Security Log Event Codes


This topic contains 78 replies, has 16 voices, and was last updated by  AITpro Admin 2 months, 1 week ago.

Viewing 15 posts - 16 through 30 (of 79 total)

#20789

    AITpro Admin
    Keymaster

To whitelist/allow apostrophes / single quote code characters in wp-admin searches click the link below.
    http://forum.ait-pro.com/forums/topic/search-string-403-error/#post-14372

    #20796

    Hans
    Participant

It works. Wonderful. Thank you very much.

    #24983

    George Mohan
    Participant

How can I fix this error?

    [403 GET / HEAD Request: September 8, 2015 - 3:58 PM]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 103.22.201.224
    Host Name: 103.22.201.224
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 117.241.63.235
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.co.in/
    REQUEST_URI: /images/2015/08/Loham-firstday-collection-report-300x240.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36

Is this an error, or is someone trying to hack??

    [403 GET / HEAD Request: September 13, 2015 - 10:32 PM]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 141.101.105.80
    Host Name: 141.101.105.80
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 195.154.168.128
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://movieseeks.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
    REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
    QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

#24987

    AITpro Admin
    Keymaster

103.22.201.224 is a CloudFlare IP address.  This is probably just a nuisance Security Log entry that you can ignore.  Check that the image file: /images/2015/08/Loham-firstday-collection-report-300x240.jpg is displayed normally on your site and also check any Hotlink protection code to make sure you are not blocking Google or other search engines.

    The second Security Log entry is a blocked hacker recon/probe/attempt looking for the known vulnerability in the revolution slider plugin or trying to exploit and hack your website.  You do not need to do anything since BPS has already blocked the hacker recon/probe/hacking attempt.  See the link below for more info.
    http://forum.ait-pro.com/forums/topic/slider-revolution-responsive-wordpress-plugin-vulnerability/

    #25008

    George Mohan
    Participant

Ok, thank you.

    #28305

    Deb
    Participant

    Hi, another “internal” error entry.
    One of many sites on same server where other BPSpro sites are set up and running fine. Nothing unusual about this install at all–brand new.

    A “GET” security log entry every time I do an S-Monitor “Send Test Email” which do work and are being sent (where other sites are no longer working) listing the site’s own server ip address, hostname, and bulletproof plugin. Go figure. I’ve run the pre-setup and setup wizards a couple of times and checked the plugin firewall – just adding .js I saw pop up in log before. [Auto-Pilot didn’t appear to really work. cURL scan didn’t find any entries. cURL does function.]

    [403 GET Request: February 26, 2016 - 1:58 am]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: ip.address.of.site.server
    Host Name: the.sites.vps.hostname
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/test/bps-email-check.php
    QUERY_STRING:
HTTP_USER_AGENT: WordPress/4.4.2; http://thesitedomainname.com

#28317

    AITpro Admin
    Keymaster

    Ok we will check this in the BPS Pro code and see if we find any issues/problems.  I believe this issue/problem is going to have something to do with your specific hosting server/websites or maybe you are using this Bonus Custom Code that can block by Server Protocol HTTP/1.0:  http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/   I have not tested that possibility yet.

I do not believe this error has anything at all to do with the Plugin Firewall.  PFW AutoPilot Mode will not create rules that should not be created, i.e. bad or invalid rules, and will instead do nothing so that a new problem does not occur.

Also you should delete whatever PFW whitelist rule you created for this “…just adding .js I saw pop up in log before…”.  Adding .js in the Plugin Firewall whitelist text area is not valid.  See the Plugin Firewall Read Me help button or the http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ forum topic for the only valid format for Plugin Firewall whitelist rules and more extensive help info.  The Plugin Firewall only affects frontloading scripts on your website.  The /bulletproof-security/admin/test/bps-email-check.php is not a frontloading script and only loads in the backend of your website.  Only frontloading plugin scripts need to be whitelisted and backend scripts never need to be whitelisted.  The cURL scanner only scans the frontend Source Code of your website for possible frontloading scripts that need to be whitelisted in the Plugin Firewall.

    #28332

    Deb
    Participant

    All the normal plugins I have in this new install are in all the other site installs and working fine on this server.
    This is the only wp install out of 9 total on the server this happens on. Most plugins are identical. Plugin Firewall was the culprit… here’s the full testing I did.

    1. Cleared the whitelist in firewall – retested – same error upon Send Test Email.
    1a. ran the cURL scan and it only added one: “/s2member/s2member-o.php”
    After all the plugins were deactivated, scanner had added back the ones I’d found and put back in:

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: February 26, 2016 - 2:31 pm]
    Whitelist Rule: /sidebar-login/assets/js/jquery.blockUI.min.js
    Whitelist Rule: /sidebar-login/assets/js/sidebar-login.min.js

    2. Only 3 custom code sets now (I have many more on other sites but haven’t needed them here yet):
    # BEGIN WEBSITE SPEED BOOST CUSTOM CODE is the only custom code in there.
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # CUSTOM GZIP CODE FOR S2MEMBER

    3. Deactivated all, plugin after plugin (in order of deactivation-all of them): Postman SMTP, MailPoet Newsletters, Contact Form 7, Popups – WordPress Popup, s2Member Framework, Wordfence Security, Automatic Copyright Year, Compact Audio Player, Divi Builder, Elegant Themes Updater, Javascript Html and Text Adder, Optimize Database after Deleting Revisions, Revision Control, Sidebar Login, Toggle The Title, Under Construction / Maintenance Mode From Acurax, UpdraftPlus – Backup/Restore, WP-DBManager. (All gone, but not deleted.)

    4. Changed Theme (Divi) out for TwentySixteen after half the plugins deactivated: No change still popped the error.

    Only BPS Pro left on/2016 theme and still popped the Sec Log error after “Send Test Email” in S-Monitor.

5. Deactivated entire Plugin Firewall–but left AutoPilot on to every 1 Minute. Still popped error. Then turned off AutoPilot, still error—but the Firewall had turned itself back on after the red dot had been there one move before on all tabs I was watching.
    AFTER THEN, AGAIN, DEACTIVATING THE PLUGIN FIREWALL – ERROR DID NOT OCCUR.

    6. All system data: [system data was deleted as it is not relevant to the problem]

    #28334

    AITpro Admin
    Keymaster

    The only way the Plugin Firewall could be causing this problem is for these 2 reasons:

    1. You have invalid Plugin Firewall whitelist rules.
    2. Your Proxy server is configured incorrectly.

    I will need to login to this site to find out which of the 2 reasons above is causing this problem.  Send a WP Admin login to:  info at ait-pro dot com.

    #28335

    AITpro Admin
    Keymaster

    @ Deb – You can try these steps to clear/reset the Plugin Firewall and see if that fixes the problem.

    Do the steps below.
    Fix all general Plugin Firewall issues/problems:
    1. Go to the BPS Security Log page and click the Delete Log button to delete your current Security Log file contents.
    2. Go to the Plugin Firewall page.
    3. Click the Plugin Firewall BulletProof Mode Deactivate button.
    4. Delete (or cut if you want to add your existing whitelist rules back into the Plugins Script|File Whitelist Text Area) all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
    5. Click the Save Whitelist Options button.
    6. Click the Plugin Firewall Test Mode button.
    7. Check your site pages by clicking on all main website pages: contact form page, home page, login page, etc.
    8. Recheck the Plugins Script|File Whitelist Text Area (after 1 minute) and you should see new Plugin Firewall whitelist rules have been created.
    9. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.
    10. Click the Plugin Firewall Activate button.

    #28340

    AITpro Admin
    Keymaster

    @ Deb – The problem is now fixed and was related to the Proxy server setup on this site/server so just added the server/website IP address in the Plugin Firewall > Plugin Firewall Additional Whitelist Tools > Whitelist by Hostname (domain name) and IP Address option text box and created a new Plugin Firewall htaccess file.  I am logged out of the site now.

    #28342

    Deb
    Participant

    Thank you very much.

    I still don’t understand how I could have seen that (where) and added the code.
    What proxy server?

    None of the other sites on the server have the problem.

    ??? confused here.

    [I do see this under the whitelist, and have used it before on another GoDaddy server
    Click the Read Me help button for help information about the Plugin Firewall Additional Whitelist Tools
    Whitelist by Hostname (domain name) and IP Address:
    Use a comma and a space between Hostnames and IP Addresses.
    Example: example.com, 100.99.88.77, example-2.com
    If you want to use backslashes, escape a backslash with another backslash.
    Example: example\\.com, 100\\.99\\.88\\.77, example-2\\.com]

    How would we know to go there. Just do it and see if it works?

    Thank you so much, as usual.
    This is supposedly a new and only SSD drive VPS server w/8GBs of memory.
    It is fast to me compared to all other servers I work with.

    #28343

    AITpro Admin
    Keymaster

    @ Deb – This is just something that we know and not something that you would probably be able to figure out because it is occurring at the server level and not the website level.  The most obvious clue is that the Server Protocol is HTTP/1.0 in the Security Log entry you posted.  Older Proxy servers use HTTP/1.0 instead of using the newer HTTP/1.1 Server Protocol.  So it is dead giveaway that the server has a Load Balancer/Proxy installed.  The typical solution is always the same for this type of Load Balancer/Proxy issue, which is to add the server’s IP address in the Additional Whitelist Tool.  The reason that information is not posted in the beginning of this forum topic is because less than .05% of website owners could be affected by this.

    #28834

    George Mohan
    Participant

How can I fix the below error?

    [403 GET Request: March 31, 2016 - 7:07 AM]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 108.162.216.76
    Host Name: 108.162.216.76
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 66.249.91.63
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-config.php?cmd=free
    QUERY_STRING:
    HTTP_USER_AGENT: AdsBot-Google (+http://www.google.com/adsbot.html)
    
    [403 POST Request: April 3, 2016 - 1:25 AM]
    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 62.76.185.186
    Host Name: 221962-10001.clodo.ru
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/admin-ajax.php?page=login&img=../wp-config.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.1
    REQUEST BODY: --------------------------cde3f952ac8f67bc
    Content-Disposition: form-data; name="action"
    
    revslider_show_image
    --------------------------cde3f952ac8f67bc
    Content-Disposition: form-data; name="img"
    
    ../wp-config.php
--------------------------cde3f952ac8f67bc--

#28836

    AITpro Admin
    Keymaster

    The first log entry almost looks legitimate.  The IP address is google, but it may be spoofed by using HTTP_X_FORWARDED_FOR and same applies to the User Agent.  What is definitely not legitimate is the Request URI to: /wp-config.php?cmd=free.  I cannot think of any reason why Google would be trying to access your wp-config.php file so I assume this is a hacker probing your site and making it look like they are Google.  Are you doing anything with Google AdWords or Adsense on your website?

    The second log entry is obviously a hacker using a very common hacking probe.
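As an added example (not code from this thread or from the BPS plugin), a small Python triage script for Security Log entries in the format quoted above. It flags the two signals the admin replies rely on: an HTTP/1.0 Server Protocol (older proxy/load balancer in front of the site) and a populated HTTP_X_FORWARDED_FOR (so REMOTE_ADDR is a proxy and the forwarded IP and User Agent are client-supplied), plus request URIs that touch wp-config.php or use ../ traversal. The sample entries are copied from this thread with their empty fields left out.

```python
import re

# Sample entries copied from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
[403 GET Request: March 31, 2016 - 7:07 AM]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 108.162.216.76
SERVER_PROTOCOL: HTTP/1.1
HTTP_X_FORWARDED_FOR: 66.249.91.63
REQUEST_METHOD: GET
REQUEST_URI: /wp-config.php?cmd=free
HTTP_USER_AGENT: AdsBot-Google (+http://www.google.com/adsbot.html)

[403 GET Request: February 26, 2016 - 1:58 am]
Event Code: PFWR-PSBR-HPR
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/test/bps-email-check.php
HTTP_USER_AGENT: WordPress/4.4.2; http://thesitedomainname.com
"""

SENSITIVE_URI = re.compile(r"wp-config\.php|\.\./")


def parse_entries(text):
    """Split a BPS Security Log dump into one dict per [...] header."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            entries.append({"header": line[1:-1]})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries


def assess(entry):
    """Return short finding codes for one parsed entry."""
    findings = []
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        findings.append("proxy-http10")       # older proxy/load balancer in front
    if entry.get("HTTP_X_FORWARDED_FOR"):
        findings.append("xff-untrusted")      # REMOTE_ADDR is a proxy; XFF is unverified
    if SENSITIVE_URI.search(entry.get("REQUEST_URI", "")):
        findings.append("sensitive-uri")      # wp-config.php / ../ is never legitimate crawling
    return findings


def triage(text):
    """Map each entry header to its findings, for quick review of a log dump."""
    return {e["header"]: assess(e) for e in parse_entries(text)}
```

An entry that is only `xff-untrusted` is the Cloudflare-style nuisance case from earlier in the thread; `proxy-http10` on the site's own request is the load balancer case the admin fixed by whitelisting the server IP.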
