Security Log Event Codes

This topic contains 78 replies, has 16 voices, and was last updated by  AITpro Admin 4 months, 1 week ago.

Viewing 15 posts - 31 through 45 (of 79 total)
    #28862

    George Mohan
    Participant

    Yes we use Adsense  & also cloudflare.com

    #28863

    AITpro Admin
    Keymaster

    Ok, but that still does not explain why Google would be trying to access your wp-config.php file.  The only thing I can think of for why Google would be told to crawl the wp-config.php file would be if a mistake was made somewhere telling Google to crawl the wp-config.php file.  The WordPress wp-config.php file should NEVER be directly accessed via the Browser by anything for any reason.  The wp-config.php file is designed to ONLY be processed/loaded and not accessed by a Browser for any reason.  So this either has to be a mistake somewhere on your website or this is a hacker pretending to be Google.  You may want to look at this Google Adsense help link:  https://support.google.com/adsense/answer/161351?hl=en&ref_topic=1348129 to do things like check your site for Adsense issues, errors, etc.

    #29945

    jenni101
    Participant

    Hi there,

    Recently have logged heaps of blocked entries in my security log for searches in my image library, run by separate software but sits in a sub-folder of my wordpress root site, as eg below:

    [403 GET / HEAD Request: June 21, 2016 - 1:37 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 98.138.81.176
    Host Name: p8w17.geo.ne1.hostingprod.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /imagelibrary/index.php?module=search&pId=100&phrase=1&keyword=alpine%20parrot%27%20and%20%27x%27%3D%27y
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial; SV1; .NET CLR 1.0.3705
    

    My root BPS Pro .htaccess file has some custom code in to exclude this sub-folder and an addon domain that also sits in a sub-folder (and both have their own .htaccess files). The custom code is this:

    # To NOT apply rules to other CHILD websites or ADDON DOMAINS and 
    # to not log errors for these child sites
    # and the RewriteRule for Custom Apps (Image Library) outside of WP
    RewriteRule ^perfectplanetpublishing.co.nz/ - [L]
    RewriteRule ^perfectplanetpublishing.com/ - [L]
    RewriteRule ^imagelibrary/ - [L]
    RewriteRule ^photoclub/ - [L]
    

    So I have 2 questions about this:

    1. I’ve replicated the keyword search (alpine + parrot) in my image library and it works fine – so I assume it’s correctly being blocked as a hacker/spammer? rather than it being a legitimate keyword search?
    2. Do you think I need to change any of my BPS custom code now to exclude my image library, as I’m now getting security logs for it? Or is it still current?

    Many thanks, j

    #29946

    AITpro Admin
    Keymaster

    @ jenni101 – What is triggering BPS to block these Query Strings is the single quote code character/apostrophe/%27 url encoded.  I am not sure why the /imagelibrary/ folder is not being bypassed/skipped, but you can try adding a forward slash / to see if that works.  Do NOT add a forward slash for any of your other site RewriteRules.

    RewriteRule ^/imagelibrary/ - [L]

    I just thought of something obvious.  If your website is calling the image library files from your website then even if the image library is in another folder, your website is calling files from your website and those Query Strings will be blocked, unless you do this:  http://forum.ait-pro.com/forums/topic/apostrophe-single-quote-code-character/#post-6939
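
Added example (not part of the original posts and not BPS code): a Python sketch that parses entries in the layout quoted in this thread and URL-decodes each query parameter, so a search that merely contains an apostrophe can be told apart from one that appends a quoted boolean comparison, as the logged keyword does once decoded. The sample log is constructed (the 192.0.2.x addresses and the second entry are made up), and the function names and the `quoted-boolean` label are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the layout of the entries quoted in this thread.
SAMPLE_LOG = """\
[403 GET / HEAD Request: June 21, 2016 - 1:37 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 192.0.2.10
REQUEST_METHOD: GET
REQUEST_URI: /imagelibrary/index.php?module=search&pId=100&phrase=1&keyword=alpine%20parrot%27%20and%20%27x%27%3D%27y
QUERY_STRING:

[403 GET / HEAD Request: June 21, 2016 - 1:40 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 192.0.2.11
REQUEST_METHOD: GET
REQUEST_URI: /imagelibrary/index.php?module=search&keyword=alpine%20parrot
QUERY_STRING:
"""

HEADER = re.compile(r"^\[(\d{3}) (.+?): (.+)\]$")
# A quote, a boolean operator, then a quoted comparison, e.g. ' and 'x'='y
QUOTED_BOOLEAN = re.compile(r"'\s*(and|or)\s*'[^']*'\s*=\s*'", re.I)

def parse_entries(text):
    """Split a security log into dicts, one per bracketed entry header."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"status": m.group(1), "when": m.group(3)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def triage(entry):
    """Decode every query parameter and label the ones containing a single quote."""
    findings = []
    # The query may be logged inside REQUEST_URI while QUERY_STRING is empty.
    query = urlsplit(entry.get("REQUEST_URI", "")).query or entry.get("QUERY_STRING", "")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "'" in value:
            kind = "quoted-boolean" if QUOTED_BOOLEAN.search(value) else "single-quote"
            findings.append((name, value, kind))
    return findings
```
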

    #29952

    jenni101
    Participant

    @aitpro – no, our website doesn’t call any files from the image library folder, as it runs totally independently. But I’ll trial the additional forward slash and will let you know if it’s still logging security events for the image library.

    Many thanks, j

    #29953

    AITpro Admin
    Keymaster

    @ jenni101 – Also meant to ask exactly where the htaccess file is in relation to the /imagelibrary/ folder.
    Example:  htaccess file is here:  /public_html/.htaccess and the imagelibrary folder is here:  /public_html/imagelibrary/

    #30053

    Pako
    Participant

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    Hi

    If it can help some of you (like me) who are using WP Rocket, I enter this:

    # WP Rocket plugin skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-rocket/ [NC]
    RewriteRule . - [S=13]

    in: BPS Root Custom Code text box:  CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES

    I have done that because when I was updating a post or a page, the first time the page or the post loads I get errors in my console and the page or post does not display correctly the first time, only a refresh of the same page makes it display correctly… don’t know how or why but it works..

    #30093

    Pako
    Participant

    Hi

    I get this Event code: WPADMIN-SBR as I was trying to export my Custom Code from B-Core 🙁
    It would be great if you can give me the right Skip/Bypass rule that needs to be created within BPS Custom Code (and where, I mean, in which text box?)
    Thanks a lot
    Here is the log (I have hidden my IP, hostname and URL):
    +++

    Event Code: WPADMIN-SBR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: AAA.BBB.CCC.DDD
    Host Name: blablablablabla.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: AAA.BBB.CCC.DDD
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.my-site.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fcore%2Fcore.php
    REQUEST_URI: /wp-content/plugins/bulletproof-security/admin/core/cc-master.zip
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

    #30096

    AITpro Admin
    Keymaster

    There should be an htaccess file here: /wp-content/plugins/bulletproof-security/admin/core/.htaccess that automatically whitelists your current IP address and allows you to download the cc-master.zip file.  Do these steps and let me know if you can download the cc-master.zip file.

    1. Use FTP or your web host control panel file manager and delete the htaccess file here: /wp-content/plugins/bulletproof-security/admin/core/.htaccess.  A new htaccess file should be automatically created when you visit the Custom Code page again.
    2. Go to the Custom Code page > click the Export button > download the cc-master.zip file.

    #30097

    Pako
    Participant

    hi @AITPRO

    Don’t you think it’s better if I turn Off AutoRestore before doing that?

    Thanks

    #30100

    AITpro Admin
    Keymaster

    @ Pako – You do not need to turn Off AutoRestore for that and can just delete the .htaccess file.

    #30102

    Pako
    Participant

    Nope… it does not work
    I deleted the .htaccess and visited the Custom Code page > yes the .htaccess has been recreated and yes my own IP is ok in this file.
    But when I click the button to download :

    my-site.com 403 Forbidden Error Page
    If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page. Thank you.
    IP Address: 149.126.78.33

    This ip 149…… is not my IP…
    It’s my INCAPSULA Proxy IP

    #30103

    AITpro Admin
    Keymaster

    @ Pako – That is very odd. I guess we will have to add another option to allow adding additional IP addresses in the Custom Code htaccess file and other htaccess files that are automatically created in BPS plugin folders. For now you will have to do things manually to workaround the Incapsula IP address problem.  ie manually download the zip file using FTP.
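
Pako's log shows his own address only in HTTP_X_FORWARDED_FOR while the 403 page reports the proxy's address, which is why an allowlist keyed on the connecting IP fails behind a proxy. Added example (not BPS code and not from the original posts): resolving the client address so that the forwarded header is honoured only when the connection comes from a trusted proxy. The trusted list, the function names and the 203.0.113.x / 198.51.100.x sample addresses are assumptions.

```python
import ipaddress

# Assumption: the only trusted proxy is the address shown on the 403 page in
# this thread. A real deployment would list the proxy provider's published ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("149.126.78.33/32")]

def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, x_forwarded_for=""):
    """Return the address an IP allowlist should be compared against."""
    if not is_trusted(remote_addr):
        # Direct connection: the header is sender-controlled, so ignore it.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the rightmost hop was appended by our own proxy,
    # anything further left could have been supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed hop: stop trusting the header
    return remote_addr

def allowed(remote_addr, x_forwarded_for, allowlist):
    """Allowlist check on the resolved client address, not the connecting one."""
    return client_ip(remote_addr, x_forwarded_for) in allowlist
```
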

    #31743

    AbZu2
    Participant

    Every time I post a new article on WP I get a security log notice. The latest entry was:

    [405 HEAD Request: 14/12/2016 - 19:49]
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 138.201.248.33
    Host Name: static.33.248.201.138.clients.your-server.de
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER:
    REQUEST_URI: /2016/12/14/endgame-ii-the-antarctic-atlantis-and-ancient-et-ruins-david-wilcock-and-corey-goode
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; um-LN/1.0; mailto: techinfo@ubermetrics-technologies.com)

    #31744

    AITpro Admin
    Keymaster

    The error is a 405 HEAD Request error, which means a HEAD Request was made by something.  To allow HEAD Requests on your website do the steps below.

    1. Copy the REQUEST METHODS FILTERED .htaccess code below to the BPS Root Custom Code text box:  CUSTOM CODE REQUEST METHODS FILTERED
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]