Security Log Event Codes


This topic contains 78 replies, has 16 voices, and was last updated by  AITpro Admin 2 months, 1 week ago.

Viewing 15 posts - 46 through 60 (of 79 total)
    #31746

    AbZu2
    Participant

    GREAT. Thanks. That did the trick. Very appreciative of the excellent and rapid response.

    #33099

    bbmedia
    Participant

    Interesting case…

    We were updating passwords for some new users and found that one password 4$nub(WvHytinC@%@C)1vK2T was being blocked by the htaccess firewall. I have changed personal details but left the log entry otherwise exact. Other passwords obviously had no issues and on editing this password to 4nubWvHytinC@C1vK2T the edit worked fine.

    [403 POST Request: April 27, 2017 - 12:14 pm]
    BPS Pro: 12.9.1
    WP: 4.7.4
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 118.208.168.203
    Host Name: ppp118-208-168-203.lns20.bne4.internode.on.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 118.208.168.203
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://[mydomainname]/wp-admin/user-edit.php?user_id=104387&wp_http_referer=%2Fwp-admin%2Fusers.php%3Forderby%3Dregistered%26order%3Ddesc%26paged%3D2
    REQUEST_URI: /wp-admin/user-edit.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0
    REQUEST BODY: _wpnonce=87a31bbb69&_wp_http_referer=%2Fwp-admin%2Fuser-edit.php%3Fuser_id%3D104387%26wp_http_referer%3D%252Fwp-admin%252Fusers.php%253Forderby%253Dregistered%2526order%253Ddesc%2526paged%253D2&wp_http_referer=%2Fwp-admin%2Fusers.php%3Forderby%3Dregistered%26order%3Ddesc%26paged%3D2&from=profile&checkuser_id=2&color-nonce=5411506b94&admin_color=fresh&admin_bar_front=1&locale=site-default&role=customer&first_name=[FirstnameChanged]&last_name=[LastnameChanged]&nickname=[NicknameChanged]&display_name=[DisplayNameChanged]&email=[EmailChanged]%40gmai

    #33100

    AITpro Admin
    Keymaster

    @ bbmedia – What was blocked was the literal string “order” in the Query String.  It triggered this wp-admin htaccess SQL Injection Query String rule below to block that POST Request.  What is unusual to me is the Request itself.  Are you using a particular plugin that handles WP User Accounts in a way that editing a User Account would be done in this way? You can safely comment out this Query String rule for the wp-admin htaccess file and your WP backend without reducing your overall website security by doing the steps below.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    1. Copy the modified wp-admin htaccess code below to this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and click the wp-admin BulletProof Mode Activate button.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    #33101

    bbmedia
    Participant

    OK thanks.
    Gathered it was essentially a character string issue.

    As far as I can tell this is a very typical edit page within WP. Apart from the basic edit screen, Yoast, BackWPup and Woocommerce add their usual sections to the page. Only the Woocommerce billing address contains information, and that is obviously the same for all of the customers we are editing. Happy to provide admin access if you email me an admin email you want me to use, if you wish to view it yourself.

    #33102

    Pako
    Participant

    .

    #33103

    AITpro Admin
    Keymaster

    @ bbmedia – Yeah, not a big deal either way.  Years ago the BPS wp-admin htaccess file was actually important, but these days it is just a redundant level of security protection.  Basically not really that important overall now. 😉

    #33158

    AW
    Participant

    Hi BPS

    ERROR encountered and I could not restore the WP-Config, and it keeps on generating a few WP-config files.

    Error Log as below

    [403 POST Request: May 9, 2017 - 2:10 pm]
    BPS Pro: 12.9.1
    WP: 4.7.4
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 183.78.63.40
    Host Name: 183.78.63.40
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 183.78.63.40
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://pinnaclefc.com/wp-admin/admin.php?page=bulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php
    REQUEST_URI: /wp-admin/admin.php?page=bulletproof-security/admin/quarantine/quarantine.php
    QUERY_STRING: page=bulletproof-security/admin/quarantine/quarantine.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36
    REQUEST BODY: _wpnonce=051b441b9d&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbulletproof-security%2Fadmin%2Fquarantine%2Fquarantine.php&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&qradio%5B%2Fhome%2Fsabaubew%2Fpinnaclefc.com%2Fwp-config.php%5D=restorefile&Submit-ARQ-Quarantine-Radio=Submit

    I followed your advice as in the forum above

    ___

    Advice

    Try an admin-ajax.php skip/bypass rule first.  It is possible there are several problems going on since the Request URI Query string is a mess. If this code below does not work then I will need to know the name of the plugin or theme that is causing the error.

    1. Add the admin-ajax.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    Note:  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].  If you have other wp-admin skip/bypass rules already then either combine them or add this skip/bypass rule separately above the other rules and change the skip #.  Example:  If you already have skip #’s 2 and 3 then this rule would be skip rule #4.
    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

    ____

    But it doesn't seem to solve it. Now I have disabled the ARQ while waiting for your guide.
    Thanks

    #33159

    AITpro Admin
    Keymaster

    @ AW – I checked your site and you are minifying .js scripts, which is breaking the BPS Pro Plugin Firewall.  See the Plugin Firewall forum topic for more detailed help info about either not minifying .js scripts or you can choose not to use the BPS Pro Plugin Firewall feature and leave it deactivated:   https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ Do these steps to fix the wp-config.php restore problem:

    1. Turn Off AutoRestore.
    2. Deactivate the Plugin Firewall.
    3. Restore the wp-config.php file from Quarantine.

    #33163

    AW
    Participant

    @BPS,

    I did as advised below

    @ AW – I checked your site and you are minifying .js scripts, which is breaking the BPS Pro Plugin Firewall.  See the Plugin Firewall forum topic for more detailed help info about either not minifying .js scripts or you can choose not to use the BPS Pro Plugin Firewall feature and leave it deactivated:   https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/ Do these steps to fix the wp-config.php restore problem:

    1. Turn Off AutoRestore.
    2. Deactivate the Plugin Firewall.
    3. Restore the wp-config.php file from Quarantine.

    Note:

    1. I deactivated the plugin firewall
    2. Went to restore the wp-config.php file
    3. When I click submit for the wp-config file, it leads to a 403 error page, as below:

    pinnaclefc.com 403 Forbidden Error Page
    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
    IP Address: 183.78.63.78

    ___

    • If it is minify that caused the error, then I remove the WP Fastest Cache minify settings, replace with the new WP Fastest Cache code in Custom Code > Root htaccess File Custom Code, and Save
    • Then go to Quarantine and restore the wp-config.php (no 403 error?)
    • Then go to AutoRestore > Delete Backup Files > then click and recreate backup files
    • Then go to B-Core and click > Activate Root Folder BulletProof Mode and Activate Plugin Firewall

    Are the steps above correct?
    • About minify, isn't it better speed-wise if minify is used?
    • If the Plugin Firewall is deactivated, then what attacks/hacks could the site be vulnerable to?

    Looking forward to your reply; for the time being the ARQ is off and WP-config (4 of them in the quarantine list, generated automatically by ARQ)

    Web-
    http://pinnaclefc.com

    #33164

    AITpro Admin
    Keymaster

    @ AW – Personally I recommend that you do not minify .js scripts.  Typically that does not really improve website load speed in my own personal experiences with testing .js minification.  So the best option to choose would be to not minify .js scripts and activate the BPS Pro Plugin Firewall.  You can of course choose to use .js minification and not activate the Plugin Firewall, but that would decrease your overall website security protection.

    #33165

    AW
    Participant

    Hi BPS,

    Thanks for your advice as below:

    @ AW – Personally I recommend that you do not minify .js scripts.  Typically that does not really improve website load speed in my own personal experiences with testing .js minification.  So the best option to choose would be to not minify .js scripts and activate the BPS Pro Plugin Firewall.  You can of course choose to use .js minification and not activate the Plugin Firewall, but that would decrease your overall website security protection.

    I took your advice and removed the minify. Below I copy the new WP Fastest Cache settings for your reference. In addition I will write the overall progress.

    # BEGIN WpFastestCache
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} ^www.pinnaclefc.com [NC]
    RewriteRule ^(.*)$ http\:\/\/pinnaclefc\.com\/$1 [R=301,L]
    # Start WPFC Exclude
    # End WPFC Exclude
    RewriteCond %{HTTP_HOST} ^pinnaclefc.com
    RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot)
    RewriteCond %{REQUEST_METHOD} !POST
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} !(\/){2}$
    RewriteCond %{REQUEST_URI} \/$
    RewriteCond %{QUERY_STRING} !.+
    RewriteCond %{HTTP:Cookie} !wordpress_logged_in
    RewriteCond %{HTTP:Cookie} !comment_author_
    RewriteCond %{HTTP:Cookie} !wp_woocommerce_session
    RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil
    RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Vivaldi|\bCrMo\b|CriOS|Android.*Chrome\/[.0-9]*\s(Mobile)?|\bDolfin\b|Opera.*Mini|Opera.*Mobi|Android.*Opera|Mobile.*OPR\/[0-9.]+|Coast\/[0-9.]+|Skyfire|Mobile\sSafari\/[.0-9]*\sEdge|IEMobile|MSIEMobile|fennec|firefox.*maemo|(Mobile|Tablet).*Firefox|Firefox.*Mobile|bolt|teashark|Blazer|Version.*Mobile.*Safari|Safari.*Mobile|MobileSafari|Tizen|UC.*Browser|UCWEB|baiduboxapp|baidubrowser|DiigoBrowser|Puffin|\bMercury\b|Obigo|NF-Browser|NokiaBrowser|OviBrowser|OneBrowser|TwonkyBeamBrowser|SEMC.*Browser|FlyFlow|Minimo|NetFront|Novarra-Vision|MQQBrowser|MicroMessenger|Android.*PaleMoon|Mobile.*PaleMoon|Android|blackberry|\bBB10\b|rim\stablet\sos|PalmOS|avantgo|blazer|elaine|hiptop|palm|plucker|xiino|Symbian|SymbOS|Series60|Series40|SYB-[0-9]+|\bS60\b|Windows\sCE.*(PPC|Smartphone|Mobile|[0-9]{3}x[0-9]{3})|Window\sMobile|Windows\sPhone\s[0-9.]+|WCE;|Windows\sPhone\s10.0|Windows\sPhone\s8.1|Windows\sPhone\s8.0|Windows\sPhone\sOS|XBLWP7|ZuneWP7|Windows\sNT\s6\.[23]\;\sARM\;|\biPhone.*Mobile|\biPod|\biPad|MeeGo|Maemo|J2ME\/|\bMIDP\b|\bCLDC\b|webOS|hpwOS|\bBada\b|BREW).*$ [NC]
    RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or]
    RewriteCond /home/sabaubew/pinnaclefc.com/wp-content/cache/all/$1/index.html -f
    RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L]
    </IfModule>
    <FilesMatch "index\.(html|htm)$">
    AddDefaultCharset UTF-8
    <ifModule mod_headers.c>
    FileETag None
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
    </ifModule>
    </FilesMatch>
    # END WpFastestCache
    # BEGIN GzipWpFastestCache
    <IfModule mod_deflate.c>
    AddType x-font/woff .woff
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
    </IfModule>
    # END GzipWpFastestCache

    PROCESS and PROGRESS that I took as below.

    1. I unlocked .htaccess in F-Lock
    2. Copied the new WP Fastest Cache code and pasted it into B-Core > Custom Code > Root htaccess File Custom Code > Custom Code Top Php > Save
    3. Then went to Quarantine and restored the 4 files (all WP-config generated by ARQ)
    4. When I click Restore in Quarantine, it brings me to a 403 error page, disallowed by BPS

    Please advise on the quarantine files and action needed to be done. If you would want to login my admin, do let me know.

    Regards,
    Alex

    #33166

    AITpro Admin
    Keymaster

    @ AW – Ok well most things look good/correct when I check your website.  So send me a WP Administrator login to this site so I can figure out why you are still seeing a 403 when trying to restore a file from Quarantine.  The login will need to be done between 9am to 11am tomorrow due to current high workload.  😉

    UPDATE:  The root problem with the POST Request errors when trying to restore files from Quarantine had to do with a problem on the host server.  Most likely a mod_security SecRule/SecFilter that was blocking all BPS Pro POST forms.  Detailed info about the exact problem that was occurring was sent to the host and the host fixed whatever was causing the problem.

    #33167

    AW
    Participant

    Hello BPS,

    Emailed to you, take your time as not urgent.

    Yeh thanks man. I believe the settings are quite perfect, as I spent some time downloading your installation and setting guide and re-studying it before I set it again.

    Appreciate it if you could add another few inches of knowledge for me when you login to the website and see whatever other security code I should apply in the BPS settings.

    Thanks mate.

    Regards,

    Alex

    #33775

    bbmedia
    Participant

    As of this month after redoing the BPS prep & setup wizard the site is again blocking links in Mailchimp emails which include the following added custom user tag: (AUG_2017), with the original URL including ct=t(AUG_2017) as part of the tag.  As soon as I remove (AUG_2017) from this URL it works fine.

    The strange thing is that before (see this same topic back in May 2017) we already included custom code to remove the following line from the htaccess root and admin to solve this.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    I also noticed your previous comment about minification of css and scripts, so I turned off Autoptimize, cleared the cache and disabled the plugin, but that didn’t change anything either.

    I included this in both root and admin htaccess custom code. But it no longer seems to have the desired effect. Each time it gives me the
    BPS Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) Notice
    which tells me to run the prep and setup wizard. No dice.

    Do I need to do something different now?

    NOTE: Every time I run the prep and setup wizard it turns JTC login security for Woocommerce back on. While the “Enable JTC for Woocommerce” remains unchecked, it added checks to the checkboxes for the section below: “Check to enable. Uncheck to Disable” and checks the Login form, Register form and Lost Password form.

    This is mightily annoying since, if I forget to turn them off, then we have clients being affected by this and then the client understandably gets dirty with me.

    Please fix this.
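
    To see which of the posted BPSQSE QUERY_STRING conditions fires first for a given query string (the "order" edit in #33100 and the Mailchimp ct=t(AUG_2017) link above), here is an added Python evaluator; it is not part of this thread or of BPS. It copies a subset of the conditions verbatim from the block posted in #33100, replays Apache's top-to-bottom [OR] evaluation with Python's re module standing in for Apache's PCRE, and lets you toggle the combined special-character + SQL-keyword condition that the admin commented out. The rule labels and the sample query strings are my own.

```python
import re

# Subset of the BPSQSE QUERY_STRING conditions copied verbatim from the block
# posted in #33100, in their original order. Apache walks an [OR] chain top to
# bottom and stops at the first condition that matches; [NC] means
# case-insensitive. The pattern is applied to the raw, undecoded query string.
# Entries: (label chosen here, pattern as posted, case_insensitive)
RULES = [
    ("remote url in a parameter", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("directory traversal",
     r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("script tag", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("base64 en/decode call", r"base64_(en|de)code[^(]*\([^)]*\)", True),
    ("GLOBALS override", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("parentheses or angle brackets", r"^.*(\(|\)|<|>).*", True),
    ("loopback reference", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("quote, angle bracket or control char", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
    ("union select", r"union([^s]*s)+elect", True),
    # The condition the admin commented out in the modified wp-admin block.
    ("special char followed by SQL keyword",
     r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)""",
     True),
    ("sp_executesql", r"(sp_executesql)", True),
]
SQLI_KEYWORD_RULE = "special char followed by SQL keyword"


def first_matching_rule(query_string, include_sqli_keyword_rule=True):
    """Return the label of the first condition that matches, or None.

    include_sqli_keyword_rule=False mimics the modified block in which the
    combined special-character + SQL-keyword condition is commented out.
    """
    for label, pattern, nocase in RULES:
        if label == SQLI_KEYWORD_RULE and not include_sqli_keyword_rule:
            continue
        flags = re.IGNORECASE if nocase else 0
        # RewriteCond is an unanchored match, so re.search rather than re.match.
        if re.search(pattern, query_string, flags):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample query strings; the first two mirror values quoted in the thread.
    samples = [
        "ct=t(AUG_2017)",                          # Mailchimp campaign tag
        "orderby=registered&order=desc&paged=2",   # wp-admin users.php sort
        "sort=1;order=2",                          # only the commented-out rule catches this
        "id=1%20union%20select%201",
        "",                                        # the user-edit.php POST had an empty query string
    ]
    for qs in samples:
        full = first_matching_rule(qs)
        trimmed = first_matching_rule(qs, include_sqli_keyword_rule=False)
        print(f"{qs!r:42} full block: {full!s:38} rule commented out: {trimmed}")
```

    Running it shows that the Mailchimp tag is caught by the parentheses condition, which is not the one commented out, so removing only the SQL-keyword condition does not change that result.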

    #33776

    AITpro Admin
    Keymaster

    @ bbmedia – Copy and paste your custom code so I can take a look at it.  The JTC login security for Woocommerce checkbox option bug was fixed in BPS Pro 13.2.  Upgrade BPS Pro to 13.2.
