Website Security Protection – Upgrade to BPS Pro During an Attack

    #19273
    Julia
    Participant

    My site is currently being constantly besieged by this low-level attack. At least I guess it is low level; I am not sure what they are trying to accomplish. Here is one example – my security log fills up about once an hour.

    My question is – what happens if I upgrade to Pro while this is going on, since there will be a gap of 30 seconds or more from removing the free version until Pro is installed? If there is a risk, how can I address it?

    Here is an example of an entry in the log:

    [403 GET / HEAD Request: November 19, 2014 7:20 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 24.68.69.39
    Host Name: S010690b134fc3e83.gv.shawcable.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.meditateinvictoria.org/
    REQUEST_URI: /wp-content/themes/infocus/lib/scripts/timthumb/thumb.php?src=http://meditatevancouverisland.org/wp-content/uploads/2014/10/Kids-Class-Banner.jpg&w=960&h=340&zc=1&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

    Thanks
    Julia

    #19275
    AITpro Admin
    Keymaster

    This does not look like an attack and instead looks like this site: meditateinvictoria.org is trying to retrieve an image file from this site: meditatevancouverisland.org. The way the image file is being retrieved simulates an RFI hacking attempt. If meditatevancouverisland.org is your website, which it appears to be since the domain names are very similar, then you would just need to whitelist the meditatevancouverisland.org domain to allow this type of image retrieval.

    1. Copy the modified (your domains have been added to the code below) TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE code below to this BPS Root Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*(meditateinvictoria.org|meditatevancouverisland.org).*
    RewriteRule . - [S=1]

    #19277
    AITpro Admin
    Keymaster

    And yes, if your site is under attack, which is pretty much a constant thing for all websites these days on the Internet, then upgrading from BPS free to Pro does not remove your website security protection during the upgrade from free to Pro.
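
Added example, not part of the thread and not BPS code: a small triage script for log entries in the layout shown in the first post, which separates blocked thumbnail requests whose `src=` points at a domain you own from those pointing at an unknown remote host. The sample log, the addresses, the allowlist and all function names are constructed for illustration; it keys on the `src` host rather than `HTTP_REFERER` because the referer is supplied by the client.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the security-log layout from the first post.
SAMPLE_LOG = """\
[403 GET / HEAD Request: November 19, 2014 7:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 192.0.2.10
HTTP_REFERER: http://www.example.org/
REQUEST_URI: /wp-content/themes/t/thumb.php?src=http://media.example.net/uploads/banner.jpg&w=960&h=340

[403 GET / HEAD Request: November 19, 2014 7:25 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 198.51.100.7
HTTP_REFERER:
REQUEST_URI: /wp-content/themes/t/timthumb.php?src=http://unknown.example.com/x.php
"""

# Same script names the whitelist rule in the thread matches on.
THUMB_SCRIPT = re.compile(r"/(timthumb|phpthumb|thumbs?)\.php$", re.I)

def parse_entries(text):
    """Split the log on blank lines; return one {field: value} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines()[1:]:      # skip the "[403 ...]" header line
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def host_allowed(host, allowed):
    """Exact host or subdomain match only; substring look-alikes are rejected."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def classify(entry, allowed):
    """Label one blocked request by where its thumbnail src parameter points."""
    uri = urlsplit(entry.get("REQUEST_URI", ""))
    if not THUMB_SCRIPT.search(uri.path):
        return "not-thumbnail"
    src = parse_qs(uri.query).get("src", [""])[0]
    src_host = urlsplit(src).hostname
    if src_host is None:                         # relative or empty src
        return "local-src"
    return "own-domain-src" if host_allowed(src_host, allowed) else "unknown-remote-src"
```

Entries labelled `own-domain-src` are the candidates for the whitelist change described in the reply; `unknown-remote-src` entries are the ones the RFI rule is meant to keep blocking.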
