Topic: Security Log Event Codes | BulletProof Security Forum

Security Log Event Codes

Tagged: Event Codes, Security Log

This topic has 87 replies, 22 voices, and was last updated 1 year ago by meets korun.

Viewing 15 posts - 31 through 45 (of 88 total)

← 1 2 3 4 5 6 →

Author

Posts
April 3, 2016 at 12:20 pm #28862
George Mohan
Participant

Yes we use Adsense & also cloudflare.com
April 3, 2016 at 12:47 pm #28863
AITpro Admin
Keymaster

Ok, but that still does not explain why Google would be trying to access your wp-config.php file. The only thing I can think of for why Google would be told to crawl the wp-config.php file would be if a mistake was made somewhere telling Google to crawl the wp-config.php file. The WordPress wp-config.php file should NEVER be directly accessed via the Browser by anything for any reason. The wp-config.php file is designed to ONLY be processed/loaded and not accessed by a Browser for any reason. So this either has to be a mistake somewhere on your website or this is a hacker pretending to be Google. You may want to look at this Google Adsense help link: https://support.google.com/adsense/answer/161351?hl=en&ref_topic=1348129 to do things like check your site for Adsense issues, errors, etc.
June 23, 2016 at 5:18 pm #29945
jenni101
Participant
Hi there,

Recently have logged heaps of blocked entries in my security log for searches in my image library, run by separate software but sits in a sub-folder of my wordpress root site, as eg below:
```
[403 GET / HEAD Request: June 21, 2016 - 1:37 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 98.138.81.176
Host Name: p8w17.geo.ne1.hostingprod.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /imagelibrary/index.php?module=search&pId=100&phrase=1&keyword=alpine%20parrot%27%20and%20%27x%27%3D%27y
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial; SV1; .NET CLR 1.0.3705
```
My root BPS Pro .htaccess file has some custom code in to exclude this sub-folder and an addon domain that also sits in a sub-folder (and both have their own .htaccess files). The custom code is this:
```
# To NOT apply rules to other CHILD websites or ADDON DOMAINS and 
# to not log errors for these child sites
# and the RewriteRule for Custom Apps (Image Library) outside of WP
RewriteRule ^perfectplanetpublishing.co.nz/ - [L]
RewriteRule ^perfectplanetpublishing.com/ - [L]
RewriteRule ^imagelibrary/ - [L]
RewriteRule ^photoclub/ - [L]
```
So I have 2 questions about this:
1. I’ve replicated the keyword search (alpine + parrot) in my image library and it works fine – so I assume it’s correctly being blocked as a hacker/spammer? rather than it being a legitimate keyword search?
2. Do you think I need to change any of my BPS custom code now to exclude my image library, as I’m now getting security logs for it? Or is it still current?
Many thanks, j
June 23, 2016 at 5:26 pm #29946
AITpro Admin
Keymaster
@ jenni101 – What is triggering BPS to block these Query Strings is the single quote code character/apostrophe/%27 url encoded. I am not sure why the /imagelibrary/ folder is not being bypassed/skipped, but you can try adding a forward slash / to see if that works. Do NOT add a forward slash for any of your other site RewriteRules.
```
RewriteRule ^/imagelibrary/ - [L]
```
I just thought of something obvious. If your website is calling the image library files from your website then even image library is in another folder, your website is calling files from your website and those Query Strings will be blocked, unless you do this: http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939
June 23, 2016 at 5:42 pm #29952
jenni101
Participant

@aitpro – no, our website doesn’t call any files from the image library folder, as it runs totally independently. But I’ll trial the additional forward slash and will let you know if it’s still logging security event for the image library.

Many thanks, j
June 23, 2016 at 5:50 pm #29953
AITpro Admin
Keymaster

@ jenni101 – Also meant to ask exactly where the htaccess file is in relation to the /imagelibrary/ folder.
Example: htaccess file is here: /public_html/.htaccess and the imagelibrary folder is here: /public_html/imagelibrary/
June 26, 2016 at 8:13 am #30053
Pako
Participant
UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

Hi

If it can helps some of you (like me) who are using WP Rocket I enter this:
```
# WP Rocket plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-rocket/ [NC]
RewriteRule . - [S=13]
```
in: BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES

I have done that because when I was updating a post or a page, the first time the page or the post load I get errors in my console and the page or post do not display correctly at the first time, only a refresh of the same page make it display correctly… don’t know how or why but it works..
June 26, 2016 at 10:58 pm #30093
Pako
Participant
Hi

I get this Event code: WPADMIN-SBR as I was trying to export my Custom Code from B-Core 🙁
It would be great if you can give me the right Skip/Bypass rule that needs to be created within BPS Custome code (and where, I mean, in which text box?)
Thans a lot
Here is the log (I have hidden my IP, hostname and URL):
+++
```
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: AAA.BBB.CCC.DDD
Host Name: blablablablabla.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: AAA.BBB.CCC.DDD
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: http://www.my-site.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/core/cc-master.zip
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
```
June 27, 2016 at 9:09 am #30096
AITpro Admin
Keymaster

There should be an htaccess file here: /wp-content/plugins/bulletproof-security/admin/core/.htaccess that automatically whitelists your current IP address and allows you to download the cc-master.zip file. Do these steps and let me know if you can download the cc-master.zip file.

1. Use FTP or your web host control panel file manager and delete the htaccess file here: /wp-content/plugins/bulletproof-security/admin/core/.htaccess. A new htaccess file should be automatically created when you visit the Custom Code page again.
2. Go to the Custom Code page > click the Export button > download the cc-master.zip file.
June 27, 2016 at 9:35 am #30097
Pako
Participant

hi @AITPRO

Don’t you think it’s better if I turn Off AutoRestore before doing that?

Thanks
June 27, 2016 at 10:03 am #30100
AITpro Admin
Keymaster

@ Pako – You do not need to turn Off AutoRestore for that and can just delete the .htaccess file.
June 27, 2016 at 10:19 am #30102
Pako
Participant
Nope… id do not work
I deleted the .htaccess and visite the custom code page > yes the .htacess has been recreated and yes my own IP is ok ihis files.
But when I click the button to download :
```
my-site.com 403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you.
IP Address: 149.126.78.33
```
This ip 149…… is not my IP…
It’s my INCAPSULA Proxy IP…
June 27, 2016 at 10:33 am #30103
AITpro Admin
Keymaster

@ Pako – That is very odd. I guess we will have to add another option to allow adding additional IP addresses in the Custom Code htaccess file and other htaccess files that are automatically created in BPS plugin folders. For now you will have to do things manually to workaround the Incapsula IP address problem. ie manually download the zip file using FTP.
December 14, 2016 at 11:20 am #31743
AbZu2
Participant
Every time I post a new article on WP I get a security log notice. The latest entry was:
```
[405 HEAD Request: 14/12/2016 - 19:49]
Event Code: BFHS-HEAD - HEAD Request Blocked
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 138.201.248.33
Host Name: static.33.248.201.138.clients.your-server.de
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: HEAD
HTTP_REFERER:
REQUEST_URI: /2016/12/14/endgame-ii-the-antarctic-atlantis-and-ancient-et-ruins-david-wilcock-and-corey-goode
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; um-LN/1.0; mailto: techinfo@ubermetrics-technologies.com)
```
December 14, 2016 at 11:25 am #31744
AITpro Admin
Keymaster
The error is a 405 HEAD Request error, which means a HEAD Request was made by something. To allow HEAD Requests on your website do the steps below.

1. Copy the REQUEST METHODS FILTERED .htaccess code below to the BPS Root Custom Code text box: CUSTOM CODE REQUEST METHODS FILTERED
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
```
Author

Posts

Viewing 15 posts - 31 through 45 (of 88 total)

← 1 2 3 4 5 6 →

You must be logged in to reply to this topic.

BulletProof Security Forum

Security Log Event Codes

Search Forums

Topic Tags