WP-login.php – Attack or not? What next?
This topic has 3 replies, 2 voices, and was last updated 9 years, 5 months ago by AITpro Admin.
Kathy (Participant)
I have been getting a lot of 403 errors with “REQUEST_URI: /wp-login.php” in the security log. I followed the directions here: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/. I also set up JTC Anti-Spam. Even after that, I still receive weird things in my security log. Is there something else I need to do?
Here is a sample of the errors. I have removed my domain name and other extra unhelpful lines. Below the errors I have listed the changes I made in the Custom Code area.
>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 4:41 am <<<<<<<<<<<
REMOTE_ADDR: 151.237.186.63
Host Name: 151.237.186.63
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
HTTP_REFERER: https: //MYSITE/aMember/login?amember_redirect_url=%2FaMember%2Fsignup
REQUEST_URI: /wp-login.php?redirect_to=https%3A%2F%2MYSITE%2Fwp-admin%2Fpost-new.php&reauth=1
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 5:33 am <<<<<<<<<<<
REMOTE_ADDR: 72.167.191.18
Host Name: p3plssscan014.prod.phx3.secureserver.net
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /.cobalt
HTTP_USER_AGENT: Nessus

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
REMOTE_ADDR: 171.4.250.128
Host Name: mx-ll-171.4.250-128.dynamic.3bb.co.th
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
REMOTE_ADDR: 171.4.250.128
Host Name: mx-ll-171.4.250-128.dynamic.3bb.co.th
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0

>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
REMOTE_ADDR: 171.4.250.128
Host Name: mx-ll-171.4.250-128.dynamic.3bb.co.th
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS:
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
...
# END BPSQSE BPS QUERY STRING EXPLOITS
CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE:
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
AITpro Admin (Keymaster)
Any Security Log entry with Server Protocol HTTP/1.0 is a blocked hacker bot or spambot. We get around 300,000 of these blocked hacker and spammer log entries per month.
This log entry looks like a typical hacker recon/probe looking for a file that is exploitable. The file may or may not actually exist on your website.
>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 5:33 am <<<<<<<<<<<
REMOTE_ADDR: 72.167.191.18
Host Name: p3plssscan014.prod.phx3.secureserver.net
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /.cobalt
HTTP_USER_AGENT: Nessus
If this is a legitimate file – /.cobalt – then let me know and I will tell you why it is being blocked and what to do next. Most likely it is not an actual file on your website and is just a standard hacker recon/probe.
In general, BPS automatically handles everything including zipping and emailing your log files to you. BPS is doing its job so you can check your Security log for any HTTP errors that would indicate that BPS is blocking something legitimate, but as far as Security Log entries go for blocked hackers, spammers, scrapers, etc. you do not need to spend a lot of time looking at those.
This video tutorial link below explains what to check for to ensure that BPS is not blocking anything legitimate.
http://forum.ait-pro.com/video-tutorials/#security-log-firewall
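An added example, not code from BPS or from this thread: a small Python triage script that parses entries in the Security Log format quoted above and applies the two rules of thumb the thread gives (an HTTP/1.0 entry is a bot; a wp-login.php request with an empty user agent is a bot, which is the condition in the custom RewriteCond), so that only the remaining wp-login.php blocks, the ones that could be a real user, are surfaced for the check the admin describes. The `bot`/`probe`/`review` labels, the parser, and the last two sample entries are my assumptions; the first two sample entries are abridged from the post.

```python
# Constructed sample in the BulletProof Security log format quoted in this thread: the first
# two entries are abridged from the post, the last two are made up (RFC 5737 addresses).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
REMOTE_ADDR: 171.4.250.128
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 5:33 am <<<<<<<<<<<
REMOTE_ADDR: 72.167.191.18
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /.cobalt
HTTP_USER_AGENT: Nessus
>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 7:02 am <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT:
>>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 7:10 am <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.5
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
"""

def parse_bps_log(text):
    """Split the log into one dict per 403 entry: the header's timestamp plus 'KEY: value' lines."""
    entries = []
    for line in text.splitlines():
        if line.startswith(">>>") and "Logged - " in line:
            stamp = line.split("Logged - ", 1)[1].rstrip("< ")
            entries.append({"logged": stamp})
        elif entries and ":" in line:            # 'HTTP_USER_AGENT:' with nothing after it gives ""
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def classify(entry):
    uri, proto = entry.get("REQUEST_URI", ""), entry.get("SERVER_PROTOCOL", "")
    if proto == "HTTP/1.0":
        return "bot"      # admin: any HTTP/1.0 entry is an automated hacker/spam bot
    if "wp-login.php" in uri and entry.get("HTTP_USER_AGENT", "") in ("", "-"):
        return "bot"      # empty user agent, the other condition in the custom RewriteCond
    if "wp-login.php" in uri:
        return "review"   # blocked by some other rule: make sure it was not a real login
    return "probe"        # recon for a path that need not exist, e.g. /.cobalt

def needs_review(text):
    """The only entries worth an operator's time, per the admin's advice (label is assumed)."""
    return [e for e in parse_bps_log(text) if classify(e) == "review"]
```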
Kathy (Participant)
Thank you for your quick reply. Thank you for a great product!
.cobalt is not a legitimate file.
AITpro Admin (Keymaster)
Very welcome. After a while you will see the scope/magnitude of automated spammer/hacker activity and at first it seems very worrisome, but you get used to it after a while. It’s just the way things are these days on the Internet. 😉