Whitelist Rule: /hello.php

Home Forums BulletProof Security Pro Whitelist Rule: /hello.php

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • July 15, 2015 at 3:39 am #24009
    Hassan Ali
    Participant

    Can someone please explain to me the following log i found in my security log and i checked there is actually a file which exists as a plugin

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 10:47 pm]
Whitelist Rule: /hello.php

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:02 pm]
Whitelist Rule: /hello.php

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:17 pm]
Whitelist Rule: /hello.php

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:33 pm]
Whitelist Rule: /hello.php
    July 15, 2015 at 10:36 am #24015
    AITpro Admin
    Keymaster

    Hmm that is an odd issue/problem that I have not seen before.   What version of BPS Pro do you have installed?  Is the hello.php file the standard Hello Dolly plugin file or is it for another plugin?  If the hello.php is for another plugin then what is that plugin’s name.

    July 16, 2015 at 9:17 pm #24027
    Victor
    Participant

    hello
    To me it’s happening to me as well.
    I have installed the BPS PRO version 10.6

    July 16, 2015 at 10:58 pm #24028
    AITpro Admin
    Keymaster

    @ Victor – Check your BPS Security Log and post the Security Log entry for this.  What I suspect is happening is that this is some sort of hacker probe that is being blocked and AutoPilot Mode is trying to create a whitelist rule for this.  Not really sure since I was not able to recreate this problem.

    July 21, 2015 at 8:15 am #24080
    Victor
    Participant
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 21 julio 2015 - 15:40]
Whitelist Rule: /hello.php

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 21 julio 2015 - 15:55]
Whitelist Rule: /hello.php
    July 21, 2015 at 8:37 am #24090
    AITpro Admin
    Keymaster

    @ Victor – What I am looking for is the Security Log entry for this.  It will look something like this example log entry below. Check your Security Log and look for a Security Log entry that looks like the example I posted.  The key thing to look for is hello.php in one of the Security Log entries.  Once you find the Security Log entry then copy and paste it in your forum reply.

    [403 GET / HEAD Request: July 20, 2015 - 8:56 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 52.8.249.75
Host Name: ec2-52-8-249-75.us-west-1.compute.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /hello.php
QUERY_STRING:
HTTP_USER_AGENT: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
    July 21, 2015 at 9:45 am #24097
    Victor
    Participant
    [403 GET / HEAD Request: 12 junio 2015 - 13:55]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 91.200.13.64
Host Name: dedic336.hidehost.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.kiwinho.com/
REQUEST_URI: /wp-content/plugins/hello.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.66 Safari/535.11
    July 21, 2015 at 9:54 am #24098
    AITpro Admin
    Keymaster

    Perfect.  Thanks.  This is what I expected to see.  So what we will do to prevent this issue/problem from happening is to add another filter to Plugin Firewall AutoPilot Mode for this condition/error log entry.  For now you can either click the Security Log Delete Log button to clear your Security Log file or just ignore this issue/problem.  This issue/problem is not critical or important and is a nuisance issue/problem.  This will be added/done in BPS Pro 10.7.  Thanks.

    IP address:  91.200.13.64 belongs to a known Ukrainian hacker/spammer group/gang.  So this is some sort of probe/recon on the hello.php file.

    July 21, 2015 at 10:22 am #24105
    AITpro Admin
    Keymaster

    What is important to note is that a Plugin Firewall whitelist rule is NOT actually being created by the Plugin Firewall AutoPilot Mode for the hello.php file so it is still protected.  The nuisance is that AutoPilot Mode is attempting to process this Security Log entry over and over, but will not actually create a whitelist rule for the hello.php file since that would allow external access to that file.  A new AutoPilot Mode filter has been added and tested working for this nuisance issue/problem.  We will upload a new BPS Pro zip file with this BugFix at 1pm today if you would like to download it from the AIT-pro.com BPS Pro Secure Download Area and install it using the BPS Pro Upload Zip installer.  Or you can just ignore this nuisance issue/problem until BPS Pro 10.7 is released.

    July 21, 2015 at 11:45 am #24117
    AITpro Admin
    Keymaster

    A new BPS Pro zip file with this BugFix is available for download and installation if you would like to download it from the AIT-pro.com BPS Pro Secure Download Area.  Use the BPS Pro Upload zip installer to install the new zip file.  The BPS Pro Upload zip installer is under the BPS Pro Setup Main menu.

    July 24, 2015 at 8:13 pm #24171
    Victor
    Participant

    thanks

    March 25, 2017 at 2:20 pm #32801
    JohnS168
    Participant

    Hi,

    I know you put this issue to bed a while ago but the nuisance with AutoPilot Mode seems to be back with the latest version.   Hacker attempt is blocked but autopilot thinks it needs to add a whitelist rule.  I realize that no rule is actually created but the notice creates a concern.  Just thought I would let you know so it could be addressed in the next version.

    Thanks

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: March 25, 2017 - 7:54 am]
BPS Pro: 12.8
WP: 4.7.3
Whitelist Rule: /myshe.php

[403 POST Request: March 25, 2017 - 7:42 am]
BPS Pro: 12.8
WP: 4.7.3
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 188.165.221.42
Host Name: ns345300.ip-188-165-221.eu
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://mysite.com/plus/mytag_js.php?aid=9527
REQUEST_URI: /wp-content/plugins/myshe.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
REQUEST BODY: h=@eval(get_magic_quotes_gpc()?stripslashes($_POST[chr(122).chr(48)]):$_POST[chr(122).chr(48)]);&z0=603403%3b%40ini_set(%22display_errors%22%2c%220%22)%3b%40set_time_limit(0)%3b%40set_magic_quotes_runtime(0)%3becho(%22-%3e%7c%22)%3b%3b%24D%3ddirname(%24_SERVER%5b%22SCRIPT_FILENAME%22%5d)%3bif(%24D%3d%3d%22%22)%24D%3ddirname(%24_SERVER%5b%22PATH_TRANSLATED%22%5d)%3b%24root%3disset(%24_SERVER%5b%27DOCUMENT_ROOT%27%5d)%3f%24_SERVER%5b%27DOCUMENT_ROOT%27%5d%3a(isset(%24_SERVER%5b%27APPL_PHYSICAL_PAT
    March 25, 2017 at 2:30 pm #32802
    AITpro Admin
    Keymaster

    @ JohnS168 – Yep we are aware of these types of nuisance AutoPilot log entries and are working on a fix for this.

  • Author
    Posts
Viewing 13 posts - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.