Automatic Whitelist rule for plugins I don't have installed


    #22753
    David Moneo Simón
    Participant

    Hello, I have these security logs:

    [403 GET / HEAD Request: May 17, 2015 1:47 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 81.88.49.xx
    Host Name: opus06.register.it
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/test/bps-email-check.php
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/4.2.x; http://www.myserver.es
    
    [403 GET / HEAD Request: May 18, 2015 7:40 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 91.226.212.xx
    Host Name: 91.226.212.xx
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.myserver.es/wp-content/plugins/wp-mass.php
    REQUEST_URI: /wp-content/plugins/wp-mass.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    
    [403 GET / HEAD Request: May 18, 2015 7:40 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 91.226.212.xx
    Host Name: 91.226.212.xx
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.myserver.es/wp-content/plugins/wp-kiosaki.php
    REQUEST_URI: /wp-content/plugins/wp-kiosaki.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 18 mayo, 2015 - 9:33 pm]
    Whitelist Rule: /wp-mass.php
    Whitelist Rule: /wp-kiosaki.php
    

    The problem is more about the last two logs, because BPS has created a whitelist rule for those files, and I don't have those plugins installed in WordPress (I can't see them in my plugins list), and also I can't find those two files when searching my server in that path. Is there some security problem, and do I have to do something?

    Thanks in advance.

    #22756
    AITpro Admin
    Keymaster

    We were notified yesterday about this bug in the Plugin Firewall AutoPilot Mode filter code and have fixed the bug in the AutoPilot filter code.  We will be releasing BPS Pro 10.3 later today with this new bugfix.  Upgrading to BPS Pro 10.3 will automatically remove/delete any Plugin Firewall whitelist rules that should not exist.  The automated whitelist rule cleanup is included in the AutoPilot Mode Cron.  The whitelist rule cleanup will occur when the next scheduled AutoPilot Mode Cron is run.  This is also a new enhancement to the AutoPilot Mode code that will remove/delete any old whitelist rules that are no longer necessary/being used, i.e., if you had a plugin installed at one point that required whitelist rules and have removed/deleted that plugin at some point, then those old whitelist rules will be automatically removed/deleted by the AutoPilot Mode Cron.

    Apparently this is some sort of new probe/recon method that just started being used recently.  Since these files do not actually exist on your website then there is no security risk to your website and the bug is just causing a nuisance problem, i.e., Plugin Firewall whitelist rules are being created for files that do not actually really exist.  For files that do actually really exist, those files are still protected by other overlapping security protection features/methods in BPS Pro.

    Note:  Special thanks to Alex Stamatellos at Webcentrix LLC for finding a bug in the Plugin Firewall AutoPilot Mode filter code, which led to a significant filter improvement in the Plugin Firewall AutoPilot Mode code in BPS Pro 10.3.

    #22763
    David Moneo Simón
    Participant

    OK, thanks.  So the only thing I must do is upgrade to BPS Pro 10.3 when it is released, and it will automatically delete (in the next AutoPilot Mode Cron run) all the whitelist rules that are not necessary.

    Waiting for the upgrade! Thanks for your quick support.

    #22764
    AITpro Admin
    Keymaster

    Correct.  And the added bonus is that any old whitelist rules that are no longer being used will be automatically removed/deleted.  😉
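
One way to check by hand for the condition discussed in this thread, as an added example that is not part of the thread and is not BPS Pro code: the script reads a security log in the layout quoted above, extracts each `Whitelist Rule:` line, and reports rules whose file is missing from the plugins directory. It assumes a rule is a path relative to `wp-content/plugins`; the sample log and the `example-plugin/ajax.php` path are constructed.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the layout of the log entries quoted in this thread.
SAMPLE_LOG = """\
    [403 GET / HEAD Request: May 18, 2015 7:40 pm]
    Event Code: PFWR-PSBR-HPR
    REQUEST_URI: /wp-content/plugins/wp-mass.php

    [403 GET / HEAD Request: May 18, 2015 7:41 pm]
    Event Code: PFWR-PSBR-HPR
    REQUEST_URI: /wp-content/plugins/example-plugin/ajax.php

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: May 18, 2015 - 9:33 pm]
    Whitelist Rule: /wp-mass.php
    Whitelist Rule: /example-plugin/ajax.php
"""

RULE_RE = re.compile(r"^[ \t]*Whitelist Rule:[ \t]*(\S+)", re.M)
URI_RE = re.compile(r"^[ \t]*REQUEST_URI:[ \t]*(\S+)", re.M)
PLUGINS_PREFIX = "/wp-content/plugins"


def audit_whitelist(log_text, plugins_dir):
    """Return (rule, exists_on_disk, seen_as_blocked_request) per logged rule."""
    # Assumption: a rule is a path relative to the plugins directory.
    root = Path(plugins_dir).resolve()
    blocked = set(URI_RE.findall(log_text))
    results = []
    for rule in RULE_RE.findall(log_text):
        target = (root / rule.lstrip("/")).resolve()
        # Count only regular files that stay inside the plugins directory.
        exists = target.is_file() and root in target.parents
        results.append((rule, exists, PLUGINS_PREFIX + rule in blocked))
    return results


def stale_rules(log_text, plugins_dir):
    """Rules whose target file is absent: candidates for review and removal."""
    return [r for r, exists, _ in audit_whitelist(log_text, plugins_dir) if not exists]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in plugins directory
        (Path(d) / "example-plugin").mkdir()
        (Path(d) / "example-plugin" / "ajax.php").write_text("<?php // stub\n")
        print(audit_whitelist(SAMPLE_LOG, d))
        print("stale:", stale_rules(SAMPLE_LOG, d))
```

A rule that is both stale and tied to a 403 entry for the same URI matches the pattern in the original post: a request for a file that does not exist, followed by a whitelist rule for it.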
