Whitelist Rule: /hello.php
Hassan Ali (Participant)
Can someone please explain to me the following log I found in my security log? I checked and there is actually a file which exists as a plugin.
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 10:47 pm]
Whitelist Rule: /hello.php
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:02 pm]
Whitelist Rule: /hello.php
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:17 pm]
Whitelist Rule: /hello.php
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: July 14, 2015 - 11:33 pm]
Whitelist Rule: /hello.php
AITpro Admin (Keymaster)
Hmm, that is an odd issue/problem that I have not seen before. What version of BPS Pro do you have installed? Is the hello.php file the standard Hello Dolly plugin file or is it for another plugin? If the hello.php is for another plugin, then what is that plugin's name?
Victor (Participant)
Hello,
It's happening to me as well.
I have installed the BPS PRO version 10.6
AITpro Admin (Keymaster)
@ Victor – Check your BPS Security Log and post the Security Log entry for this. What I suspect is happening is that this is some sort of hacker probe that is being blocked and AutoPilot Mode is trying to create a whitelist rule for this. Not really sure since I was not able to recreate this problem.
Victor (Participant)
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 21 julio 2015 - 15:40]
Whitelist Rule: /hello.php
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 21 julio 2015 - 15:55]
Whitelist Rule: /hello.php
AITpro Admin (Keymaster)
@ Victor – What I am looking for is the Security Log entry for this. It will look something like this example log entry below. Check your Security Log and look for a Security Log entry that looks like the example I posted. The key thing to look for is hello.php in one of the Security Log entries. Once you find the Security Log entry then copy and paste it in your forum reply.
[403 GET / HEAD Request: July 20, 2015 - 8:56 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 52.8.249.75
Host Name: ec2-52-8-249-75.us-west-1.compute.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /hello.php
QUERY_STRING:
HTTP_USER_AGENT: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Victor (Participant)
[403 GET / HEAD Request: 12 junio 2015 - 13:55]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 91.200.13.64
Host Name: dedic336.hidehost.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.kiwinho.com/
REQUEST_URI: /wp-content/plugins/hello.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.66 Safari/535.11
AITpro Admin (Keymaster)
Perfect. Thanks. This is what I expected to see. So what we will do to prevent this issue/problem from happening is to add another filter to Plugin Firewall AutoPilot Mode for this condition/error log entry. For now you can either click the Security Log Delete Log button to clear your Security Log file or just ignore this issue/problem. This issue/problem is not critical or important and is a nuisance issue/problem. This will be added/done in BPS Pro 10.7. Thanks.
IP address: 91.200.13.64 belongs to a known Ukrainian hacker/spammer group/gang. So this is some sort of probe/recon on the hello.php file.
AITpro Admin (Keymaster)
What is important to note is that a Plugin Firewall whitelist rule is NOT actually being created by the Plugin Firewall AutoPilot Mode for the hello.php file so it is still protected. The nuisance is that AutoPilot Mode is attempting to process this Security Log entry over and over, but will not actually create a whitelist rule for the hello.php file since that would allow external access to that file. A new AutoPilot Mode filter has been added and tested working for this nuisance issue/problem. We will upload a new BPS Pro zip file with this BugFix at 1pm today if you would like to download it from the AIT-pro.com BPS Pro Secure Download Area and install it using the BPS Pro Upload Zip installer. Or you can just ignore this nuisance issue/problem until BPS Pro 10.7 is released.
AITpro Admin (Keymaster)
A new BPS Pro zip file with this BugFix is available for download and installation if you would like to download it from the AIT-pro.com BPS Pro Secure Download Area. Use the BPS Pro Upload zip installer to install the new zip file. The BPS Pro Upload zip installer is under the BPS Pro Setup Main menu.
Victor (Participant)
Thanks
JohnS168 (Participant)
Hi,
I know you put this issue to bed a while ago but the nuisance with AutoPilot Mode seems to be back with the latest version. Hacker attempt is blocked but autopilot thinks it needs to add a whitelist rule. I realize that no rule is actually created but the notice creates a concern. Just thought I would let you know so it could be addressed in the next version.
Thanks
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: March 25, 2017 - 7:54 am]
BPS Pro: 12.8
WP: 4.7.3
Whitelist Rule: /myshe.php
[403 POST Request: March 25, 2017 - 7:42 am]
BPS Pro: 12.8
WP: 4.7.3
Event Code: PFWR-PSBR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 188.165.221.42
Host Name: ns345300.ip-188-165-221.eu
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://mysite.com/plus/mytag_js.php?aid=9527
REQUEST_URI: /wp-content/plugins/myshe.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
REQUEST BODY: h=@eval(get_magic_quotes_gpc()?stripslashes($_POST[chr(122).chr(48)]):$_POST[chr(122).chr(48)]);&z0=603403%3b%40ini_set(%22display_errors%22%2c%220%22)%3b%40set_time_limit(0)%3b%40set_magic_quotes_runtime(0)%3becho(%22-%3e%7c%22)%3b%3b%24D%3ddirname(%24_SERVER%5b%22SCRIPT_FILENAME%22%5d)%3bif(%24D%3d%3d%22%22)%24D%3ddirname(%24_SERVER%5b%22PATH_TRANSLATED%22%5d)%3b%24root%3disset(%24_SERVER%5b%27DOCUMENT_ROOT%27%5d)%3f%24_SERVER%5b%27DOCUMENT_ROOT%27%5d%3a(isset(%24_SERVER%5b%27APPL_PHYSICAL_PAT
AITpro Admin (Keymaster)
@ JohnS168 – Yep, we are aware of these types of nuisance AutoPilot log entries and are working on a fix for this.
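Added example (not part of the thread and not BPS Pro code): one way to triage the notices discussed above is to pair each AutoPilot "Whitelist Rule" notice with blocked 403 Security Log entries for the same file name, and to note whether the blocked request body carried PHP code. The one-field-per-line layout, the function names and the sample values (placeholder IP, file names and body) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample (one field per line; placeholder IP, file names and body).
SAMPLE_LOG = """\
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: March 25, 2017 - 7:54 am]
Whitelist Rule: /example-probe.php
[403 POST Request: March 25, 2017 - 7:42 am]
Event Code: PFWR-PSBR-HPRA
REMOTE_ADDR: 203.0.113.10
REQUEST_URI: /wp-content/plugins/example-probe.php
REQUEST BODY: h=%40eval(...)%3b
[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: March 26, 2017 - 9:00 am]
Whitelist Rule: /example-plugin/
"""

HEADER = re.compile(r"^\[(?P<kind>.+?): (?P<when>[^\]]+)\]$")
FIELD = re.compile(r"^(?P<key>[A-Za-z_ ]+): ?(?P<val>.*)$")
CODE_MARKER = re.compile(r"\b(eval|assert|base64_decode)\s*\(|\$_(POST|REQUEST)\b", re.I)

def parse_entries(text):
    """Split the log into entries: header kind, timestamp and key/value fields."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            entries.append({"kind": m["kind"], "when": m["when"], "fields": {}})
        elif entries and (f := FIELD.match(line)):
            entries[-1]["fields"][f["key"]] = f["val"]
    return entries

def probe_notices(entries):
    """Yield AutoPilot notices whose file name also appears in a blocked (403) request."""
    blocked = [e["fields"] for e in entries if e["kind"].startswith("403 ")]
    for e in entries:
        rule = e["fields"].get("Whitelist Rule", "")
        name = rule.rstrip("/").rsplit("/", 1)[-1]
        hits = [b for b in blocked if name
                and b.get("REQUEST_URI", "").split("?")[0].endswith("/" + name)]
        if hits:
            yield {
                "rule": rule, "notice_time": e["when"],
                "sources": sorted({b.get("REMOTE_ADDR", "") for b in hits}),
                "event_codes": sorted({b.get("Event Code", "") for b in hits}),
                # URL-decode the body before looking for PHP execution markers.
                "code_in_body": any(CODE_MARKER.search(unquote(b.get("REQUEST BODY", "")))
                                    for b in hits),
            }

if __name__ == "__main__":
    print(list(probe_notices(parse_entries(SAMPLE_LOG))))
```

A notice that pairs with a blocked request from an external address is the nuisance case described in this thread; a notice with no matching 403 entry is not reported by this check.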