Strange wordpress login patterns, (Thu, Jan 15th)

Reader Robert came today with a very interesting situation. He noticed odd wordpress login patterns:

T 31.47.254.62:51020 – +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 131.
Content-Type: application/x-www-form-urlencoded.
.
log=adminpwd=admin%21%21%21wp-submit=Log+Inredirect_to=http://**redacted**/wp-admin/tes1a0″>T 62.210.207.146:43322 – +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 113.
Content-Type: application/x-www-form-urlencoded.
.
log=ahenrypwd=Ahenry%24%24%24wp-submit=Log+Inredirect_to=http://**redacted**/wp-admin/tes1a0″>T 109.199.82.5:46902 – +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 110.
Content-Type: application/x-www-form-urlencoded.
.
log=natemcpwd=Johns666wp-submit=Log+Inredirect_to=http://**redacted**/wp-admin/tes1a0″>”>tes1a0
in the WordPress 4.1 installation download and its not part of the code. It”>Have you seen this kind of wordpress attempts? If yes, let us know via Contact form. I will update the diary with the information gathered.

Manuel Humberto Santander Pelez
SANS Internet Storm Center – Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

CyberSafe-WP-Admin