Topic: Security Log Event Codes | BulletProof Security Forum

Security Log Event Codes

Tagged: Event Codes, Security Log

This topic has 87 replies, 22 voices, and was last updated 1 year ago by meets korun.

Viewing 15 posts - 1 through 15 (of 88 total)

1 2 3 4 5 6 →

Author

Posts
March 17, 2014 at 4:11 pm #13903
AITpro Admin
Keymaster
Event Codes:

BFHS: Blocked/Forbidden Hacker or Spammer (approximately 99.99% of all log entries will have this Event Code)
HPRA: Hacker Probe/Recon/Attack
PSBR: Plugin Skip/Bypass Rule if something legitimate is being blocked.
WPADMIN-SBR: wp-admin Skip/Bypass Rule if something legitimate is being blocked.
HEAD: HEAD Request Blocked – Either a spambot or something legitimate making a HEAD Request (See Event Code: HEAD solution)
PFWR: Plugin Firewall Whitelist Rule (BPS Pro only). Plugin Firewall AutoPilot Mode creates whitelist rules automatically.
UAEGWR: Uploads Anti-Exploit Guard Whitelist Rule (BPS Pro only) if something legitimate is being blocked.

Examples Logged Fields/Scenarios:

Event Code: PFWR-PSBR-HPR (3 relevant fields to check & 3 possible causes)
```
Event Code: PFWR-PSBR-HPR
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-content/plugins/xyz-plugin/js/xyz-plugin-script.js
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.8.36217; WOW64; en-US)
```
The Event Code indicates this could either be a random hacker recon/probe or Plugin Skip/Bypass rule that needs to be created or a Plugin Firewall whitelist rule (BPS Pro only) that needs to be created.

Solution: If the plugin is actually installed/exists & the Server Protocol is HTTP/1.1 and not HTTP/1.0 and the User Agent is not blank/empty then either a Plugin Skip/Bypass rule needs to be created or a Plugin Firewall whitelist rule (BPS Pro only) needs to be created. If the Server Protocol is HTTP/1.0 or the User Agent is blank then the odds are very high that this is a random hacker recon/probe. If the plugin is NOT actually installed on the website then this is a 100% confirmed random hacker recon/probe. Searching the Forum will produce any documented solutions for Plugin Skip/Bypass rules by searching using the plugin’s name as the search word/term. For Plugin Firewall whitelist rules see this Forum Topic link: https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/

Event Code: WPADMIN-SBR (2 relevant fields to check – only 1 possible cause and solution)
```
Event Code: WPADMIN-SBR
HTTP_REFERER: http://[domain name removed for privacy]/wp-admin/post.php?post=287&action=edit
REQUEST_URI: /wp-content/plugins/sublimevideo-official/tinymce/sv-insert.php?%27webkitAllowFullScreen=%271

HTTP_REFERER: http://[domain name removed for privacy]/2014/01/02/fallouts-classic-catalogue-removed-from-gog-due-to-rights-issue/
REQUEST_URI: /blog/wp-admin/curate-this.php?u=http%3A%5C%2F%5C%2F[domain name removed for privacy]%5C%2F2014%5C%2F01%5C%2F02%5C%2Ffallouts-classic-catalogue-removed-from-gog-due-to-rights-issue%5C%2F&t=Fallout%27s%20classic%20catalogue%20removed%20from%20GOG%20due%20to%20rights%20issue%20%7C%20PC%20Gamer&s=&v=4

HTTP_REFERER: http://[domain name removed for privacy]/wp-admin/admin.php?page=formidable-settings
REQUEST_URI: /wp-admin/index.php?plugin=formidable&controller=settings&frm_action=process-form&action=process-form&_wpnonce=6b6ef1c65d
```
Solution: There are 2 relevant fields to check for Event Code: WPADMIN-SBR.. The HTTP_REFERER and REQUEST_URI logging fields. If the Referer or Request URI has /wp-admin/ in the path then these are things that are being blocked by BPS in the wp-admin .htaccess file and a Skip/Bypass rule needs to be created for the wp-admin .htaccess file by adding it to BPS Custom Code. Typically either a wp-admin file needs to be whitelisted in the Skip/Bypass rule or a Query String needs to be whitelisted. Searching the Forum will produce any documented solutions for wp-admin Skip/Bypass rules by searching using the plugin’s name as the search word/term.

Event Code: UAEGWR-HPR (1 relevant field to check – 2 possible causes)
```
Event Code: UAEGWR-HPR
REQUEST_URI: /wp-content/uploads/avada.js
```
Solution: There is 1 relevant field to check for Event Code: UAEGWR-HPR. The REQUEST_URI logging field. Either a plugin or theme is storing and calling/requesting a .js, .swf or other file type from the WordPress /uploads folder and it is being blocked by BPS or this is a random hacker probe/recon. If the file shown in the Request URI does not actually exist on the website then this is a 100% confirmed random hacker probe/recon. For UAEG whitelist rules see this Forum Topic link: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

Event Code: HEAD (3 relevant fields to check – 2 possible scenarios)
```
Event Code: BFHS-HEAD - HEAD Request Blocked
HTTP_REFERER:
REQUEST_URI: /?author=3
HTTP_USER_AGENT: curl/7.35.0
```
Solution: Either a spambot or other bad bot is making a HEAD Request on your website and it was blocked or something legitimate like a plugin or theme is making HEAD Requests for things like image retrieval or other tasks. To Allow/not block ALL HEAD Requests do the steps below:

1. Copy this modified REQUEST METHODS FILTERED .htaccess code below to this BPS Custom Code text box CUSTOM CODE REQUEST METHODS FILTERED: Whitelist User Agents or remove HEAD here
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

BPS Pro 11.6+ & BPS free .53.2+
You may see this code or the 11.5+/.53.1+ code in your root htaccess file. The code does the same exact thing and is whitelisted in the same exact way.
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
```
BPS Pro 11.5+ and BPS .53.1+
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]
```
If you are using an older BPS plugin version or older BPS root htaccess code then use this code instead or upgrade to a newer version of BPS.
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and 
# remove/delete HEAD| from the Request Method filter.
# Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
# The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
```
- This topic was modified 2 years, 4 months ago by AITpro Admin.
- This topic was modified 2 years, 4 months ago by AITpro Admin.
- This topic was modified 2 years, 4 months ago by AITpro Admin.
April 9, 2014 at 7:57 am #14803
Bill Justesen
Participant
I am having one of these errors, but I cannot figure out why it isn’t bypassing via the firewall whitelist. The entire error is the following:
```
[403 GET / HEAD Request: April 9, 2014 - 7:22 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 184.18.206.92
Host Name: pool-184-18-206-92.ftwy.in.frontiernet.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //xxxxxxxx.com/finalists/2012-finalists/
REQUEST_URI: /wp-content/plugins/shashin/public/display/trunk8.js?ver=3.4.10
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53
```
The plugin exists, the protocol is HTTP/1.1, and I have added it to the firewall whitelist. And if I view the .htaccess file in the plugins folder, I can see the following line:
```
SetEnvIf Request_URI "/shashin/public/display/trunk8.js$" whitelist
```
Is there something else I am missing?
April 9, 2014 at 8:12 am #14804
AITpro Admin
Keymaster
UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

It could be that both a plugin/skip bypass rule and a Plugin Firewall whitelist rule are needed or maybe just a plugin skip/bypass rule is what is needed and not a Plugin Firewall whitelist rule.

To isolate/pinpoint exactly what in BPS Pro is blocking something use these troubleshooting steps: http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting. All BPS Pro security features can be turned On/Off individually to isolate which security features is blocking something.

Create a plugin Skip/Bypass rule for the Shashin plugin in BPS Custom Code.
1. Copy the Shashin plugin skip/bypass rule below to this BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Note: If your WordPress installation is a subfolder installation then add your WordPress folder name in the path. Example: /My-WordPress-Folder-Name/wp-content/plugins/shashin/
```
# Shashin plugin skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/shashin/ [NC]
RewriteRule . - [S=13]
```
April 9, 2014 at 10:59 am #14809
Bill Justesen
Participant

That seemed to take care of the issue. Thanks!
April 9, 2014 at 11:11 am #14810
AITpro Admin
Keymaster

Great! Thanks for confirming the solution. Also we are trying several different methods to try and get the exact solution that is needed in Phase 2 Security Log Solution Targeting on the frontend of the site so that it is logged with the exact solution in the Security Log, but we keep running into a website performance problem. A website performance decrease of even .1 (point 1) seconds is not acceptable so it is looking like the backend troubleshooting tool is going to be the only way to go.

– The Security Log searched by Event Code. Phase 2 development is looking at using the Event Codes in a troubleshooting tool that will extract log entries and automatically generate the solution. Since this is a user initiated processing tool in the protected backend of a site it does not have the potentional of being abused if this was automated on the frontend of the site by the Security Logging mechanisms/processing.
December 23, 2014 at 6:47 am #20204
Paul
Participant

So if the plugin is NOT actually installed on the website then this is a 100% confirmed random hacker recon/probe. It can be safely ignored as i don’t have it in my plugins
December 23, 2014 at 9:56 am #20215
AITpro Admin
Keymaster

Yes that is correct.
January 13, 2015 at 5:10 pm #20449
Ciewicz
Participant
I am not sure if wp-admin file needs to be whitelisted in the Skip/Bypass rule or a Query String needs to be whitelisted. Please advise. Most of the other items in the log are listed as,
```
[400 GET Bad Request: January 11, 2015 6:09 pm]
Event Code: The request could not be understood by the server due to malformed syntax.
Solution: N/A - Malformed Request - Not an Attack
```
```
[403 GET / HEAD Request: January 13, 2015 11:55 pm]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 50.160.240.226
Host Name: c-50-160-240-226.hsd1.ga.comcast.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.mydomain.com/wp-admin/
REQUEST_URI: /wp-admin/admin-ajax.php?action=gad_fill_dp&cookie=currency%3DUSD%3B%20language%3Den%3B%20_ga%3DGA1.2.1995448560.1420901558%3B%20__utma%3D41600436.1995448560.1420901558.1421170385.1421176663.6%3B%20__utmz%3D41600436.1421157456.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B%20PHPSESSID%3D74688fa71d9720a58a3620533eb488e1%3B%20__utmc%3D41600436%3B%20wordpress_test_cookie%3DWP%2BCookie%2Bcheck%3B%20wp-settings-9%3Deditor%253Dtinymce%2526hidetb%253D1%2526libraryContent%253Dbrowse%2526align%253Dcenter%2526imgsize%253Dmedium%2526ed_size%253D426%2526wplink%253D0%2526advImgDetails%253Dshow%2526urlbutton%253Dnone%3B%20wp-settings-time-9%3D1421169433&rndval=1421193353950
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
```
January 13, 2015 at 5:47 pm #20450
AITpro Admin
Keymaster
Try an admin-ajax.php skip/bypass rule first. It is possible there are several problems going on since the Request URI Query string is a mess. If this code below does not work then I will need to know the name of the plugin or theme that is causing the error.

1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

Note: The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #. Example: If you already have skip #’s 2 and 3 then this rule would be skip rule #4.
```
# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
```
January 14, 2015 at 8:43 am #20461
Ciewicz
Participant
AITpro Admin,

Thank you for the quick reply. I added the code and it has removed that entry in the Security Log file. I copied the entries, deleted the log to see if that entry would be logged when accessing and it did not. The only item logged now is below. We have also had to add the Allow IP Only due to the brute force attempts.
```
BPS SECURITY LOG
=================
=================

[403 GET / HEAD Request: January 14, 2015 4:29 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 208.82.118.141
Host Name: ps3.jdsolve.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-login.php
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
```
January 14, 2015 at 9:03 am #20462
AITpro Admin
Keymaster

This is a blocked spammer or hacker pretending to be the Google Bot. 208.82.118.141 is not a Google IP address.
http://whois.domaintools.com/208.82.118.141
January 17, 2015 at 8:25 pm #20556
jenni101
Participant
Hi Edward,

I’m in the early learning stage of my security logs, so would appreciate your feedback on this.

I’ve found a WPADMIN-SBR event code in my security log, with an http/1.1 referres and an OK (?) user agent, as below…
```
 [403 GET / HEAD Request: 17th January 2015 - 10:22 pm]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 134.249.140.218
Host Name: 134-249-140-218-gprs.kyivstar.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: http://mysite.com
REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.68 Safari/534.30
```
but the same host name then is also logged for heaps of repeated requests for plugins/themes that I don’t have, so with an event code of BFHS and occasionally PFWR-PSBR-HPR. eg of it is below…
```
[403 GET / HEAD Request: 17th January 2015 - 10:23 pm]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 134.249.140.218
Host Name: 134-249-140-218-gprs.kyivstar.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: http://mysite.com/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php
REQUEST_URI: /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.68 Safari/534.30
```
From the above I’m guessing it’s not something I need to add to my wp-admin skip/bypass rule? Sorry it’s so basic – is this typical of how hacker/probes behave?

Cheers.
January 17, 2015 at 9:05 pm #20557
AITpro Admin
Keymaster

This is a blocked hacker recon/probe/attempt looking for the known vulnerability in the revolution slider plugin or trying to exploit and hack your website. You do not need to do anything since BPS has already blocked the hacker recon/probe/hacking attempt. See the link below for more info.
http://forum.ait-pro.com/forums/topic/slider-revolution-responsive-wordpress-plugin-vulnerability/

The other security log entry is another hacker recon/probe/attempt that is being blocked.
January 17, 2015 at 10:47 pm #20562
jenni101
Participant

Many thanks.
February 4, 2015 at 6:44 am #20787
Hans
Participant
I’m a bit intimidated by all this code, and since my girlfriends website has suffered a number of brute force attacks, I started using your plugin on top of wordfence. I followed the instructions and installed the bonus codes also, changing the ip-adresses in the brute-force attack-code like instructed.

Now every time I try to search in the wp-admin Pages, I get a 403-error page. The log-entry hereunder concurs that it is blocked, but I don’t know how to solve it. Searching for edit.php on this forum didn’t give a sollution, so if someone could please advise me on what code to add or change.

It’s a dutch website using the dutch translation of wordpress, and alle plugins are updated to the latest version. Thanks for the good work. I’ve started with the free version for now and am very happy such an advanced tool exsists to fight of attacks. Thanks in advance your help.

For privacy-reasons I’ve changed the domain-name and ip-address tot xxx.
```
[403 GET / HEAD Request: 4 februari 2015 - 15:11]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: xxx.xxx.xxx.xxx
Host Name: xxx.xxx.xxx.xxx.dsl.alice.nl
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: xxx.xxx.xxx.xxx
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://xxxxxxxxxxxxxxxxxx.nl/wp-admin/edit.php?post_type=page
REQUEST_URI: /wp-admin/edit.php?s=test&=Pagina%27s+zoeken&post_status=all&post_type=page&_wpnonce=2e22bd85bc&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dpage&action=-1&m=0&seo_filter=&paged=1&action2=-1
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
```
Author

Posts