Topic: Security Log Event Codes | BulletProof Security Forum

Security Log Event Codes

Tagged: Event Codes, Security Log

This topic has 87 replies, 22 voices, and was last updated 1 year ago by meets korun.

Viewing 15 posts - 16 through 30 (of 88 total)

← 1 2 3 4 5 6 →

Author

Posts
February 4, 2015 at 7:37 am #20789
AITpro Admin
Keymaster

To whitelist/allow apostrophe’s / single quote code characters in wp-admin searches click the link below.
http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372
February 4, 2015 at 8:16 am #20796
Hans
Participant

It works. Wonderfull. Thank you very much.
September 14, 2015 at 1:49 am #24983
George Mohan
Participant
How can i fix this error
```
[403 GET / HEAD Request: September 8, 2015 - 3:58 PM]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 103.22.201.224
Host Name: 103.22.201.224
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 117.241.63.235
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.co.in/
REQUEST_URI: /images/2015/08/Loham-firstday-collection-report-300x240.jpg
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
```
This is error or someone try to hack ??
```
[403 GET / HEAD Request: September 13, 2015 - 10:32 PM]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 141.101.105.80
Host Name: 141.101.105.80
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 195.154.168.128
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://movieseeks.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
```
September 14, 2015 at 7:02 am #24987
AITpro Admin
Keymaster

103.22.201.224 is a CloudFlare IP address. This is probably just a nuisance Security Log entry that you can ignore. Check that the image file: /images/2015/08/Loham-firstday-collection-report-300×240.jpg is displayed normally on your site and also check any Hotlink protection code to make sure you are not blocking Google or other search engines.

The second Security Log entry is a blocked hacker recon/probe/attempt looking for the known vulnerability in the revolution slider plugin or trying to exploit and hack your website. You do not need to do anything since BPS has already blocked the hacker recon/probe/hacking attempt. See the link below for more info.
http://forum.ait-pro.com/forums/topic/slider-revolution-responsive-wordpress-plugin-vulnerability/
September 15, 2015 at 5:26 am #25008
George Mohan
Participant

k thank you
February 26, 2016 at 12:29 am #28305
Deb
Participant
Hi, another “internal” error entry.
One of many sites on same server where other BPSpro sites are set up and running fine. Nothing unusual about this install at all–brand new.

A “GET” security log entry every time I do an S-Monitor “Send Test Email” which do work and are being sent (where other sites are no longer working) listing the site’s own server ip address, hostname, and bulletproof plugin. Go figure. I’ve run the pre-setup and setup wizards a couple of times and checked the plugin firewall – just adding .js I saw pop up in log before. [Auto-Pilot didn’t appear to really work. cURL scan didn’t find any entries. cURL does function.]
```
[403 GET Request: February 26, 2016 - 1:58 am]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: ip.address.of.site.server
Host Name: the.sites.vps.hostname
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/test/bps-email-check.php
QUERY_STRING:
HTTP_USER_AGENT: WordPress/4.4.2; http://thesitedomainname.com
```
February 26, 2016 at 8:56 am #28317
AITpro Admin
Keymaster

Ok we will check this in the BPS Pro code and see if we find any issues/problems. I believe this issue/problem is going to have something to do with your specific hosting server/websites or maybe you are using this Bonus Custom Code that can block by Server Protocol HTTP/1.0: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/ I have not tested that possibility yet.

I do not believe this error has anything at all to do with the Plugin Firewall. PFW AutoPilot Mode will not create rules that should not be created. ie bad or invalid rules and will instead do nothing so that a new problem does not occur.

Also you should delete whatever PFW whitelist rule you created for this “…just adding .js I saw pop up in log before…”. Adding .js in the Plugin Firewall whitelist text area is not valid. See the Plugin Firewall Read Me help button for or the http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ forum topic for the only valid format for Plugin Firewall whitelist rules and more extensive help info. The Plugin Firewall only affects frontloading scripts on your website. The /bulletproof-security/admin/test/bps-email-check.php is not a frontloading script and only loads in the backend of your website. Only frontloading plugin scripts need to be whitelisted and backend scripts never need to be whitelisted. The cURL scanner only scans the frontend Source Code of your website for possible frontloading scripts that need to be whitelisted in the Plugin Firewall.
February 26, 2016 at 1:17 pm #28332
Deb
Participant
All the normal plugins I have in this new install are in all the other site installs and working fine on this server.
This is the only wp install out of 9 total on the server this happens on. Most plugins are identical. Plugin Firewall was the culprit… here’s the full testing I did.

1. Cleared the whitelist in firewall – retested – same error upon Send Test Email.
1a. ran the cURL scan and it only added one: “/s2member/s2member-o.php”
After all the plugins were deactivated, scanner had added back the ones I’d found and put back in:
```
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: February 26, 2016 - 2:31 pm]
Whitelist Rule: /sidebar-login/assets/js/jquery.blockUI.min.js
Whitelist Rule: /sidebar-login/assets/js/sidebar-login.min.js
```
2. Only 3 custom code sets now (I have many more on other sites but haven’t needed them here yet):
# BEGIN WEBSITE SPEED BOOST CUSTOM CODE is the only custom code in there.
# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# CUSTOM GZIP CODE FOR S2MEMBER

3. Deactivated all, plugin after plugin (in order of deactivation-all of them): Postman SMTP, MailPoet Newsletters, Contact Form 7, Popups – WordPress Popup, s2Member Framework, Wordfence Security, Automatic Copyright Year, Compact Audio Player, Divi Builder, Elegant Themes Updater, Javascript Html and Text Adder, Optimize Database after Deleting Revisions, Revision Control, Sidebar Login, Toggle The Title, Under Construction / Maintenance Mode From Acurax, UpdraftPlus – Backup/Restore, WP-DBManager. (All gone, but not deleted.)

4. Changed Theme (Divi) out for TwentySixteen after half the plugins deactivated: No change still popped the error.

Only BPS Pro left on/2016 theme and still popped the Sec Log error after “Send Test Email” in S-Monitor.

5. Deactivated entire Plugin Firewall–but left AutoPilot on to every 1 Minute. Still popped error. Then turned off AutoPilate, still error—but the Firewall had turned itself back on after the red dot had been there one move before on all tabs I was watching.
AFTER THEN, AGAIN, DEACTIVATING THE PLUGIN FIREWALL – ERROR DID NOT OCCUR.

6. All system data: [system data was deleted as it is not relevant to the problem]
February 26, 2016 at 1:31 pm #28334
AITpro Admin
Keymaster

The only way the Plugin Firewall could be causing this problem is for these 2 reasons:

1. You have invalid Plugin Firewall whitelist rules.
2. Your Proxy server is configured incorrectly.

I will need to login to this site to find out which of the 2 reasons above is causing this problem. Send a WP Admin login to: info at ait-pro dot com.
February 26, 2016 at 1:41 pm #28335
AITpro Admin
Keymaster

@ Deb – You can try these steps to clear/reset the Plugin Firewall and see if that fixes the problem.

Do the steps below.
Fix all general Plugin Firewall issues/problems:
1. Go to the BPS Security Log page and click the Delete Log button to delete your current Security Log file contents.
2. Go to the Plugin Firewall page.
3. Click the Plugin Firewall BulletProof Mode Deactivate button.
4. Delete (or cut if you want to add your existing whitelist rules back into the Plugins Script|File Whitelist Text Area) all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
5. Click the Save Whitelist Options button.
6. Click the Plugin Firewall Test Mode button.
7. Check your site pages by clicking on all main website pages: contact form page, home page, login page, etc.
8. Recheck the Plugins Script|File Whitelist Text Area (after 1 minute) and you should see new Plugin Firewall whitelist rules have been created.
9. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.
10. Click the Plugin Firewall Activate button.
February 26, 2016 at 3:35 pm #28340
AITpro Admin
Keymaster

@ Deb – The problem is now fixed and was related to the Proxy server setup on this site/server so just added the server/website IP address in the Plugin Firewall > Plugin Firewall Additional Whitelist Tools > Whitelist by Hostname (domain name) and IP Address option text box and created a new Plugin Firewall htaccess file. I am logged out of the site now.
February 26, 2016 at 4:14 pm #28342
Deb
Participant

Thank you very much.

I still don’t understand how I could have seen that (where) and added the code.
What proxy server?

None of the other sites on the server have the problem.

??? confused here.

[I do see this under the whitelist, and have used it before on another GoDaddy server
Click the Read Me help button for help information about the Plugin Firewall Additional Whitelist Tools
Whitelist by Hostname (domain name) and IP Address:
Use a comma and a space between Hostnames and IP Addresses.
Example: example.com, 100.99.88.77, example-2.com
If you want to use backslashes, escape a backslash with another backslash.
Example: example\\.com, 100\\.99\\.88\\.77, example-2\\.com]

How would we know to go there. Just do it and see if it works?

Thank you so much, as usual.
This is supposedly a new and only SSD drive VPS server w/8GBs of memory.
It is fast to me compared to all other servers I work with.
February 26, 2016 at 4:27 pm #28343
AITpro Admin
Keymaster

@ Deb – This is just something that we know and not something that you would probably be able to figure out because it is occurring at the server level and not the website level. The most obvious clue is that the Server Protocol is HTTP/1.0 in the Security Log entry you posted. Older Proxy servers use HTTP/1.0 instead of using the newer HTTP/1.1 Server Protocol. So it is dead giveaway that the server has a Load Balancer/Proxy installed. The typical solution is always the same for this type of Load Balancer/Proxy issue, which is to add the server’s IP address in the Additional Whitelist Tool. The reason that information is not posted in the beginning of this forum topic is because less than .05% of website owners could be affected by this.
April 2, 2016 at 10:19 pm #28834
George Mohan
Participant
How can i fix the below error?
```
[403 GET Request: March 31, 2016 - 7:07 AM]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 108.162.216.76
Host Name: 108.162.216.76
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 66.249.91.63
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-config.php?cmd=free
QUERY_STRING:
HTTP_USER_AGENT: AdsBot-Google (+http://www.google.com/adsbot.html)

[403 POST Request: April 3, 2016 - 1:25 AM]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 62.76.185.186
Host Name: 221962-10001.clodo.ru
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-admin/admin-ajax.php?page=login&img=../wp-config.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.1
REQUEST BODY: --------------------------cde3f952ac8f67bc
Content-Disposition: form-data; name="action"

revslider_show_image
--------------------------cde3f952ac8f67bc
Content-Disposition: form-data; name="img"

../wp-config.php
--------------------------cde3f952ac8f67bc--
```
April 2, 2016 at 10:46 pm #28836
AITpro Admin
Keymaster

The first log entry almost looks legitimate. The IP address is google, but it may be spoofed by using HTTP_X_FORWARDED_FOR and same applies to the User Agent. What is definitely not legitimate is the Request URI to: /wp-config.php?cmd=free. I cannot think of any reason why Google would be trying to access your wp-config.php file so I assume this is a hacker probing your site and making it look like they are Google. Are you doing anything with Google AdWords or Adsense on your website?

The second log entry is obviously a hacker using a very common hacking probe.
Author

Posts

Viewing 15 posts - 16 through 30 (of 88 total)

← 1 2 3 4 5 6 →

You must be logged in to reply to this topic.

BulletProof Security Forum

Security Log Event Codes

Search Forums

Topic Tags