Defended attacks

  • #8816
    Andre
    Participant

    Hi,

    just FYI. Here you can see an attack, on one of my sites, where this great plugin defended my digital property. Eddie, which kind of attack was this? Injection probably, but exactly?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 20. August 2013 - 21:58 <<<<<<<<<<<
    REMOTE_ADDR: 93.189.44.116
    Host Name: 93.189.44.116
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /images/banners/.lib_9ptpbq.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

    ________

    And these are just bots right?

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 17. August 2013 - 15:15 <<<<<<<<<<<
    REMOTE_ADDR: 24.236.135.95
    Host Name: 24-236-135-95.dhcp.bycy.mi.charter.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /?author=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 20. August 2013 - 04:15 <<<<<<<<<<<
    REMOTE_ADDR: 1.202.219.81
    Host Name: 81.219.202.1.static.bjtelecom.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; JikeSpider; +http://shoulu.jike.com/spider.html)

    I secure my author link also through the plugin “Edit Author Slug”, so that nobody can find out my Username in clear text easily. Good additional small security layer, I can only recommend. (Why not build into BPS also?)
    Cheers.
    Andre
    EDIT: While the attacker probably thinks this is a Joomla Site, cause /images/banners/… comes from Joomla. 🙁

    #8819
    AITpro Admin
    Keymaster

    The first one is a recon/probe for the file: .lib_9ptpbq.php. The second one is a recon/probe by a faked Google bot User Agent looking for your author name. The third one is a general HEAD Request made by the Chinese Spider/Bot: JikeSpider. All of these recons/probes/etc are automated bots. Automated recons/probes by bots do not care what type of site you have. Automated bots have preprogrammed parameters that they automatically run/check against your site. BPS is already blocking all of these.
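    Added example, not part of this thread and not BPS code: a small parser for entries in the Security Log layout quoted above, plus a classifier that applies the same reasoning as this reply (a Googlebot User Agent from a host that does not reverse-resolve to Google is a fake, a dotfile .php path is a file probe, ?author=N is author-name enumeration). The sample log is constructed; the field names are the ones BPS prints.

```python
import re

# Constructed sample in the layout of the BPS log entries in this thread
# (the first two entries use documentation-range addresses, not the thread's).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - 17. August 2013 - 15:15 <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.7
Host Name: dhcp-203-0-113-7.example-isp.net
REQUEST_URI: /?author=1
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

>>>>>>>>>>> 403 GET or Other Request Error Logged - 20. August 2013 - 21:58 <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.8
Host Name: 203.0.113.8
REQUEST_URI: /images/banners/.lib_9ptpbq.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

>>>>>>>>>>> 403 GET or Other Request Error Logged - 31. August 2013 - 02:31 <<<<<<<<<<<
REMOTE_ADDR: 66.249.75.178
Host Name: crawl-66-249-75-178.googlebot.com
REQUEST_URI: /wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
"""

# One header line per logged request; everything up to the next header is its fields.
HEADER = re.compile(r"^>{5,} .* Logged - (?P<when>.+?) <{5,}$")

def parse_log(text):
    """Split the log into one dict per entry, keyed by the field names BPS prints."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"when": m.group("when")}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # values may themselves contain ':'
            current[key.strip()] = value.strip()
    return entries

def classify(entry):
    ua = entry.get("HTTP_USER_AGENT", "")
    host = entry.get("Host Name", "").lower()
    uri = entry.get("REQUEST_URI", "")
    # Reverse DNS alone can be spoofed; confirm a real crawler with a forward lookup of the name.
    if "Googlebot" in ua and not host.endswith((".googlebot.com", ".google.com")):
        return "fake-googlebot"
    if re.search(r"[?&]author=\d+", uri):
        return "author-enumeration"
    if re.search(r"/\.[^/]+\.php$", uri.split("?", 1)[0]):
        return "hidden-php-probe"
    return "other"
```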

    #8820
    AITpro Admin
    Keymaster

    At some point we will be adding additional security measures/options for the Author slug/URL. It is on the list, but will not be in the next version of BPS Pro and maybe not the version after that either. We have already reached max changes/new additions/etc for BPS Pro 7.0.

    #8955
    Andre
    Participant

    Thanks so far.

    #9108
    Andre
    Participant

    Hi, for evaluating things in the security log, I would like to know if this is a request that shows that a visitor wasn't able to fill out the contact form or send it, and if it shows that the form isn't usable, what I could do so that it will be usable by everyone.

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 30. August 2013 - 00:45 <<<<<<<<<<<
    REMOTE_ADDR: 212.184.133.120
    Host Name: pD4B88578.dip0.t-ipconnect.de
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https: //www.domain.de/kontakt/
    REQUEST_URI: /wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329 [FBAN/FBIOS;FBAV/6.4;FBBV/290891;FBDV/iPad2,5;FBMD/iPad;FBSN/iPhone OS;FBSV/6.1.3;FBSS/1; FBCR/;FBID/tablet;FBLC/de_DE;FBOP/1]

    Everything needed was set up in my eyes, exclusion in ARQ and in Firewall Whitelist.
    Thanks in advance.

    #9113
    AITpro Admin
    Keymaster

    The Plugin Firewall Whitelist rule would be

    /formidable/js/formidable.min.js
    or
    /formidable/js/(.*).js

    For Plugin Firewall testing and additional help information about the Security Log see the Security Log & Plugin Firewall Video Tutorial.
    http://forum.ait-pro.com/video-tutorials/

    #9141
    Andre
    Participant

    Mmmh, yes, but I was asking if the log entry says that the form couldn't be used… Got this again: While this is obviously the Google bot, the log entry in the post above seems to be a normal web user.

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 31. August 2013 - 02:31 <<<<<<<<<<<
    REMOTE_ADDR: 66.249.75.178
    Host Name: crawl-66-249-75-178.googlebot.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https: //www.domain.de/kontakt/
    REQUEST_URI: /wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

    This is my whitelist (as it was from setting up BPS in the beginning already):

    /myrepono-wordpress-backup-plugin/api/myrepono.php, /formidable/js/formidable.js, /formidable/pro/js/(.*).js, /wp-dbmanager/wp-dbmanager.php

    EDIT:
    Well, while I see now, that the ones you mentioned are not whitelisted.
    I had to see it clearly in front of me in a code field like here.
    Let's whitelist them first and see if it was all that was needed now. 🙂
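    Added example, not BPS code and not from any post in this thread: it checks the blocked request path from the Security Log against the whitelist string above. It assumes each comma-separated rule is a regular-expression fragment searched in the request path with the query string dropped, which is what the (.*) in the rules suggests; under that assumption it shows why the original list does not cover formidable.min.js while the rule suggested in #9113 does.

```python
import re

# The whitelist string quoted in this thread, as BPS displays it (comma-separated).
WHITELIST = ("/myrepono-wordpress-backup-plugin/api/myrepono.php, "
             "/formidable/js/formidable.js, /formidable/pro/js/(.*).js, "
             "/wp-dbmanager/wp-dbmanager.php")
# The request the Security Log showed as blocked (403).
LOGGED_URI = "/wp-content/plugins/formidable/js/formidable.min.js?ver=1.07.01"

def compile_rules(whitelist):
    """Assumption: each rule is a regex fragment searched anywhere in the path.
    An unescaped '.' matches any character, so 'formidable.js' also matches
    'formidableXjs'; escape the dot or anchor with $ if that matters to you."""
    return [(r.strip(), re.compile(r.strip()))
            for r in whitelist.split(",") if r.strip()]

def matching_rule(request_uri, rules):
    """Return the first rule that allows the URI, or None if it stays blocked.
    The query string (?ver=...) is dropped first, so rules never need to cover it."""
    path = request_uri.split("?", 1)[0]
    for raw, rx in rules:
        if rx.search(path):
            return raw
    return None

if __name__ == "__main__":
    print(matching_rule(LOGGED_URI, compile_rules(WHITELIST)))  # None: not covered
    extended = compile_rules(WHITELIST + ", /formidable/js/(.*).js")
    print(matching_rule(LOGGED_URI, extended))  # /formidable/js/(.*).js
```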

    #9146
    AITpro Admin
    Keymaster

    You can also use the cURL Multi-page scanning tools in Pro-Tools to get your Plugin Firewall whitelist rules.

    #9161
    Krzysztof
    Participant

    A great plugin is http://wordpress.org/plugins/username-changer/installation/ especially if you make mistakes in the beginning and use the same login and author name. Maybe also this could be included at some point in version 12 maybe 🙂

    #9163
    Andre
    Participant

    I cannot use cURL while my hoster has any weird setup. *Thanks for your contribution, Krzysztof
