Security Log Event Codes


This topic contains 76 replies, has 15 voices, and was last updated by  Bub 2 months, 3 weeks ago.

  • #13903

    AITpro Admin
    Keymaster

    Security Log Event Codes:

    BFHS: Blocked/Forbidden Hacker or Spammer (approximately 99.99% of all log entries will have this Event Code)
    HPRA:  Hacker Probe/Recon/Attack
    PSBR: Plugin Skip/Bypass Rule if something legitimate is being blocked.
    WPADMIN-SBR: wp-admin Skip/Bypass Rule if something legitimate is being blocked.
    HEAD: HEAD Request Blocked – Either a spambot or something legitimate making a HEAD Request (See Event Code:  HEAD solution)
    PFWR: Plugin Firewall Whitelist Rule (BPS Pro only). Plugin Firewall AutoPilot Mode creates whitelist rules automatically.
    UAEGWR: Uploads Anti-Exploit Guard Whitelist Rule (BPS Pro only) if something legitimate is being blocked.

    Example Logged Fields/Scenarios:

    Event Code:  PFWR-PSBR-HPR (3 relevant fields to check & 3 possible causes)

    Event Code: PFWR-PSBR-HPR
    SERVER_PROTOCOL: HTTP/1.1
    REQUEST_URI: /wp-content/plugins/xyz-plugin/js/xyz-plugin-script.js
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.8.36217; WOW64; en-US)

    The Event Code indicates this could either be a random hacker recon/probe or Plugin Skip/Bypass rule that needs to be created or a Plugin Firewall whitelist rule (BPS Pro only) that needs to be created.

    Solution:  If the plugin is actually installed/exists & the Server Protocol is HTTP/1.1 and not HTTP/1.0 and the User Agent is not blank/empty then either a Plugin Skip/Bypass rule needs to be created or a Plugin Firewall whitelist rule (BPS Pro only) needs to be created.  If the Server Protocol is HTTP/1.0 or the User Agent is blank then the odds are very high that this is a random hacker recon/probe.  If the plugin is NOT actually installed on the website then this is a 100% confirmed random hacker recon/probe.  Searching the Forum will produce any documented solutions for Plugin Skip/Bypass rules by searching using the plugin’s name as the search word/term.  For Plugin Firewall whitelist rules see this Forum Topic link:  https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/

    Event Code:  WPADMIN-SBR (2 relevant fields to check – only 1 possible cause and solution)

    Event Code: WPADMIN-SBR
    HTTP_REFERER: http://[domain name removed for privacy]/wp-admin/post.php?post=287&action=edit
    REQUEST_URI: /wp-content/plugins/sublimevideo-official/tinymce/sv-insert.php?%27webkitAllowFullScreen=%271
    
    HTTP_REFERER: http://[domain name removed for privacy]/2014/01/02/fallouts-classic-catalogue-removed-from-gog-due-to-rights-issue/
    REQUEST_URI: /blog/wp-admin/curate-this.php?u=http%3A%5C%2F%5C%2F[domain name removed for privacy]%5C%2F2014%5C%2F01%5C%2F02%5C%2Ffallouts-classic-catalogue-removed-from-gog-due-to-rights-issue%5C%2F&t=Fallout%27s%20classic%20catalogue%20removed%20from%20GOG%20due%20to%20rights%20issue%20%7C%20PC%20Gamer&s=&v=4
    
    HTTP_REFERER: http://[domain name removed for privacy]/wp-admin/admin.php?page=formidable-settings
    REQUEST_URI: /wp-admin/index.php?plugin=formidable&controller=settings&frm_action=process-form&action=process-form&_wpnonce=6b6ef1c65d

    Solution:  There are 2 relevant fields to check for Event Code:  WPADMIN-SBR: the HTTP_REFERER and REQUEST_URI logging fields.  If the Referer or Request URI has /wp-admin/ in the path then these are things that are being blocked by BPS in the wp-admin .htaccess file and a Skip/Bypass rule needs to be created for the wp-admin .htaccess file by adding it to BPS Custom Code.  Typically either a wp-admin file needs to be whitelisted in the Skip/Bypass rule or a Query String needs to be whitelisted.  Searching the Forum will produce any documented solutions for wp-admin Skip/Bypass rules by searching using the plugin’s name as the search word/term.

    Event Code:  UAEGWR-HPR (1 relevant field to check – 2 possible causes)

    Event Code: UAEGWR-HPR
    REQUEST_URI: /wp-content/uploads/avada.js

    Solution:   There is 1 relevant field to check for Event Code: UAEGWR-HPR.  The REQUEST_URI logging field.  Either a plugin or theme is storing and calling/requesting a .js, .swf or other file type from the WordPress /uploads folder and it is being blocked by BPS or this is a random hacker probe/recon.  If the file shown in the Request URI does not actually exist on the website then this is a 100% confirmed random hacker probe/recon.  For UAEG whitelist rules see this Forum Topic link:   https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    Event Code:  HEAD (3 relevant fields to check – 2 possible scenarios)

    Event Code: BFHS-HEAD - HEAD Request Blocked
    HTTP_REFERER:
    REQUEST_URI: /?author=3
    HTTP_USER_AGENT: curl/7.35.0

    Solution:   Either a spambot or other bad bot is making a HEAD Request on your website and it was blocked or something legitimate like a plugin or theme is making HEAD Requests for things like image retrieval or other tasks.  To Allow/not block ALL HEAD Requests do the steps below:

    1. Copy this modified REQUEST METHODS FILTERED .htaccess code below to this BPS Custom Code text box CUSTOM CODE REQUEST METHODS FILTERED: Whitelist User Agents or remove HEAD here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    BPS Pro 11.6+ & BPS free .53.2+
    You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    BPS Pro 11.5+ and BPS .53.1+

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    If you are using an older BPS plugin version or older BPS root htaccess code then use this code instead or upgrade to a newer version of BPS.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
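    As an added example (not the plugin's or the forum's own code), a small parser for the Security Log entry format shown above, with the triage rules from this post applied to each entry. The set of installed plugin folder names and the set of files that really exist under /wp-content/uploads/ are assumptions passed in by the caller; the sample log is constructed.

```python
import re

# Constructed sample entries in the BPS Security Log format shown in this thread.
SAMPLE_LOG = """
[403 GET / HEAD Request: April 9, 2014 - 7:22 am]
Event Code: PFWR-PSBR-HPR
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-content/plugins/shashin/public/display/trunk8.js?ver=3.4.10
HTTP_USER_AGENT: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X)

[403 GET / HEAD Request: April 9, 2014 - 7:23 am]
Event Code: PFWR-PSBR-HPR
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: /wp-content/plugins/wp-filemanager/incl/libfile.php?filename=wp-config.php
HTTP_USER_AGENT:

[403 GET / HEAD Request: January 13, 2015 11:55 pm]
Event Code: WPADMIN-SBR
HTTP_REFERER: http://www.example.com/wp-admin/
REQUEST_URI: /wp-admin/admin-ajax.php?action=gad_fill_dp

[403 GET / HEAD Request: January 14, 2015 4:29 pm]
Event Code: UAEGWR-HPR
REQUEST_URI: /wp-content/uploads/avada.js
"""

ENTRY_HEADER = re.compile(r"^\[\d{3} .*\]$")  # e.g. "[403 GET / HEAD Request: ...]"
PLUGIN_PATH = re.compile(r"/wp-content/plugins/([^/?]+)/")

def parse_log(text):
    """Split the log into entries; each entry is a dict of its 'FIELD: value' lines."""
    entries, current = [], None
    for line in text.splitlines():
        if ENTRY_HEADER.match(line):
            current = {"header": line}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def triage(entry, installed_plugins, existing_uploads):
    """Apply the rules from this post to one entry and return a short verdict."""
    code = entry.get("Event Code", "")
    uri = entry.get("REQUEST_URI", "")
    if "PFWR" in code or "PSBR" in code:
        m = PLUGIN_PATH.search(uri)
        if not m or m.group(1) not in installed_plugins:
            return "confirmed probe: plugin not installed"
        if entry.get("SERVER_PROTOCOL") == "HTTP/1.0" or not entry.get("HTTP_USER_AGENT"):
            return "likely probe: HTTP/1.0 or blank user agent"
        return "create Plugin Skip/Bypass or Plugin Firewall whitelist rule"
    if "WPADMIN-SBR" in code and "/wp-admin/" in uri + entry.get("HTTP_REFERER", ""):
        return "create wp-admin Skip/Bypass rule (file or query string)"
    if "UAEGWR" in code:
        if uri.split("?", 1)[0] not in existing_uploads:  # strip any query string
            return "confirmed probe: uploads file does not exist"
        return "create UAEG whitelist rule"
    return "blocked; no action needed"
```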
    #14803

    Bill Justesen
    Participant

    I am having one of these errors, but I cannot figure out why it isn’t bypassing via the firewall whitelist. The entire error is the following:

    [403 GET / HEAD Request: April 9, 2014 - 7:22 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 184.18.206.92
    Host Name: pool-184-18-206-92.ftwy.in.frontiernet.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //xxxxxxxx.com/finalists/2012-finalists/
    REQUEST_URI: /wp-content/plugins/shashin/public/display/trunk8.js?ver=3.4.10
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53

    The plugin exists, the protocol is HTTP/1.1, and I have added it to the firewall whitelist. And if I view the .htaccess file in the plugins folder, I can see the following line:

    SetEnvIf Request_URI "/shashin/public/display/trunk8.js$" whitelist

    Is there something else I am missing?

    #14804

    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    It could be that both a plugin/skip bypass rule and a Plugin Firewall whitelist rule are needed or maybe just a plugin skip/bypass rule is what is needed and not a Plugin Firewall whitelist rule.

    To isolate/pinpoint exactly what in BPS Pro is blocking something use these troubleshooting steps:  http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting.  All BPS Pro security features can be turned On/Off individually to isolate which security feature is blocking something.

    Create a plugin Skip/Bypass rule for the Shashin plugin in BPS Custom Code.
    1. Copy the Shashin plugin skip/bypass rule below to this BPS Root Custom Code text box:  CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    Note:  If your WordPress installation is a subfolder installation then add your WordPress folder name in the path.  Example:  /My-WordPress-Folder-Name/wp-content/plugins/shashin/

    # Shashin plugin skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/shashin/ [NC]
    RewriteRule . - [S=13]
    #14809

    Bill Justesen
    Participant

    That seemed to take care of the issue. Thanks!

    #14810

    AITpro Admin
    Keymaster

    Great!  Thanks for confirming the solution.  Also we are trying several different methods to try and get the exact solution that is needed in Phase 2 Security Log Solution Targeting on the frontend of the site so that it is logged with the exact solution in the Security Log, but we keep running into a website performance problem.  A website performance decrease of even .1 (point 1) seconds is not acceptable so it is looking like the backend troubleshooting tool is going to be the only way to go.

    – The Security Log searched by Event Code.  Phase 2 development is looking at using the Event Codes in a troubleshooting tool that will extract log entries and automatically generate the solution.  Since this is a user initiated processing tool in the protected backend of a site it does not have the potential of being abused, as it would if this was automated on the frontend of the site by the Security Logging mechanisms/processing.

    #20204

    Paul
    Participant

    So if the plugin is NOT actually installed on the website then this is a 100% confirmed random hacker recon/probe. It can be safely ignored as I don’t have it in my plugins.

    #20215

    AITpro Admin
    Keymaster

    Yes that is correct.

    #20449

    Ciewicz
    Participant

    I am not sure if a wp-admin file needs to be whitelisted in the Skip/Bypass rule or a Query String needs to be whitelisted. Please advise. Most of the other items in the log are listed as:

    [400 GET Bad Request: January 11, 2015 6:09 pm]
    Event Code: The request could not be understood by the server due to malformed syntax.
    Solution: N/A - Malformed Request - Not an Attack
    [403 GET / HEAD Request: January 13, 2015 11:55 pm]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 50.160.240.226
    Host Name: c-50-160-240-226.hsd1.ga.comcast.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.mydomain.com/wp-admin/
    REQUEST_URI: /wp-admin/admin-ajax.php?action=gad_fill_dp&cookie=currency%3DUSD%3B%20language%3Den%3B%20_ga%3DGA1.2.1995448560.1420901558%3B%20__utma%3D41600436.1995448560.1420901558.1421170385.1421176663.6%3B%20__utmz%3D41600436.1421157456.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B%20PHPSESSID%3D74688fa71d9720a58a3620533eb488e1%3B%20__utmc%3D41600436%3B%20wordpress_test_cookie%3DWP%2BCookie%2Bcheck%3B%20wp-settings-9%3Deditor%253Dtinymce%2526hidetb%253D1%2526libraryContent%253Dbrowse%2526align%253Dcenter%2526imgsize%253Dmedium%2526ed_size%253D426%2526wplink%253D0%2526advImgDetails%253Dshow%2526urlbutton%253Dnone%3B%20wp-settings-time-9%3D1421169433&rndval=1421193353950
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
    #20450

    AITpro Admin
    Keymaster

    Try an admin-ajax.php skip/bypass rule first.  It is possible there are several problems going on since the Request URI Query string is a mess. If this code below does not work then I will need to know the name of the plugin or theme that is causing the error.

    1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]
    #20461

    Ciewicz
    Participant

    AITpro Admin,

    Thank you for the quick reply. I added the code and it has removed that entry in the Security Log file. I copied the entries, deleted the log to see if that entry would be logged when accessing and it did not. The only item logged now is below. We have also had to add the Allow IP Only due to the brute force attempts.

    BPS SECURITY LOG
    =================
    =================
    
    [403 GET / HEAD Request: January 14, 2015 4:29 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 208.82.118.141
    Host Name: ps3.jdsolve.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-login.php
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    
    #20462

    AITpro Admin
    Keymaster

    This is a blocked spammer or hacker pretending to be the Google Bot.  208.82.118.141 is not a Google IP address.
    http://whois.domaintools.com/208.82.118.141
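    As an added example (not the plugin's or the forum's own code), the check behind this reply: a client claiming to be Googlebot is only genuine if the reverse DNS of its IP is a Google hostname and that hostname resolves forward to the same IP. The resolver functions are injectable; the DNS stand-ins and the second address (TEST-NET 192.0.2.x) are constructed so the code runs offline.

```python
import socket

# Crawler hostname suffixes Google documents for reverse-DNS verification.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def claims_googlebot(user_agent):
    """True when the logged HTTP_USER_AGENT presents itself as Googlebot."""
    return "Googlebot" in user_agent

def is_verified_googlebot(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: PTR must be a Google host and that host
    must resolve back to the same IP. Both lookups are injectable for offline use."""
    try:
        host = reverse(ip)[0]
    except OSError:           # socket.herror / gaierror are OSError subclasses
        return False
    if not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    try:
        addrs = forward(host)[2]
    except OSError:
        return False
    return ip in addrs

def classify_entry(entry, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Classify one parsed Security Log entry (dict of field -> value)."""
    if not claims_googlebot(entry.get("HTTP_USER_AGENT", "")):
        return "no Googlebot claim"
    ok = is_verified_googlebot(entry.get("REMOTE_ADDR", ""), reverse, forward)
    return "verified Googlebot" if ok else "fake Googlebot: blocked correctly"

# Constructed offline DNS stand-ins: the host named in this thread, a made-up
# address that passes both lookups, and one whose PTR looks right but does not
# resolve back to it (the case forward confirmation exists to catch).
FAKE_PTR = {"208.82.118.141": "ps3.jdsolve.com",
            "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
            "192.0.2.20": "crawl-192-0-2-10.googlebot.com"}
FAKE_A = {"ps3.jdsolve.com": ["208.82.118.141"],
          "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}

def stub_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return (FAKE_PTR[ip], [], [ip])       # same shape as socket.gethostbyaddr

def stub_forward(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return (host, [], FAKE_A[host])       # same shape as socket.gethostbyname_ex

# The two fields from the entry in this post that the check needs (constructed dict).
LOGGED_ENTRY = {"REMOTE_ADDR": "208.82.118.141",
                "HTTP_USER_AGENT": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}
```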

    #20556

    jenni101
    Participant

    Hi Edward,

    I’m in the early learning stage of my security logs, so would appreciate your feedback on this.

    I’ve found a WPADMIN-SBR event code in my security log, with an HTTP/1.1 referrer and an OK (?) user agent, as below…

     [403 GET / HEAD Request: 17th January 2015 - 10:22 pm]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 134.249.140.218
    Host Name: 134-249-140-218-gprs.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://mysite.com
    REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.68 Safari/534.30

    but the same host name is then also logged for heaps of repeated requests for plugins/themes that I don’t have, with an event code of BFHS and occasionally PFWR-PSBR-HPR. An example is below…

    [403 GET / HEAD Request: 17th January 2015 - 10:23 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 134.249.140.218
    Host Name: 134-249-140-218-gprs.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://mysite.com/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php
    REQUEST_URI: /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.68 Safari/534.30

    From the above I’m guessing it’s not something I need to add to my wp-admin skip/bypass rule? Sorry it’s so basic – is this typical of how hacker/probes behave?

    Cheers.

    #20557

    AITpro Admin
    Keymaster

    This is a blocked hacker recon/probe/attempt looking for the known vulnerability in the revolution slider plugin or trying to exploit and hack your website.  You do not need to do anything since BPS has already blocked the hacker recon/probe/hacking attempt.  See the link below for more info.
    http://forum.ait-pro.com/forums/topic/slider-revolution-responsive-wordpress-plugin-vulnerability/

    The other security log entry is another hacker recon/probe/attempt that is being blocked.

    #20562

    jenni101
    Participant

    Many thanks.

    #20787

    Hans
    Participant

    I’m a bit intimidated by all this code, and since my girlfriend’s website has suffered a number of brute force attacks, I started using your plugin on top of Wordfence. I followed the instructions and installed the bonus codes also, changing the IP addresses in the brute force attack code as instructed.

    Now every time I try to search in the wp-admin Pages, I get a 403 error page. The log entry below confirms that it is blocked, but I don’t know how to solve it. Searching for edit.php on this forum didn’t give a solution, so could someone please advise me on what code to add or change.

    It’s a Dutch website using the Dutch translation of WordPress, and all plugins are updated to the latest version. Thanks for the good work. I’ve started with the free version for now and am very happy such an advanced tool exists to fight off attacks. Thanks in advance for your help.

    For privacy reasons I’ve changed the domain name and IP address to xxx.

    [403 GET / HEAD Request: 4 februari 2015 - 15:11]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: xxx.xxx.xxx.xxx.dsl.alice.nl
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: xxx.xxx.xxx.xxx
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://xxxxxxxxxxxxxxxxxx.nl/wp-admin/edit.php?post_type=page
    REQUEST_URI: /wp-admin/edit.php?s=test&=Pagina%27s+zoeken&post_status=all&post_type=page&_wpnonce=2e22bd85bc&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dpage&action=-1&m=0&seo_filter=&paged=1&action2=-1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
