Security Log Event Codes
Tagged: Event Codes, Security Log
This topic has 94 replies, 26 voices, and was last updated 1 day, 3 hours ago by Rahul.

AITpro Admin (Keymaster):
To whitelist/allow apostrophes / single quote code characters in wp-admin searches, click the link below.
http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

Hans (Participant):
It works. Wonderful. Thank you very much.

George Mohan (Participant):
How can I fix this error?
[403 GET / HEAD Request: September 8, 2015 - 3:58 PM] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: 103.22.201.224 Host Name: 103.22.201.224 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 117.241.63.235 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://www.google.co.in/ REQUEST_URI: /images/2015/08/Loham-firstday-collection-report-300x240.jpg QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Is this an error, or is someone trying to hack?
[403 GET / HEAD Request: September 13, 2015 - 10:32 PM] Event Code: WPADMIN-SBR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 141.101.105.80 Host Name: 141.101.105.80 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 195.154.168.128 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: http://movieseeks.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
AITpro Admin (Keymaster):
103.22.201.224 is a CloudFlare IP address. This is probably just a nuisance Security Log entry that you can ignore. Check that the image file /images/2015/08/Loham-firstday-collection-report-300x240.jpg is displayed normally on your site, and also check any Hotlink protection code to make sure you are not blocking Google or other search engines.
The second Security Log entry is a blocked hacker recon/probe/attempt looking for the known vulnerability in the revolution slider plugin or trying to exploit and hack your website. You do not need to do anything since BPS has already blocked the hacker recon/probe/hacking attempt. See the link below for more info.
http://forum.ait-pro.com/forums/topic/slider-revolution-responsive-wordpress-plugin-vulnerability/

George Mohan (Participant):
OK, thank you.

Deb (Participant):
Hi, another “internal” error entry.
One of many sites on the same server where other BPS Pro sites are set up and running fine. Nothing unusual about this install at all; it is brand new. A “GET” security log entry appears every time I do an S-Monitor “Send Test Email”, which do work and are being sent (where other sites are no longer working), listing the site’s own server IP address, hostname, and the BulletProof plugin. Go figure. I’ve run the pre-setup and setup wizards a couple of times and checked the Plugin Firewall (just adding .js I saw pop up in the log before). [Auto-Pilot didn’t appear to really work. cURL scan didn’t find any entries. cURL does function.]
[403 GET Request: February 26, 2016 - 1:58 am] Event Code: PFWR-PSBR-HPR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: ip.address.of.site.server Host Name: the.sites.vps.hostname SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/test/bps-email-check.php QUERY_STRING: HTTP_USER_AGENT: WordPress/4.4.2; http://thesitedomainname.com
AITpro Admin (Keymaster):
Ok, we will check this in the BPS Pro code and see if we find any issues/problems. I believe this issue/problem is going to have something to do with your specific hosting server/websites, or maybe you are using this Bonus Custom Code that can block by Server Protocol HTTP/1.0: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/ I have not tested that possibility yet.
I do not believe this error has anything at all to do with the Plugin Firewall. PFW AutoPilot Mode will not create rules that should not be created, i.e. bad or invalid rules, and will instead do nothing so that a new problem does not occur.
Also, you should delete whatever PFW whitelist rule you created for this: “…just adding .js I saw pop up in log before…”. Adding .js in the Plugin Firewall whitelist text area is not valid. See the Plugin Firewall Read Me help button or the http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ forum topic for the only valid format for Plugin Firewall whitelist rules and more extensive help info. The Plugin Firewall only affects frontloading scripts on your website. The /bulletproof-security/admin/test/bps-email-check.php file is not a frontloading script and only loads in the backend of your website. Only frontloading plugin scripts need to be whitelisted, and backend scripts never need to be whitelisted. The cURL scanner only scans the frontend Source Code of your website for possible frontloading scripts that need to be whitelisted in the Plugin Firewall.
Deb (Participant):
All the normal plugins I have in this new install are in all the other site installs and working fine on this server.
This is the only WP install out of 9 total on the server this happens on. Most plugins are identical. Plugin Firewall was the culprit… here’s the full testing I did.
1. Cleared the whitelist in the firewall – retested – same error upon Send Test Email.
1a. Ran the cURL scan and it only added one: “/s2member/s2member-o.php”
After all the plugins were deactivated, the scanner had added back the ones I’d found and put back in:
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: February 26, 2016 - 2:31 pm] Whitelist Rule: /sidebar-login/assets/js/jquery.blockUI.min.js Whitelist Rule: /sidebar-login/assets/js/sidebar-login.min.js
2. Only 3 custom code sets now (I have many more on other sites but haven’t needed them here yet):
# BEGIN WEBSITE SPEED BOOST CUSTOM CODE is the only custom code in there.
# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# CUSTOM GZIP CODE FOR S2MEMBER
3. Deactivated all, plugin after plugin (in order of deactivation, all of them): Postman SMTP, MailPoet Newsletters, Contact Form 7, Popups – WordPress Popup, s2Member Framework, Wordfence Security, Automatic Copyright Year, Compact Audio Player, Divi Builder, Elegant Themes Updater, Javascript Html and Text Adder, Optimize Database after Deleting Revisions, Revision Control, Sidebar Login, Toggle The Title, Under Construction / Maintenance Mode From Acurax, UpdraftPlus – Backup/Restore, WP-DBManager. (All gone, but not deleted.)
4. Changed theme (Divi) out for TwentySixteen after half the plugins were deactivated: no change, it still popped the error.
Only BPS Pro left on with the 2016 theme, and it still popped the Sec Log error after “Send Test Email” in S-Monitor.
5. Deactivated the entire Plugin Firewall, but left AutoPilot on at every 1 minute. Still popped the error. Then turned off AutoPilot, still the error, but the Firewall had turned itself back on after the red dot had been there one move before on all tabs I was watching.
AFTER THEN, AGAIN, DEACTIVATING THE PLUGIN FIREWALL – ERROR DID NOT OCCUR.
6. All system data: [system data was deleted as it is not relevant to the problem]
AITpro Admin (Keymaster):
The only way the Plugin Firewall could be causing this problem is for these 2 reasons:
1. You have invalid Plugin Firewall whitelist rules.
2. Your Proxy server is configured incorrectly.
I will need to log in to this site to find out which of the 2 reasons above is causing this problem. Send a WP Admin login to: info at ait-pro dot com.

AITpro Admin (Keymaster):
@ Deb – You can try these steps to clear/reset the Plugin Firewall and see if that fixes the problem.
Do the steps below.
Fix all general Plugin Firewall issues/problems:
1. Go to the BPS Security Log page and click the Delete Log button to delete your current Security Log file contents.
2. Go to the Plugin Firewall page.
3. Click the Plugin Firewall BulletProof Mode Deactivate button.
4. Delete (or cut if you want to add your existing whitelist rules back into the Plugins Script|File Whitelist Text Area) all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
5. Click the Save Whitelist Options button.
6. Click the Plugin Firewall Test Mode button.
7. Check your site pages by clicking on all main website pages: contact form page, home page, login page, etc.
8. Recheck the Plugins Script|File Whitelist Text Area (after 1 minute) and you should see new Plugin Firewall whitelist rules have been created.
9. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.
10. Click the Plugin Firewall Activate button.

AITpro Admin (Keymaster):
@ Deb – The problem is now fixed and was related to the Proxy server setup on this site/server, so I just added the server/website IP address in the Plugin Firewall > Plugin Firewall Additional Whitelist Tools > Whitelist by Hostname (domain name) and IP Address option text box and created a new Plugin Firewall htaccess file. I am logged out of the site now.

Deb (Participant):
Thank you very much.
I still don’t understand how I could have seen that (where) and added the code.
What proxy server? None of the other sites on the server have the problem.
??? confused here.
[I do see this under the whitelist, and have used it before on another GoDaddy server
Click the Read Me help button for help information about the Plugin Firewall Additional Whitelist Tools
Whitelist by Hostname (domain name) and IP Address:
Use a comma and a space between Hostnames and IP Addresses.
Example: example.com, 100.99.88.77, example-2.com
If you want to use backslashes, escape a backslash with another backslash.
Example: example\\.com, 100\\.99\\.88\\.77, example-2\\.com]
How would we know to go there? Just do it and see if it works?
Thank you so much, as usual.
This is supposedly a new and only SSD drive VPS server w/8GBs of memory.
It is fast to me compared to all other servers I work with.

AITpro Admin (Keymaster):
@ Deb – This is just something that we know and not something that you would probably be able to figure out, because it is occurring at the server level and not the website level. The most obvious clue is that the Server Protocol is HTTP/1.0 in the Security Log entry you posted. Older Proxy servers use HTTP/1.0 instead of using the newer HTTP/1.1 Server Protocol. So it is a dead giveaway that the server has a Load Balancer/Proxy installed. The typical solution is always the same for this type of Load Balancer/Proxy issue, which is to add the server’s IP address in the Additional Whitelist Tool. The reason that information is not posted in the beginning of this forum topic is because less than .05% of website owners could be affected by this.

George Mohan (Participant):
How can I fix the below error?
[403 GET Request: March 31, 2016 - 7:07 AM] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: 108.162.216.76 Host Name: 108.162.216.76 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 66.249.91.63 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-config.php?cmd=free QUERY_STRING: HTTP_USER_AGENT: AdsBot-Google (+http://www.google.com/adsbot.html)
[403 POST Request: April 3, 2016 - 1:25 AM] Event Code: WPADMIN-SBR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 62.76.185.186 Host Name: 221962-10001.clodo.ru SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-admin/admin-ajax.php?page=login&img=../wp-config.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.1 REQUEST BODY: --------------------------cde3f952ac8f67bc Content-Disposition: form-data; name="action" revslider_show_image --------------------------cde3f952ac8f67bc Content-Disposition: form-data; name="img" ../wp-config.php --------------------------cde3f952ac8f67bc--

AITpro Admin (Keymaster):
The first log entry almost looks legitimate. The IP address is Google, but it may be spoofed by using HTTP_X_FORWARDED_FOR, and the same applies to the User Agent. What is definitely not legitimate is the Request URI to: /wp-config.php?cmd=free. I cannot think of any reason why Google would be trying to access your wp-config.php file, so I assume this is a hacker probing your site and making it look like they are Google. Are you doing anything with Google AdWords or Adsense on your website?
The second log entry is obviously a hacker using a very common hacking probe.
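An added example, not BPS Pro's own code: a small parser for the one-line Security Log layout quoted throughout this thread, with the triage signals the admin relies on above (HTTP/1.0 as a load balancer/proxy clue, a request from the site's own server IP, an HTTP_X_FORWARDED_FOR that can be spoofed, and requests for wp-config.php). The two sample entries, their IP addresses and hostnames are constructed for the example and are not values from the thread.

```python
import re

# Constructed sample entries in the single-line layout the thread quotes; the
# addresses are documentation (TEST-NET) ranges, not real hosts from the thread.
SAMPLE_LOG = """\
[403 GET Request: February 26, 2016 - 1:58 am] Event Code: PFWR-PSBR-HPR Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 203.0.113.10 Host Name: vps.example.invalid SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/test/bps-email-check.php QUERY_STRING: HTTP_USER_AGENT: WordPress/4.4.2; http://example.invalid
[403 GET Request: March 31, 2016 - 7:07 AM] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: 198.51.100.7 Host Name: 198.51.100.7 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 192.0.2.9 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-config.php?cmd=free QUERY_STRING: HTTP_USER_AGENT: AdsBot-Google (+http://www.google.com/adsbot.html)
"""

FIELDS = ["Event Code", "Solution", "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL",
          "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR",
          "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT"]
HEADER_RE = re.compile(r"^\[(\d{3}) (.+?) Request: (.+?)\]\s*(.*)$")
# Split the body on "FIELD: " labels; empty fields (e.g. "HTTP_CLIENT_IP: ") survive as "".
SPLIT_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r"): ")

def parse_entry(line):
    """Return header fields plus every 'FIELD: value' pair as a dict, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    entry = {"status": m.group(1), "method": m.group(2), "date": m.group(3)}
    parts = SPLIT_RE.split(m.group(4))  # ["", key1, val1, key2, val2, ...]
    for key, val in zip(parts[1::2], parts[2::2]):
        entry[key] = val.strip()
    return entry

def triage(entry, server_ip=None):
    """Tags for the signals discussed in the thread; server_ip is the site's own IP."""
    tags = []
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        tags.append("proxy-http10")      # older load balancer/proxy in front of the site
    if server_ip and entry.get("REMOTE_ADDR") == server_ip:
        tags.append("self-request")      # the site calling itself through that proxy
    xff = entry.get("HTTP_X_FORWARDED_FOR", "")
    if xff and xff != entry.get("REMOTE_ADDR"):
        tags.append("xff-mismatch")      # client-supplied header, may be spoofed
    target = entry.get("REQUEST_URI", "") + " " + entry.get("HTTP_REFERER", "")
    if "wp-config.php" in target or "../" in target:
        tags.append("wp-config-probe")   # no legitimate crawler needs this file
    return tags

def triage_log(text, server_ip=None):
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return [(e["date"], e.get("Event Code", ""), triage(e, server_ip)) for e in entries if e]

if __name__ == "__main__":
    for date, code, tags in triage_log(SAMPLE_LOG, server_ip="203.0.113.10"):
        print(f"{date} | {code} | {', '.join(tags) or 'no signal'}")
```

Pass the server's own IP as server_ip to get the "self-request" tag Deb's entry would show; the "xff-mismatch" tag only means the forwarded header cannot be trusted for attribution, not that the request is malicious on its own.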