Security Log Event Codes


This topic contains 78 replies, has 16 voices, and was last updated by AITpro Admin 2 weeks, 1 day ago.

Viewing 15 posts - 61 through 75 (of 79 total)
    #33780

    bbmedia
    Participant

    It is version 13.2, this site is always updated the day updates become available.

    As mentioned in the above post…
    “The strange thing is that before (see this same topic back in May 2017) we already included custom code to remove the following line from the htaccess root and admin to solve this.”
    …It is the same code as that. I’ll paste it again.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    

    Whereas before it seemed to solve the issue, it no longer does. I have this in both root and wp-admin sections.

    #33782

    AITpro Admin
    Keymaster

    @ bbmedia – Do these steps in this exact order.  This is a one-time fix that will be saved permanently after doing these steps.

    1. Delete your custom code in this Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Delete your custom code in this wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    4. Click the Save wp-admin Custom Code button.
    5. Run the Pre-Installation Wizard and Setup Wizard again.  Note:  I have confirmed that there is a bug with the Setup Wizard JTC option settings that is rechecking the JTC Form checkboxes on Wizard re-runs.  So you will need to uncheck the JTC Form checkboxes again.
    6. Edit your new custom code that was created by Setup Wizard AutoFix in this Custom Code text box:   12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS and delete this code:  “|order”.
    7. Click the Save Root Custom Code button.
    8. Edit your new custom code that was created by Setup Wizard AutoFix in this Custom Code text box:  4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS and delete this code:  “|order”.

    Important Note:  If Setup Wizard AutoFix does not create new custom code in this Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS then go to the BPS htaccess File Editor page> click the “Your Current wp-admin htaccess File” tab > scroll down in the file contents > copy the entire block of BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS htaccess code into the 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS and delete this code: “|order”.

    9. Click the Save wp-admin Custom Code button.
    10. Go to the Security Modes page and click the Root and wp-admin BulletProof Mode Activate buttons.

    The Setup Wizard JTC Form checkbox setting bug will be fixed in BPS Pro 13.3.

    #33858

    bbmedia
    Participant

    I did this to the letter but it hasn’t worked. Still getting the same 403 error from our Mailchimp emailout links which include (OurChosenCampaignTitle) in the link for tracking purposes. I ended up uninstalling the plugin and started it from scratch again. Checked the custom code that the 2-step Setup Wizard process made and removed the |order as discussed, and when that didn’t work I even removed the whole line:
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
    but that didn’t work either.

    #33862

    AITpro Admin
    Keymaster

    @ bbmedia – The code you posted above is not related to round bracket code characters: ( and ). Not sure why Setup Wizard AutoFix is not automatically fixing the mailchimp issue on your particular website. I just retested AutoFix on a test site with mailchimp installed and AutoFix worked perfectly. You can of course do this manually instead by doing the steps in this forum topic: https://forum.ait-pro.com/forums/topic/mailchimp-tracking-code-causing-403/#post-13778

    Note: If your mailchimp links are sending someone to your wp-admin URI then you may need to also remove round bracket code characters: ( and ) from the wp-admin htaccess file Query String Exploits code and save it in BPS wp-admin Custom Code. That is not likely going to be needed, but it is possible depending on what types of mailchimp links you are sending to people.

    Also I wanted to point out that the “order” fix is done in your wp-admin Query String Exploits htaccess file/code for a different issue/problem and not your root Query String Exploits htaccess file/code.  The wp-admin and root Query String Exploits htaccess file/code is not interchangeable.  They are slightly different.  So you need to use the standard BPS root or wp-admin Query String Exploits htaccess file/code depending on which BPS htaccess file you are adding whitelisting/rules to. Make sure you are using the correct wp-admin or root file Query String Exploits code for each separate issue/problem.

    #33883

    bbmedia
    Participant

    thanks.

    OK I’ll put it back. So which is the code relating to ( and ) ?

    Yes, the user is being taken to my-account (which probably invokes wp-admin folder stuff) and it includes ( and )

    And no, none of these fixes are working on it. I have had to deactivate both Root and Admin firewalls at the moment because the client is running a Mailchimp campaign. Not a good solution. I need to get the firewalls back up and running.

    I will continue testing on the dev server to see if I can get the appropriate code.

    #33884

    AITpro Admin
    Keymaster

    @ bbmedia – You also want to check to see if any other dangerous code characters are being used in email URLs such as the apostrophe/single quote code character ' which is the #1 most dangerous code character to use in URLs. Round brackets ( and ) are in the top 10 most dangerous code characters to use in URLs. By default WordPress strips out dangerous code characters from URLs: ' and ( and ) and < and >, etc.

    Root htaccess file code:  RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    wp-admin htaccess file code:  RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]

    You can just not use any of the BPS Query String Exploits code by adding this in the appropriate root and wp-admin Custom Code text boxes:

    Note: basically by doing this you are allowing all/any dangerous code characters to be used in URL’s
    wp-admin Query String Exploits htaccess code:

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    root Query String Exploits htaccess code:

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

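
As an added illustration (not code from this thread or from the BPS plugin) of how the root Query String Exploits rules quoted above decide whether a campaign link gets a 403, the Python below replays a few of the page's patterns against sample links, once with the default round bracket rule and once with `\(|\)` removed. The rule lists and sample URLs are constructed assumptions, and Python's `re` stands in for Apache's PCRE engine.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the BPS root rules quoted in this thread (assumption: the
# patterns are copied as-is). Apache tests %{QUERY_STRING} undecoded, so patterns
# see the raw string; [NC] maps to re.IGNORECASE and every condition is [OR]-chained
# into a single RewriteRule ... [F], so one match anywhere means 403.
DEFAULT_ROOT_RULES = [
    r"^.*(\(|\)|<|>|%3c|%3e).*",           # round brackets and angle brackets
    r"(<|%3C).*script.*(>|%3E)",           # script tag
    r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)",  # directory traversal
    r"(sp_executesql)",
]

# The whitelisted variant this thread arrives at: "\(|\)" removed so that
# tracking links may carry ( and ) while every other filter stays in force.
BRACKETS_ALLOWED_RULES = [r"^.*(<|>|%3c|%3e).*"] + DEFAULT_ROOT_RULES[1:]


def is_blocked(url: str, rules) -> bool:
    """True if any rule matches the raw query string, i.e. Apache would answer 403."""
    query = urlsplit(url).query
    return any(re.search(pattern, query, re.IGNORECASE) for pattern in rules)


def check_links(urls, rules):
    """Map each URL to a verdict so a campaign's links can be audited before sending."""
    return {url: ("403" if is_blocked(url, rules) else "ok") for url in urls}


# Constructed sample links: a Mailchimp-style tracking link with round brackets,
# plus two probes that the relaxed rule set must still refuse.
SAMPLE_LINKS = [
    "https://example.com/my-account/?utm_campaign=(OurChosenCampaignTitle)&utm_medium=email",
    "https://example.com/?s=<script>alert(1)</script>",
    "https://example.com/?file=../../etc/passwd",
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_ROOT_RULES), ("brackets allowed", BRACKETS_ALLOWED_RULES)):
        print(name)
        for url, verdict in check_links(SAMPLE_LINKS, rules).items():
            print(f"  {verdict:4} {url}")
```

Running it shows the tracking link is refused only under the default rule set, while the script and traversal probes are refused under both.
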
    #33885

    bbmedia
    Participant

    Damn forum logged me out after only 6 hours. Wasted 10 minutes typing up an answer prior to yours and now I’ve lost it.

    Nutshell, as I can’t be bothered re-writing it in full. Nothing I did on the live server helped – after each setup attempt it continued to show the alert saying I should run pre-wizard/setup again even after immediately running it and also refreshing the page – maybe that was just caching.

    But got Dev server working with the Mailchimp link so I’ve copied the stuff from there to the Live server.

    Problem solved.

    #33886

    bbmedia
    Participant

    #33887

    AITpro Admin
    Keymaster

    Great!  And yep I only see the round bracket dangerous code characters used in that URL and not any other dangerous code characters.

    #35322

    Felipe Araneda
    Participant

    Hi everyone,

    I was trying to resolve the problem by my own (using the information available in this forum). However, I still get same message:

    [403 POST Request: January 31, 2018 8:56 pm]
    BPS: 2.9
    WP: 4.7.9
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xx.xxx.xx
    Host Name: someting-something
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 190.45.141.132
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.genericwebsite.com/wp-admin/post.php?post=605&action=edit
    REQUEST_URI: /wp-admin/post.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
    REQUEST BODY: _wpnonce=34f272b6c8&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D605%26action%3Dedit&user_ID=3&action=editpost&originalaction=editpost&post_author=1&post_type=page&original_post_status=publish&referredby=http%3A%2F%2Fwww.revistacontenido.com%2Fwp-admin%2Fedit.php%3Fpost_type%3Dpage%26orderby%3Ddate%26order%3Ddesc&_wp_original_http_referer=http%3A%2F%2Fwww.revistacontenido.com%2Fwp-admin%2Fedit.php%3Fpost_type%3Dpage%26orderby%3Ddate%26order%3Ddesc&post_ID=605&meta-box-order-nonce=416956ff1e&

    What should I do?

    Any information you can provide me would be greatly appreciated.

    Regards,

    F.

    #35323

    AITpro Admin
    Keymaster

    @ Felipe Araneda – Try creating a wp-admin Custom Code whitelist rule for the post.php file.

    1. Add the post.php skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.

    # post.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (post\.php) [NC]
    RewriteRule . - [S=2]

    #35540

    Bub
    Participant

    So I got “[BPS Pro Plugin Deactivated: March 28, 2018 – 3:02 am]
    This Security Log entry is created when the BPS Pro plugin is deactivated. An email alert is also sent to you when the BPS Pro plugin is deactivated.” and a quarantined php_mail.log and no email sent to me in the middle of the night without my interaction. Anybody have any idea as to what this might mean?

    #35541

    Bub
    Participant

    I did get an email: “The BPS Pro plugin has been deactivated on website: https://...........” although BPS does not actually seem to be deactivated. What would cause BPS to be indicated as deactivated?

    #35542

    AITpro Admin
    Keymaster

    @ Bub – A logical guess is that your web host was doing some sort of MySQL DB and/or PHP server work (MySQL/PHP migration, MySQL/PHP upgrade, etc.) during the middle of the night.  2 things suggest this as a very likely possibility.  #1 the time this occurred:  server admins usually schedule major upgrades, etc. during the lowest customer usage times.  #2 the php_mail.log was changed, which probably indicates a change to something regarding your PHP server.

    You can create an AutoRestore single file exclude rule for the php_mail.log file so that it is not checked by AutoRestore|Quarantine.

    1. Go to AutoRestore and turn Off AutoRestore.
    2. Go to Quarantine and restore the php_mail.log file from Quarantine.
    3. Go to AutoRestore > Add|Exclude Other Folders & Files tab > under Exclude Folders & Files > select Exclude An Individual File > Enter an Exclude Folder or File Path in the text box (you can get that path from your Quarantine Log) and click the Exclude button.
    4. Turn AutoRestore back On.

    Other Help Info:  AutoRestore|Quarantine Exclude Folders & Files Video Tutorial:  http://forum.ait-pro.com/video-tutorials/#autorestore-quarantine

    #35543

    AbZu2
    Participant

    Great support
