Defended attacks

This topic has 9 replies, 3 voices, and was last updated 9 years, 7 months ago by Andre.

Andre (Participant)
Hi,
just FYI. Here you can see an attack, on one of my sites, where this great plugin defended my digital property. Eddie, which kind of attack was this? Injection probably, but exactly?
>>>>>>>>>>> 403 GET or Other Request Error Logged - 20. August 2013 - 21:58 <<<<<<<<<<<
REMOTE_ADDR: 93.189.44.116
Host Name: 93.189.44.116
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /images/banners/.lib_9ptpbq.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
And these are just bots, right?
>>>>>>>>>>> 403 GET or Other Request Error Logged - 17. August 2013 - 15:15 <<<<<<<<<<<
REMOTE_ADDR: 24.236.135.95
Host Name: 24-236-135-95.dhcp.bycy.mi.charter.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /?author=1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

>>>>>>>>>>> 403 GET or Other Request Error Logged - 20. August 2013 - 04:15 <<<<<<<<<<<
REMOTE_ADDR: 1.202.219.81
Host Name: 81.219.202.1.static.bjtelecom.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; JikeSpider; +http://shoulu.jike.com/spider.html)
I also secure my author link through the plugin “Edit Author Slug”, so that nobody can easily find out my username in clear text. A good additional small security layer; I can only recommend it. (Why not build it into BPS also?)
Cheers.
Andre

EDIT: The attacker probably thinks this is a Joomla site, because /images/banners/… comes from Joomla. 🙁

AITpro Admin (Keymaster)
The first one is a recon/probe for the file .lib_9ptpbq.php. The second one is a recon/probe by a faked Google bot User Agent looking for your author name. The third one is a general HEAD request made by the Chinese spider/bot JikeSpider. All of these recons/probes/etc. are automated bots. Automated recons/probes by bots do not care what type of site you have. Automated bots have preprogrammed parameters that they automatically run/check against your site. BPS is already blocking all of these.
AITpro Admin (Keymaster)
At some point we will be adding additional security measures/options for the Author slug/URL. It is on the list, but it will not be in the next version of BPS Pro and maybe not the version after that either. We have already reached the max changes/new additions/etc. for BPS Pro 7.0.
Andre (Participant)
Thanks so far.

Andre (Participant)
Hi, for evaluating things in the security log I would like to know if this is a request that shows that a visitor wasn't able to fill out or send the contact form, and, if it shows that the form isn't usable, what I could do so that it will be usable by everyone.
>>>>>>>>>>> 403 GET or Other Request Error Logged - 30. August 2013 - 00:45 <<<<<<<<<<<
REMOTE_ADDR: 212.184.133.120
Host Name: pD4B88578.dip0.t-ipconnect.de
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https: //www.domain.de/kontakt/
REQUEST_URI: /wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329 [FBAN/FBIOS;FBAV/6.4;FBBV/290891;FBDV/iPad2,5;FBMD/iPad;FBSN/iPhone OS;FBSV/6.1.3;FBSS/1; FBCR/;FBID/tablet;FBLC/de_DE;FBOP/1]
Everything needed was set up in my eyes: exclusion in ARQ and in the Firewall Whitelist.
Thanks in advance.

AITpro Admin (Keymaster)
The Plugin Firewall Whitelist rule would be
/formidable/js/formidable.min.js or /formidable/js/(.*).js
For Plugin Firewall testing and additional help information about the Security Log see the Security Log & Plugin Firewall Video Tutorial.
http://forum.ait-pro.com/video-tutorials/

Andre (Participant)
Mmmh, yes, but I was asking if the log entry says that the form couldn't be used… Got this again: while this is obviously the Google bot, the log entry in the post above seems to be a normal web user.
>>>>>>>>>>> 403 GET or Other Request Error Logged - 31. August 2013 - 02:31 <<<<<<<<<<<
REMOTE_ADDR: 66.249.75.178
Host Name: crawl-66-249-75-178.googlebot.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https: //www.domain.de/kontakt/
REQUEST_URI: /wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
This is my whitelist (as it was from setting up BPS in the beginning already):
/myrepono-wordpress-backup-plugin/api/myrepono.php, /formidable/js/formidable.js, /formidable/pro/js/(.*).js, /wp-dbmanager/wp-dbmanager.php
EDIT:
Well, I see now that the ones you mentioned are not whitelisted.
I had to see it clearly in front of me in a code field like here.
Let's whitelist them first and see if that was all that was needed. 🙂

AITpro Admin (Keymaster)
You can also use the cURL Multi-page scanning tools in Pro-Tools to get your Plugin Firewall whitelist rules.
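As an added example (not BPS code and not written by anyone in this thread), the following parses entries in the Security Log format quoted above and tags them along the lines of the AITpro reply: author enumeration, a PHP file probed where WordPress has none, a "Googlebot" User-Agent whose reverse-DNS host name is not under googlebot.com, and a plugin asset that stays blocked until a whitelist rule matches it. It assumes the Plugin Firewall whitelist entries are regex fragments searched against the request path; the three sample entries are copied from the posts above.

```python
import re
# Constructed sample: three entries in the BPS Security Log format quoted in this thread, one per line.
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - 20. August 2013 - 21:58 <<<<<<<<<<< REMOTE_ADDR: 93.189.44.116 Host Name: 93.189.44.116 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /images/banners/.lib_9ptpbq.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
>>>>>>>>>>> 403 GET or Other Request Error Logged - 17. August 2013 - 15:15 <<<<<<<<<<< REMOTE_ADDR: 24.236.135.95 Host Name: 24-236-135-95.dhcp.bycy.mi.charter.com SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /?author=1 QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
>>>>>>>>>>> 403 GET or Other Request Error Logged - 31. August 2013 - 02:31 <<<<<<<<<<< REMOTE_ADDR: 66.249.75.178 Host Name: crawl-66-249-75-178.googlebot.com SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https: //www.domain.de/kontakt/ REQUEST_URI: /wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01 QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
"""
# Field names exactly as BPS writes them; a value may be empty (e.g. HTTP_REFERER).
FIELDS = ["REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL", "HTTP_CLIENT_IP", "HTTP_FORWARDED",
          "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT"]
FIELD_RE = re.compile("(" + "|".join(re.escape(f) for f in FIELDS) + "): ")

# Andre's Plugin Firewall whitelist from this thread; assumed here to be regex fragments searched against the path.
ANDRE_RULES = ["/myrepono-wordpress-backup-plugin/api/myrepono.php", "/formidable/js/formidable.js",
               "/formidable/pro/js/(.*).js", "/wp-dbmanager/wp-dbmanager.php"]

def parse_entry(line):
    """Split one log line into {field: value}; empty fields stay empty strings."""
    parts = FIELD_RE.split(line)          # [header, name1, value1, name2, value2, ...]
    entry = {"header": parts[0].strip("<> ")}
    for name, value in zip(parts[1::2], parts[2::2]):
        entry[name] = value.strip()
    return entry

def whitelisted(path, rules):
    return any(re.search(rule, path) for rule in rules)

def fake_googlebot(entry):
    # Cheap check: a real Googlebot's reverse DNS is under googlebot.com; full verification also forward-resolves it.
    ua, host = entry.get("HTTP_USER_AGENT", ""), entry.get("Host Name", "")
    return "Googlebot" in ua and not host.endswith(".googlebot.com")

def analyze(entry, rules):
    uri = entry.get("REQUEST_URI", "")
    path = uri.split("?", 1)[0]           # the ?ver=... query is not part of the path
    tags = []
    if re.search(r"[?&]author=\d+", uri):
        tags.append("author-enumeration")
    if path.endswith(".php") and not path.startswith("/wp-"):
        tags.append("php-file-probe")     # .php where WordPress has none, e.g. /images/
    if fake_googlebot(entry):
        tags.append("fake-googlebot")
    if path.startswith("/wp-content/plugins/"):
        tags.append("whitelisted" if whitelisted(path, rules) else "needs-whitelist-rule")
    return tags

def analyze_log(text, rules):
    return [analyze(parse_entry(line), rules) for line in text.splitlines() if line.strip()]
```

Running analyze_log(SAMPLE_LOG, ANDRE_RULES) tags the third entry needs-whitelist-rule because Andre's list only covers formidable.js, while appending the rule /formidable/js/(.*).js from the reply turns it into whitelisted.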
Krzysztof (Participant)
A great plugin is http://wordpress.org/plugins/username-changer/installation/, especially if you made mistakes in the beginning and used the same login and author name. Maybe this could also be included at some point, in version 12 maybe 🙂

Andre (Participant)
I cannot use cURL, as my hoster has some weird setup. *Thanks for your contribution, Krzysztof.