Whitelist Rule: /hello.php


This topic contains 12 replies, has 4 voices, and was last updated by  AITpro Admin 1 year, 3 months ago.

  • #24009

    Hassan Ali
    Participant

    Can someone please explain to me the following log I found in my security log? I checked and there is actually a file which exists as a plugin.

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 10:47 pm]
    Whitelist Rule: /hello.php
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:02 pm]
    Whitelist Rule: /hello.php
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:17 pm]
    Whitelist Rule: /hello.php
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:33 pm]
    Whitelist Rule: /hello.php
    
    #24015

    AITpro Admin
    Keymaster

    Hmm, that is an odd issue/problem that I have not seen before. What version of BPS Pro do you have installed? Is the hello.php file the standard Hello Dolly plugin file or is it for another plugin? If the hello.php is for another plugin then what is that plugin’s name?

    #24027

    Victor
    Participant

    Hello,
    It’s happening to me as well.
    I have installed the BPS PRO version 10.6.

    #24028

    AITpro Admin
    Keymaster

    @ Victor – Check your BPS Security Log and post the Security Log entry for this.  What I suspect is happening is that this is some sort of hacker probe that is being blocked and AutoPilot Mode is trying to create a whitelist rule for this.  Not really sure since I was not able to recreate this problem.

    #24080

    Victor
    Participant

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 21 julio 2015 - 15:40]
    Whitelist Rule: /hello.php
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 21 julio 2015 - 15:55]
    Whitelist Rule: /hello.php
    
    #24090

    AITpro Admin
    Keymaster

    @ Victor – What I am looking for is the Security Log entry for this.  It will look something like this example log entry below. Check your Security Log and look for a Security Log entry that looks like the example I posted.  The key thing to look for is hello.php in one of the Security Log entries.  Once you find the Security Log entry then copy and paste it in your forum reply.

    [403 GET / HEAD Request: July 20, 2015 - 8:56 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 52.8.249.75
    Host Name: ec2-52-8-249-75.us-west-1.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /hello.php
    QUERY_STRING:
    HTTP_USER_AGENT: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
    #24097

    Victor
    Participant

    [403 GET / HEAD Request: 12 junio 2015 - 13:55]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 91.200.13.64
    Host Name: dedic336.hidehost.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.kiwinho.com/
    REQUEST_URI: /wp-content/plugins/hello.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.66 Safari/535.11
    #24098

    AITpro Admin
    Keymaster

    Perfect.  Thanks.  This is what I expected to see.  So what we will do to prevent this issue/problem from happening is to add another filter to Plugin Firewall AutoPilot Mode for this condition/error log entry.  For now you can either click the Security Log Delete Log button to clear your Security Log file or just ignore this issue/problem.  This issue/problem is not critical or important and is a nuisance issue/problem.  This will be added/done in BPS Pro 10.7.  Thanks.

    IP address:  91.200.13.64 belongs to a known Ukrainian hacker/spammer group/gang.  So this is some sort of probe/recon on the hello.php file.

    #24105

    AITpro Admin
    Keymaster

    What is important to note is that a Plugin Firewall whitelist rule is NOT actually being created by the Plugin Firewall AutoPilot Mode for the hello.php file so it is still protected.  The nuisance is that AutoPilot Mode is attempting to process this Security Log entry over and over, but will not actually create a whitelist rule for the hello.php file since that would allow external access to that file.  A new AutoPilot Mode filter has been added and tested working for this nuisance issue/problem.  We will upload a new BPS Pro zip file with this BugFix at 1pm today if you would like to download it from the AIT-pro.com BPS Pro Secure Download Area and install it using the BPS Pro Upload Zip installer.  Or you can just ignore this nuisance issue/problem until BPS Pro 10.7 is released.

    #24117

    AITpro Admin
    Keymaster

    A new BPS Pro zip file with this BugFix is available for download and installation if you would like to download it from the AIT-pro.com BPS Pro Secure Download Area.  Use the BPS Pro Upload zip installer to install the new zip file.  The BPS Pro Upload zip installer is under the BPS Pro Setup Main menu.

    #24171

    Victor
    Participant

    thanks

    #32801

    JohnS168
    Participant

    Hi,

    I know you put this issue to bed a while ago but the nuisance with AutoPilot Mode seems to be back with the latest version.   Hacker attempt is blocked but autopilot thinks it needs to add a whitelist rule.  I realize that no rule is actually created but the notice creates a concern.  Just thought I would let you know so it could be addressed in the next version.

    Thanks

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: March 25, 2017 - 7:54 am]
    BPS Pro: 12.8
    WP: 4.7.3
    Whitelist Rule: /myshe.php
    
    [403 POST Request: March 25, 2017 - 7:42 am]
    BPS Pro: 12.8
    WP: 4.7.3
    Event Code: PFWR-PSBR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 188.165.221.42
    Host Name: ns345300.ip-188-165-221.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://mysite.com/plus/mytag_js.php?aid=9527
    REQUEST_URI: /wp-content/plugins/myshe.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
    REQUEST BODY: h=@eval(get_magic_quotes_gpc()?stripslashes($_POST[chr(122).chr(48)]):$_POST[chr(122).chr(48)]);&z0=603403%3b%40ini_set(%22display_errors%22%2c%220%22)%3b%40set_time_limit(0)%3b%40set_magic_quotes_runtime(0)%3becho(%22-%3e%7c%22)%3b%3b%24D%3ddirname(%24_SERVER%5b%22SCRIPT_FILENAME%22%5d)%3bif(%24D%3d%3d%22%22)%24D%3ddirname(%24_SERVER%5b%22PATH_TRANSLATED%22%5d)%3b%24root%3disset(%24_SERVER%5b%27DOCUMENT_ROOT%27%5d)%3f%24_SERVER%5b%27DOCUMENT_ROOT%27%5d%3a(isset(%24_SERVER%5b%27APPL_PHYSICAL_PAT
    #32802

    AITpro Admin
    Keymaster

    @ JohnS168 – Yep we are aware of these types of nuisance AutoPilot log entries and are working on a fix for this.
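
Added example, not part of the thread and not BPS Pro code: a small triage script that pairs each repeated AutoPilot "Whitelist Rule" notice with the blocked 403 entries behind it, so the notices can be read as blocked probes rather than as rules that were created. The sample log is constructed in the layout posted above, and matching a rule path against `/wp-content/plugins` plus that path is an assumption inferred from the two entries in this thread.

```python
import re
from collections import Counter

# Constructed sample in the log layout shown in this thread; the addresses
# are documentation-range placeholders.
SAMPLE_LOG = """\
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 10:47 pm]
Whitelist Rule: /hello.php

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:02 pm]
Whitelist Rule: /hello.php

[403 GET / HEAD Request: July 14, 2015 - 10:40 pm]
Event Code: PFWR-PSBR-HPR
REMOTE_ADDR: 203.0.113.7
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/hello.php

[403 GET / HEAD Request: July 14, 2015 - 10:41 pm]
Event Code: PFWR-PSBR-HPR
REMOTE_ADDR: 198.51.100.9
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/some-plugin/app.js
"""

HEADER = re.compile(r"^\[(.+?): (.+)\]$")
PLUGINS = "/wp-content/plugins"  # assumption: rule paths are relative to this folder

def parse_entries(text):
    """Split the log into dicts: header kind/when plus each 'Key: value' line."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"kind": m.group(1), "when": m.group(2), "rules": []})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            if key == "Whitelist Rule":
                entries[-1]["rules"].append(value.strip())
            else:
                entries[-1][key.strip()] = value.strip()
    return entries

def correlate(entries):
    """Map each AutoPilot rule path to its notice count and the 403s behind it."""
    notices = Counter(r for e in entries if "AutoPilot" in e["kind"] for r in e["rules"])
    blocked = [e for e in entries if e["kind"].startswith("403")]
    return {rule: {"notices": n,
                   "blocked": [(e.get("REMOTE_ADDR"), e.get("REQUEST_METHOD"), e.get("Event Code"))
                               for e in blocked
                               if e.get("REQUEST_URI", "").split("?")[0] == PLUGINS + rule]}
            for rule, n in notices.items()}
```

A rule path with notices but an empty `blocked` list has no matching 403 entry in the log and deserves a closer look than one that pairs with a blocked request.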
