Tagged: Event Codes, Security Log
This topic has 87 replies, 22 voices, and was last updated 8 months ago by meets korun.
AbZu2 (Participant)
GREAT. Thanks. That did the trick. Very appreciative of the excellent and rapid response.
bbmedia (Participant)
Interesting case…
We were updating passwords for some new users and found that one password, 4$nub(WvHytinC@%@C)1vK2T, was being blocked by the htaccess firewall. I have changed personal details but left the log entry otherwise exact. Other passwords obviously had no issues, and on editing this password to 4nubWvHytinC@C1vK2T the edit worked fine.
[403 POST Request: April 27, 2017 - 12:14 pm] BPS Pro: 12.9.1 WP: 4.7.4 Event Code: WPADMIN-SBR Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 118.208.168.203 Host Name: ppp118-208-168-203.lns20.bne4.internode.on.net SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 118.208.168.203 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: POST HTTP_REFERER: https://[mydomainname]/wp-admin/user-edit.php?user_id=104387&wp_http_referer=%2Fwp-admin%2Fusers.php%3Forderby%3Dregistered%26order%3Ddesc%26paged%3D2 REQUEST_URI: /wp-admin/user-edit.php QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0 REQUEST BODY: _wpnonce=87a31bbb69&_wp_http_referer=%2Fwp-admin%2Fuser-edit.php%3Fuser_id%3D104387%26wp_http_referer%3D%252Fwp-admin%252Fusers.php%253Forderby%253Dregistered%2526order%253Ddesc%2526paged%253D2&wp_http_referer=%2Fwp-admin%2Fusers.php%3Forderby%3Dregistered%26order%3Ddesc%26paged%3D2&from=profile&checkuser_id=2&color-nonce=5411506b94&admin_color=fresh&admin_bar_front=1&locale=site-default&role=customer&first_name=[FirstnameChanged]&last_name=[LastnameChanged]&nickname=[NicknameChanged]&display_name=[DisplayNameChanged]&email=[EmailChanged]%40gmai
AITpro Admin (Keymaster)
@ bbmedia – What was blocked was the literal string “order” in the Query String. It triggered this wp-admin htaccess SQL Injection Query String rule below to block that POST Request. What is unusual to me is the Request itself. Are you using a particular plugin that handles WP User Accounts in a way that editing a User Account would be done in this way? You can safely comment out this Query String rule for the wp-admin htaccess file and your WP backend without reducing your overall website security by doing the steps below.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
1. Copy the modified wp-admin htaccess code below to this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and click the wp-admin BulletProof Mode Activate button.

# BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
# WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
# Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
bbmedia (Participant)
OK thanks.
I gathered it was essentially a character string issue. As far as I can tell, this is a very typical edit page within WP. Apart from the basic edit screen, Yoast, BackWPup and WooCommerce add their usual sections to the page. Only the WooCommerce billing address contains information, and that is obviously the same for all of the customers we are editing. Happy to provide admin access if you email me an admin email you want me to use, if you wish to view it yourself.
AITpro Admin (Keymaster)
@ bbmedia – Yeah, not a big deal either way. Years ago the BPS wp-admin htaccess file was actually important, but these days it is just a redundant level of security protection. Basically not really that important overall now. 😉
AW (Participant)
Hi BPS
I encountered an error and could not restore wp-config.php, and it keeps on generating a few wp-config.php files.
Error log as below:
[403 POST Request: May 9, 2017 - 2:10 pm] BPS Pro: 12.9.1 WP: 4.7.4 Event Code: WPADMIN-SBR Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/ REMOTE_ADDR: 183.78.63.40 Host Name: 183.78.63.40 SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 183.78.63.40 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: POST HTTP_REFERER: http://pinnaclefc.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/quarantine/quarantine.php QUERY_STRING: page=bulletproof-security/admin/quarantine/quarantine.php HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36 REQUEST BODY: _wpnonce=051b441b9d&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&Submit-ARQ-Quarantine-Radio=Submit
I followed your advice as in the forum above:
___
Advice
Try an admin-ajax.php skip/bypass rule first. It is possible there are several problems going on since the Request URI Query string is a mess. If this code below does not work then I will need to know the name of the plugin or theme that is causing the error.
1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.
Note: The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1]. If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #. Example: If you already have skip #’s 2 and 3 then this rule would be skip rule #4.

# admin-ajax.php skip/bypass rule
RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
RewriteRule . - [S=2]
____
But it doesn’t seem to solve it. For now I have disabled the ARQ while waiting for your guidance.
Thanks
AITpro Admin (Keymaster)
@ AW – I checked your site and you are minifying .js scripts, which is breaking the BPS Pro Plugin Firewall. See the Plugin Firewall forum topic for more detailed help info about either not minifying .js scripts or you can choose not to use the BPS Pro Plugin Firewall feature and leave it deactivated: https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ Do these steps to fix the wp-config.php restore problem:
1. Turn Off AutoRestore.
2. Deactivate the Plugin Firewall.
3. Restore the wp-config.php file from Quarantine.
AW (Participant)
@BPS,
I did as advised below:
@ AW – I checked your site and you are minifying .js scripts, which is breaking the BPS Pro Plugin Firewall. See the Plugin Firewall forum topic for more detailed help info about either not minifying .js scripts or you can choose not to use the BPS Pro Plugin Firewall feature and leave it deactivated: https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ Do these steps to fix the wp-config.php restore problem:
1. Turn Off AutoRestore.
2. Deactivate the Plugin Firewall.
3. Restore the wp-config.php file from Quarantine.
Note:
- I deactivated the Plugin Firewall
- Went to restore the wp-config.php file
- When I clicked submit on the wp-config file, it led to a 403 error page, as noted below:
___
pinnaclefc.com 403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: 183.78.63.78
___
- If it is minify that caused the error, then if I remove the WP Fastest Cache minify settings > replace with the new WP Fastest Cache code in the Custom Code > Root htaccess File Custom Code, and Save
- Then go to Quarantine and restore the wp-config.php (no 403 error?)
- Then go to AutoRestore > Delete Backup Files > then click and recreate backup files
- Then go to B-Core and click > Activate Root Folder BulletProof and Activate Plugin Firewall Folder
Are the steps above correct?
. About minify, isn’t it better speed-wise if minify is used?
. If the Plugin Firewall is deactivated, then what attacks/hacks could the site be vulnerable to?
Looking forward to your reply. For the time being the ARQ is off and wp-config.php (4 of them in the quarantine list, generated automatically by ARQ).
AITpro Admin (Keymaster)
@ AW – Personally I recommend that you do not minify .js scripts. Typically that does not really improve website load speed in my own personal experiences with testing .js minification. So the best option to choose would be to not minify .js scripts and activate the BPS Pro Plugin Firewall. You can of course choose to use .js minification and not activate the Plugin Firewall, but that would decrease your overall website security protection.
AW (Participant)
Hi BPS,
Thanks for your advice as below:
@ AW – Personally I recommend that you do not minify .js scripts. Typically that does not really improve website load speed in my own personal experiences with testing .js minification. So the best option to choose would be to not minify .js scripts and activate the BPS Pro Plugin Firewall. You can of course choose to use .js minification and not activate the Plugin Firewall, but that would decrease your overall website security protection.
I took your advice and removed the minify. Below I copy the new WP Fastest Cache settings for your reference. In addition I will write up the overall progress.
# BEGIN WpFastestCache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www.pinnaclefc.com [NC]
RewriteRule ^(.*)$ http\:\/\/pinnaclefc\.com\/$1 [R=301,L]
# Start WPFC Exclude
# End WPFC Exclude
RewriteCond %{HTTP_HOST} ^pinnaclefc.com
RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot)
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !(\/){2}$
RewriteCond %{REQUEST_URI} \/$
RewriteCond %{QUERY_STRING} !.+
RewriteCond %{HTTP:Cookie} !wordpress_logged_in
RewriteCond %{HTTP:Cookie} !comment_author_
RewriteCond %{HTTP:Cookie} !wp_woocommerce_session
RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil
RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vivaldi|\bCrMo\b|CriOS|Android.*Chrome\/[.0-9]*\s(Mobile)?|\bDolfin\b|Opera.*Mini|Opera.*Mobi|Android.*Opera|Mobile.*OPR\/[0-9.]+|Coast\/[0-9.]+|Skyfire|Mobile\sSafari\/[.0-9]*\sEdge|IEMobile|MSIEMobile|fennec|firefox.*maemo|(Mobile|Tablet).*Firefox|Firefox.*Mobile|bolt|teashark|Blazer|Version.*Mobile.*Safari|Safari.*Mobile|MobileSafari|Tizen|UC.*Browser|UCWEB|baiduboxapp|baidubrowser|DiigoBrowser|Puffin|\bMercury\b|Obigo|NF-Browser|NokiaBrowser|OviBrowser|OneBrowser|TwonkyBeamBrowser|SEMC.*Browser|FlyFlow|Minimo|NetFront|Novarra-Vision|MQQBrowser|MicroMessenger|Android.*PaleMoon|Mobile.*PaleMoon|Android|blackberry|\bBB10\b|rim\stablet\sos|PalmOS|avantgo|blazer|elaine|hiptop|palm|plucker|xiino|Symbian|SymbOS|Series60|Series40|SYB-[0-9]+|\bS60\b|Windows\sCE.*(PPC|Smartphone|Mobile|[0-9]{3}x[0-9]{3})|Window\sMobile|Windows\sPhone\s[0-9.]+|WCE;|Windows\sPhone\s10.0|Windows\sPhone\s8.1|Windows\sPhone\s8.0|Windows\sPhone\sOS|XBLWP7|ZuneWP7|Windows\sNT\s6\.[23]\;\sARM\;|\biPhone.*Mobile|\biPod|\biPad|MeeGo|Maemo|J2ME\/|\bMIDP\b|\bCLDC\b|webOS|hpwOS|\bBada\b|BREW).*$ [NC]
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or]
RewriteCond /home/sabaubew/pinnaclefc.com/wp-content/cache/all/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L]
</IfModule>
<FilesMatch "index\.(html|htm)$">
AddDefaultCharset UTF-8
<ifModule mod_headers.c>
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
</ifModule>
</FilesMatch>
# END WpFastestCache
# BEGIN GzipWpFastestCache
<IfModule mod_deflate.c>
AddType x-font/woff .woff
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
</IfModule>
# END GzipWpFastestCache
PROCESS and PROGRESS that I took, as below.
- I unlocked .htaccess in F-Lock
- Copied the new WP Fastest Cache code and pasted it into B-Core > Custom Code > Root htaccess File Custom Code > Custom Code Top Php > Save
- Then went to Quarantine to restore the 4 files (all wp-config files generated by ARQ)
- When I click Restore in Quarantine, it brings me to a 403 error page, disallowed by BPS
Please advise on the quarantined files and the action that needs to be done. If you would want to log in to my admin, do let me know.
Regards,
Alex
AITpro Admin (Keymaster)
@ AW – Ok, well, most things look good/correct when I check your website. So send me a WP Administrator login to this site so I can figure out why you are still seeing a 403 when trying to restore a file from Quarantine. The login will need to be done between 9am and 11am tomorrow due to the current high workload. 😉
UPDATE: The root problem with the POST Request errors when trying to restore files from Quarantine had to do with a problem on the host server. Most likely a mod_security SecRule/SecFilter that was blocking all BPS Pro POST forms. Detailed info about the exact problem that was occurring was sent to the host and the host fixed whatever was causing the problem.
AW (Participant)
Hello BPS,
Emailed you; take your time, as it is not urgent.
Yeah, thanks man. I believe the settings are quite perfect, as I spent some time downloading your installation and settings guide and re-studying it before I set it up again.
I’d appreciate it if you could add another few inches of knowledge for me when you log in to the website and see whatever other security code I should apply in the BPS settings.
Thanks mate.
Regards,
Alex
bbmedia (Participant)
As of this month, after redoing the BPS prep & setup wizard, the site is again blocking links in Mailchimp emails which include the following added custom user tag: (AUG_2017), with the original URL including ct=t(AUG_2017) as part of the tag. As soon as I remove (AUG_2017) from this URL it works fine.
The strange thing is that before (see this same topic back in May 2017) we already included custom code to remove the following line from the htaccess root and admin to solve this.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
I also noticed your previous comment about minification of CSS and scripts, so I turned off Autoptimize, cleared the cache and disabled the plugin, but that didn’t change anything either.
I included this in both root and admin htaccess custom code. But it no longer seems to have the desired effect. Each time it gives me the
BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice
which tells me to run the prep and setup wizard. No dice. Do I need to do something different now?
NOTE: Every time I run the prep and setup wizard it turns JTC login security for WooCommerce back on. While the “Enable JTC for Woocommerce” checkbox remains unchecked, it adds checks to the checkboxes for the section below: “Check to enable. Uncheck to Disable”, and checks the Login form, Register form and Lost Password form.
This is mighty annoying since, if I forget to turn them off, then we have clients being affected by this and then the client understandably gets dirty with me.
Please fix this.
AITpro Admin (Keymaster)
@ bbmedia – Copy and paste your custom code so I can take a look at it. The JTC login security for Woocommerce checkbox option bug was fixed in BPS Pro 13.2. Upgrade BPS Pro to 13.2.
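Added example (not code from BPS Pro or from anyone in this thread): a small Python script that loads the QUERY_STRING conditions from the BPSQSE block quoted earlier in the thread, with the SQL Injection “order” rule left commented out as recommended, and reports which condition a raw query string trips. It covers both the earlier question (which rule blocked a request, and what commenting one out changes) and the later Mailchimp one: run on a constructed query string of the shape described, ct=t(AUG_2017), the hit comes from the still-active parenthesis filter ^.*(\(|\)|<|>).*, so disabling the SQL Injection rule alone does not let that link through. The sample query strings are constructed, not taken from any real log; conditions on other variables (THE_REQUEST, HTTP_REFERER, HTTP_USER_AGENT, REQUEST_URI) are omitted; and Python's re stands in for Apache's PCRE, which is safe for these particular patterns.

```python
import re

# Constructed copy of the QUERY_STRING conditions from the BPSQSE block quoted in
# this thread. The "order" SQL-injection rule is kept in its commented-out form so
# the parser can show that a '#'-prefixed rule is simply not loaded.
BPSQSE_QUERY_STRING_RULES = r"""
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
#RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
"""

# RewriteCond <variable> <pattern> [flags]  (none of the patterns above contain spaces)
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)\s+\[([^\]]*)\]$")


def parse_conditions(block):
    """Return [(variable, pattern, compiled_regex)] for every active RewriteCond.
    Lines starting with '#' are Apache comments, so a rule disabled the way the
    thread describes drops out of the list entirely."""
    conds = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if not m:
            continue  # the RewriteRule line and anything else not modelled here
        var, pattern, flags = m.groups()
        flag_set = {f.strip().upper() for f in flags.split(",")}
        rx = re.compile(pattern, re.IGNORECASE if "NC" in flag_set else 0)
        conds.append((var, pattern, rx))
    return conds


def matching_conditions(conds, query_string):
    """Patterns that fire for a RAW (still URL-encoded) query string, which is what
    Apache tests %{QUERY_STRING} against. The conditions are chained with [OR], so a
    single hit is enough for the RewriteRule to answer 403 [F]."""
    return [pattern for var, pattern, rx in conds
            if var == "QUERY_STRING" and rx.search(query_string)]


def is_blocked(conds, query_string):
    return bool(matching_conditions(conds, query_string))


CONDS = parse_conditions(BPSQSE_QUERY_STRING_RULES)

# Constructed sample query strings (not taken from any real log).
SAMPLES = {
    # the Mailchimp link shape described in the thread: ct=t(AUG_2017)
    "mailchimp": "utm_source=Newsletter&utm_campaign=aug_news&ct=t(AUG_2017)",
    # the WP user-list sort parameters: the bare word "order" matches nothing
    # once the SQL Injection rule is commented out
    "wp_users_sort": "orderby=registered&order=desc&paged=2",
    # a textbook UNION-based SQL injection probe with the quote URL-encoded
    "sqli_probe": "id=1%27%20union%20all%20select%201,2,3",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        hits = matching_conditions(CONDS, qs)
        print(f"{name:14} {'403' if hits else 'pass':5} {qs}")
        for p in hits:
            print(f"{'':14} hit: {p}")
```

Paste the QUERY_STRING value from a Security Log entry (not the decoded REQUEST_URI) as the argument to decide which single condition to comment out or whether a BPS skip/bypass rule for that URI is the better fix; a query string that matches nothing here was blocked by one of the non-QUERY_STRING conditions or by something outside this block, such as the host's mod_security rules mentioned later in the thread.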