I have received some password reset emails for the user "admin" (i.e., username admin) on an old (but up-to-date) WordPress installation. The site owner did not request these password resets.
It is very unlikely that the attacker has access to the email address to which the password reset was sent (or could have intercepted data on the path between the web server and the email client).
Why might a hacker try to reset the password? (I found the WordPress 4.0 CSRF password reset vulnerability, but as far as I can see, this does not seem to match what I am seeing.)
The relevant (sanitized) log file entries (starting at about the time the reset email was received) look like this:
www.attacked.wpsite.addr:443 74.63.240.187 - - [28/Dec/2017:06:10:17 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"
www.attacked.wpsite.addr:443 74.63.240.187 - - [28/Dec/2017:06:10:19 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"
www.attacked.wpsite.addr:443 54.148.232.32 - - [28/Dec/2017:06:10:22 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 54.148.232.32 - - [28/Dec/2017:06:10:24 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 162.243.152.212 - - [28/Dec/2017:06:18:54 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 162.243.152.212 - - [28/Dec/2017:06:18:56 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"
www.attacked.wpsite.addr:443 65.19.143.194 - - [28/Dec/2017:06:24:55 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3745 "-" "-"
www.attacked.wpsite.addr:443 65.19.143.194 - - [28/Dec/2017:06:24:59 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3745 "-" "-"
www.attacked.wpsite.addr:80 185.86.13.213 - - [28/Dec/2017:06:25:19 +1300] "GET /wp-login.php HTTP/1.1" 302 279 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:06:25:21 +1300] "GET /wp-login.php HTTP/1.1" 200 6009 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:06:25:21 +1300] "POST /wp-login.php HTTP/1.1" 200 3754 "https://www.attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:80 51.15.146.69 - - [28/Dec/2017:06:43:47 +1300] "POST /wp-login.php HTTP/1.1" 302 238 "http://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 5.2; rv:52.42.99) Gecko/20130250 Firefox/52.42.99"
www.attacked.wpsite.addr:443 51.15.146.69 - - [28/Dec/2017:06:43:49 +1300] "GET /wp-login.php HTTP/1.1" 200 4798 "http://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 5.2; rv:52.42.99) Gecko/20130250 Firefox/52.42.99"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:07:59:58 +1300] "POST /wp-login.php HTTP/1.1" 200 4987 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_36_89) AppleWebKit/532.85.48 (KHTML, like Gecko) Chrome/57.4.9780.5052 Safari/534.56"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:07:59:59 +1300] "POST /wp-login.php HTTP/1.1" 200 2128 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 5.0) AppleWebKit/533.09.52 (KHTML, like Gecko) Version/5.5.1 Safari/532.17"
www.attacked.wpsite.addr:443 198.71.87.205 - - [28/Dec/2017:08:08:36 +1300] "GET /wp-login.php HTTP/1.1" 200 4830 "http://www.attacked.wpsite.addr/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"
www.attacked.wpsite.addr:443 198.71.87.205 - - [28/Dec/2017:08:08:36 +1300] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1549 "https://www.attacked.wpsite.addr/wp-login.php" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"
www.attacked.wpsite.addr:80 185.86.13.213 - - [28/Dec/2017:09:16:41 +1300] "GET /wp-login.php HTTP/1.1" 302 279 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:09:16:44 +1300] "GET /wp-login.php HTTP/1.1" 200 6009 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 185.86.13.213 - - [28/Dec/2017:09:16:44 +1300] "POST /wp-login.php HTTP/1.1" 200 3722 "https://www.attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:04 +1300] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 3666 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:05 +1300] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.1 HTTP/1.1" 200 36906 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:38 +1300] "POST /wp-login.php HTTP/1.1" 302 1338 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 172.18.252.242 - - [28/Dec/2017:09:41:39 +1300] "GET /wp-admin/ HTTP/1.1" 200 17170 "https://www.attacked.wpsite.addr/wp-login.php?redirect_to=https%3A%2F%2Fwww.attacked.wpsite.addr%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:10:09:25 +1300] "POST /wp-login.php HTTP/1.1" 200 4987 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/535.25.78 (KHTML, like Gecko) Chrome/53.7.2713.8085 Safari/531.86"
www.attacked.wpsite.addr:443 91.200.12.22 - - [28/Dec/2017:10:09:25 +1300] "POST /wp-login.php HTTP/1.1" 200 4987 "https://attacked.wpsite.addr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/536.39.82 (KHTML, like Gecko) Chrome/54.8.4130.9402 Safari/531.90"
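
A triage sketch for log entries in the layout shown above, added here as an example and not part of the original post: it groups POSTs to wp-login.php?action=lostpassword by client IP, with status codes and time span, so they can be lined up against the times the reset emails arrived. The sample lines, host name and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Layout: vhost:port client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+:\d+ (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_reset_request(method, target):
    """True only for a POST that submits the lost-password form (a GET just shows it)."""
    url = urlsplit(target)
    action = parse_qs(url.query).get("action", [])
    return (method == "POST" and url.path.endswith("/wp-login.php")
            and action == ["lostpassword"])

def summarize_resets(lines):
    """Per client IP: count, status codes, first/last time, and 'headless'
    (every reset POST from that IP had neither Referer nor User-Agent)."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_reset_request(m["method"], m["target"]):
            continue  # unparseable lines and unrelated requests are skipped
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(m["ip"], {
            "count": 0, "statuses": Counter(), "first": when,
            "last": when, "headless": True})
        entry["count"] += 1
        entry["statuses"][m["status"]] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["headless"] &= m["referer"] == "-" and m["agent"] == "-"
    return report

# Constructed sample lines (documentation-range addresses, placeholder host name).
SAMPLE = [
    'www.example.test:443 203.0.113.10 - - [28/Dec/2017:06:10:17 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "-" "-"',
    'www.example.test:443 203.0.113.10 - - [28/Dec/2017:06:10:19 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 400 3856 "-" "-"',
    'www.example.test:443 198.51.100.7 - - [28/Dec/2017:08:08:36 +1300] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1549 "https://www.example.test/wp-login.php" "Opera/9.80"',
    'www.example.test:443 198.51.100.7 - - [28/Dec/2017:08:09:02 +1300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 3644 "https://www.example.test/wp-login.php?action=lostpassword" "Opera/9.80"',
    'www.example.test:443 192.0.2.44 - - [28/Dec/2017:09:41:38 +1300] "POST /wp-login.php HTTP/1.1" 302 1338 "https://www.example.test/wp-login.php" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, e in summarize_resets(SAMPLE).items():
        print(ip, e["count"], dict(e["statuses"]), e["first"].isoformat(), e["headless"])
```
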