’S THE BASELINE:

———————————————————————
– UNSUCCESSFUL LOG IN (BAD CREDENTIALS) –
———————————————————————

IPV4 – – [13/Apr/2013:18:39:46 +0000] “POST /wp-login.php HTTP/1.1” 200 3205

———————————————————————
– SUCCESSFUL LOG IN –
———————————————————————

IPV4 – – [13/Apr/2013:16:44:24 +0000] “POST /wp-login.php HTTP/1.1” 302 –

IPV4 – – [13/Apr/2013:16:44:25 +0000] “GET /wp-admin/ HTTP/1.1” 200 63408

IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-includes/js/thickbox/thickbox.css?ver=20121105 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery,utils,json2&ver=3.5.1 HTTP/1.1” 200 38604

IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-admin/load-styles.php?c=1&dir=ltr&load=media-views&ver=3.5.1 HTTP/1.1” 200 5532

IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-content/plugins/jetpack/_inc/gallery-settings.js?ver=20121225 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-&load%5B%5D=ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,customize-base,customize-loader,thickbox,plugin-install,underscor&load%5B%5D=e,shortcode,media-upload,backbone,media-models,plupload,plupload-html5,plupload-flash,plupload-silverlight,plupload-html4,wp-plu&load%5B%5D=pload,media-views,media-editor&ver=3.5.1 HTTP/1.1” 200 95790

IPV4 – – [13/Apr/2013:16:44:26 +0000] “GET /wp-content/plugins/jetpack/modules/contact-form/images/grunion-form.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-admin/images/wpspin_light.gif HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_incoming_links HTTP/1.1” 200 253

IPV4 – – [13/Apr/2013:16:44:27 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_primary HTTP/1.1” 200 1841

IPV4 – – [13/Apr/2013:16:44:28 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_secondary HTTP/1.1” 200 1357

IPV4 – – [13/Apr/2013:16:44:28 +0000] “GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_plugins HTTP/1.1” 200 964

IPV4 – – [13/Apr/2013:16:44:28 +0000] “GET /wp-admin/admin.php?page=stats&noheader&dashboard&width=994 HTTP/1.1” 200 3779

IPV4 – – [13/Apr/2013:16:44:30 +0000] “POST /wp-admin/admin.php?page=stats&noheader&chart=flot-stats-data HTTP/1.1” 200 9370

———————————————————————
– LOG OUT –
———————————————————————

IPV4 – – [13/Apr/2013:16:45:13 +0000] “GET /wp-login.php?action=logout&_wpnonce=b225c8aaa0 HTTP/1.1” 302 –

IPV4 – – [13/Apr/2013:16:45:13 +0000] “GET /wp-login.php?loggedout=true HTTP/1.1” 200 2340

———————————————————————
– USERS BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:47:06 +0000] “GET /wp-admin/users.php HTTP/1.1” 200 35352

———————————————————————
– PLUG INS BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:47:16 +0000] “GET /wp-admin/plugins.php HTTP/1.1” 200 48529

IPV4 – – [13/Apr/2013:16:47:18 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,thickbox,plugin-install,underscore,backbone&ver=3.5.1 HTTP/1.1” 200 20539

———————————————————————
– APPEARANCE BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:48:15 +0000] “GET /wp-admin/themes.php HTTP/1.1” 200 45422

IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/genesis/screenshot.png HTTP/1.1” 200 6557

IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/noteworthy/screenshot.png HTTP/1.1” 200 78791

IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,thickbox,theme,customize-base,customize-loader,underscore,backbone&ver=3.5.1 HTTP/1.1” 200 24141

IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/twentytwelve/screenshot.png HTTP/1.1” 200 171045

IPV4 – – [13/Apr/2013:16:48:17 +0000] “GET /wp-content/themes/twentyeleven/screenshot.png HTTP/1.1” 200 197796

———————————————————————
– SETTINGS BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:48:46 +0000] “GET /wp-admin/options-general.php HTTP/1.1” 200 54441

———————————————————————
– TOOLS BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:49:11 +0000] “GET /wp-admin/tools.php HTTP/1.1” 200 26733

IPV4 – – [13/Apr/2013:16:49:12 +0000] “GET /wp-admin/images/press-this.png?v=20120502 HTTP/1.1” 200 417

———————————————————————
– COMMENTS BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:49:45 +0000] “GET /wp-admin/edit-comments.php HTTP/1.1” 200 41283

IPV4 – – [13/Apr/2013:16:49:46 +0000] “GET /wp-includes/css/editor.min.css?ver=3.5.1 HTTP/1.1” 200 44756

IPV4 – – [13/Apr/2013:16:49:46 +0000] “GET /wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3.5.1 HTTP/1.1” 200 1083

IPV4 – – [13/Apr/2013:16:49:46 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,underscore,backbone,wo&load%5B%5D=rd-count,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-posi&load%5B%5D=tion,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=3.5.1 HTTP/1.1” 200 60397

———————————————————————
– PAGE BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:50:07 +0000] “GET /wp-admin/edit.php?post_type=page HTTP/1.1” 200 46395

IPV4 – – [13/Apr/2013:16:50:08 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,suggest,inline-edit-post,underscore,backbone&ver=3.5.1 HTTP/1.1” 200 19612

———————————————————————
– MEDIA BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:50:25 +0000] “GET /wp-admin/upload.php HTTP/1.1” 200 74468

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Posts_Comments_Bulk_Settings-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Posts_Screen_Options-300×61.png HTTP/1.1” 200 8471

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_Discussion_Settings-150×150.png HTTP/1.1” 200 21932

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Pages_Comments_Options-300×49.png HTTP/1.1” 200 5743

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/NOQUEUE.png HTTP/1.1” 200 10398

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_Discussion_Settings1-150×150.png HTTP/1.1” 200 21932

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Comments_On_Website-150×150.png HTTP/1.1” 200 11906

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Post_addnew-150×150.png HTTP/1.1” 200 5838

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Media_Insert_Media-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Page_addnew1-150×150.png HTTP/1.1” 200 6086

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/centos.png HTTP/1.1” 200 2964

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Media_Upload_Edit-300×71.png HTTP/1.1” 200 10973

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Buttons-144×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Media_Edit_Media-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Tools_all-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Users_addnew-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Users_all-copy-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_writings-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_permalink-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-content/uploads/2013/03/Wordpress_Settings_reading-150×150.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:50:27 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,wp-ajax-response,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-draggable,media,undersco&load%5B%5D=re,backbone&ver=3.5.1 HTTP/1.1” 200 27612

———————————————————————
– POSTS BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:50:53 +0000] “GET /wp-admin/edit.php HTTP/1.1” 200 92421

———————————————————————
– ADD POST BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:51:59 +0000] “GET /wp-admin/post-new.php HTTP/1.1” 200 95163

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd.core.js?ver=20120221 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/jquery.atd.js?ver=20120221 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd.css?ver=20120221 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd-nonvis-editor-plugin.js?ver=20120221 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,buttons,media-views,wp-admin&ver=3.5.1 HTTP/1.1” 200 36438

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/atd-autoproofread.js?ver=20120221 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/install_atd_l10n.js?ver=20120221 HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,schedule,wp-ajax-response,autosave,suggest,jquery-color,wp-lists,postbox,post,thickbox,shortcode,me&load%5B%5D=dia-editor,word-count,editor,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdial&load%5B%5D=ogs,wplink,wpdialogs-popup,wp-fullscreen,media-upload&ver=3.5.1 HTTP/1.1” 200 60279

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery,utils,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,backbone,media-models,plupload,pluplo&load%5B%5D=ad-html5,plupload-flash,plupload-silverlight,plupload-html4,json2,wp-plupload,media-views,quicktags&ver=3.5.1 HTTP/1.1” 200 101740

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-includes/js/tinymce/langs/wp-langs-en.js?ver=358-23224 HTTP/1.1” 200 13662

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294

IPV4 – – [13/Apr/2013:16:52:00 +0000] “GET /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=358-23224 HTTP/1.1” 200 115718

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/tinymce/editor_plugin.js?v=20120221&ver=358-23224 HTTP/1.1” 200 16170

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-admin/images/media-button.png HTTP/1.1” 200 323

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-admin/images/date-button.gif HTTP/1.1” 200 400

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-admin/images/resize.gif HTTP/1.1” 200 71

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/spellchecker/css/content.css HTTP/1.1” 200 97

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/tinymce/css/content.css?ver=358-23224 HTTP/1.1” 200 233

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/window.css?ver=358-23224 HTTP/1.1” 200 6859

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/themes/noteworthy/editor-style.css HTTP/1.1” 200 1676

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/content.css HTTP/1.1” 200 3842

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpeditimage/img/image.png HTTP/1.1” 200 946

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpeditimage/img/delete.png HTTP/1.1” 200 1386

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpgallery/img/edit.png HTTP/1.1” 200 1590

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-content/plugins/jetpack/modules/after-the-deadline/tinymce/atdbuttontr.gif HTTP/1.1” 200 123

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/plugins/wpgallery/img/delete.png HTTP/1.1” 200 1386

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/js/tinymce/themes/advanced/img/icons.gif HTTP/1.1” 200 11982

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/images/wpicons.png?ver=20120720 HTTP/1.1” 200 16089

IPV4 – – [13/Apr/2013:16:52:02 +0000] “GET /wp-includes/images/down_arrow.gif HTTP/1.1” 200 60

———————————————————————
– POST — UPDATE — PUBLISH BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:52:33 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 259

IPV4 – – [13/Apr/2013:16:52:34 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 246

IPV4 – – [13/Apr/2013:16:52:40 +0000] “POST /wp-admin/post.php HTTP/1.1” 302 –

IPV6 – – [13/Apr/2013:16:52:41 +0000] “POST /wp-cron.php?doing_wp_cron=1365871961.7418789863586425781250 HTTP/1.0” 200 –

IPV4 – – [13/Apr/2013:16:52:41 +0000] “GET /wp-admin/post.php?post=599&action=edit&message=6 HTTP/1.1” 200 98334

IPV4 – – [13/Apr/2013:16:52:42 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery,utils,quicktags,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,backbone,media-models,plupl&load%5B%5D=oad,plupload-html5,plupload-flash,plupload-silverlight,plupload-html4,json2,wp-plupload,media-views&ver=3.5.1 HTTP/1.1” 200 101809

IPV4 – – [13/Apr/2013:16:52:43 +0000] “GET /wp-admin/load-scripts.php?c=1&load%5B%5D=admin-bar,hoverIntent,common,schedule,wp-ajax-response,autosave,jquery-color,wp-lists,jquery-query,admin-comments,suggest,postbo&load%5B%5D=x,post,thickbox,shortcode,media-editor,word-count,editor,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-posi&load%5B%5D=tion,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup,wp-fullscreen,media-upload&ver=3.5.1 HTTP/1.1” 200 65729

IPV4 – – [13/Apr/2013:16:52:43 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294

———————————————————————
– RANDOM WHILE ON THE POST PAGE –
———————————————————————

IPV4 – – [13/Apr/2013:16:52:55 +0000] “GET /robots.txt HTTP/1.1” 404 294

IPV4 – – [13/Apr/2013:16:52:55 +0000] “GET /?feed=rss2 HTTP/1.1” 200 140824

IPV4 – – [13/Apr/2013:16:52:56 +0000] “GET / HTTP/1.1” 200 13932

———————————————————————
– PAGE BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:53:43 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 320

IPV6 – – [13/Apr/2013:16:53:49 +0000] “POST /wp-cron.php?doing_wp_cron=1365872029.7804329395294189453125 HTTP/1.0” 200 –

IPV4 – – [13/Apr/2013:16:53:49 +0000] “GET /wp-admin/edit.php?post_type=page HTTP/1.1” 200 46395

IPV4 – – [13/Apr/2013:16:53:50 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 1

———————————————————————
– ADD PAGE BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:54:46 +0000] “GET /wp-admin/post-new.php?post_type=page HTTP/1.1” 200 81104

IPV4 – – [13/Apr/2013:16:54:47 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294

———————————————————————
– PAGE AUTOSAVE (BEFORE PUBLISHING) –
———————————————————————

IPV4 – – [13/Apr/2013:16:55:19 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 259

IPV4 – – [13/Apr/2013:16:55:20 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 252

IPV4 – – [13/Apr/2013:16:55:48 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 320

———————————————————————
– PAGE — PUBLISH BUTTON –
———————————————————————

IPV4 – – [13/Apr/2013:16:56:01 +0000] “POST /wp-admin/post.php HTTP/1.1” 302 –

IPV4 – – [13/Apr/2013:16:56:02 +0000] “GET /wp-admin/post.php?post=602&action=edit&message=6 HTTP/1.1” 200 84257

IPV4 – – [13/Apr/2013:16:56:03 +0000] “GET /wp-admin/admin-ajax.php?action=atd_settings&ver=20120221 HTTP/1.1” 200 294

———————————————————————
– VISITING SITE (NOT LOGGED IN) –
———————————————————————

IPV4 – – [13/Apr/2013:16:57:31 +0000] “GET / HTTP/1.1” 200 13934

IPV4 – – [13/Apr/2013:16:57:32 +0000] “GET /wp-content/plugins/easy-fancybox/easy-fancybox.css.php?ver=1.3.4 HTTP/1.1” 200 8158

IPV4 – – [13/Apr/2013:16:57:32 +0000] “GET /wp-content/uploads/wpcf7_captcha/2083839035.png HTTP/1.1” 200 1048

———————————————————————
– CLICKING ON ARCHIVES (NOT LOGGED IN) –
———————————————————————

IPV4 – – [13/Apr/2013:16:58:48 +0000] “GET /?page_id=371 HTTP/1.1” 200 23566

IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/plugins/easy-fancybox/easy-fancybox.css.php?ver=1.3.4 HTTP/1.1” 200 8158

IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/uploads/2013/02/httpd_VHost_fail-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/uploads/2013/02/no_godaddy-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:49 +0000] “GET /wp-content/uploads/2013/02/fedora_install-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/03/phpMyAdmin_Logo-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/02/postfix_tls-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/02/Drupal_install-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/2013/03/vsftpd_wordpress-100×75.png HTTP/1.1” 304 –

IPV4 – – [13/Apr/2013:16:58:50 +0000] “GET /wp-content/uploads/wpcf7_captcha/1991504088.png HTTP/1.1” 200 930