WP-login.php – Attack or not? What next?


  • #10558
    Kathy
    Participant

    I have been getting a lot of 403 errors with “REQUEST_URI: /wp-login.php” in the security log.  I followed the directions here: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/.  I also set up JTC Anti-Spam.  Even after that, I still receive weird things in my security log. Is there something else I need to do?

    Here is a sample of the errors. I have removed my domain name and other extra unhelpful lines. Below the errors I have listed the changes I made in the Custom Code area.

    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 4:41 am <<<<<<<<<<<
    REMOTE_ADDR: 151.237.186.63
    Host Name: 151.237.186.63
    SERVER_PROTOCOL: HTTP/1.0
    REQUEST_METHOD: GET
    HTTP_REFERER: https://MYSITE/aMember/login?amember_redirect_url=%2FaMember%2Fsignup
    REQUEST_URI: /wp-login.php?redirect_to=https%3A%2F%2MYSITE%2Fwp-admin%2Fpost-new.php&reauth=1
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
    
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 5:33 am <<<<<<<<<<<
    REMOTE_ADDR: 72.167.191.18
    Host Name: p3plssscan014.prod.phx3.secureserver.net
    SERVER_PROTOCOL: HTTP/1.1
    REQUEST_METHOD: GET
    REQUEST_URI: /.cobalt
    HTTP_USER_AGENT: Nessus
    
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
    REMOTE_ADDR: 171.4.250.128
    Host Name: mx-ll-171.4.250-128.dynamic.3bb.co.th
    SERVER_PROTOCOL: HTTP/1.0
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-login.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
    
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
    REMOTE_ADDR: 171.4.250.128
    Host Name: mx-ll-171.4.250-128.dynamic.3bb.co.th
    SERVER_PROTOCOL: HTTP/1.0
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-login.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
    
    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 6:28 am <<<<<<<<<<<
    REMOTE_ADDR: 171.4.250.128
    Host Name: mx-ll-171.4.250-128.dynamic.3bb.co.th
    SERVER_PROTOCOL: HTTP/1.0
    REQUEST_METHOD: GET
    REQUEST_URI: /wp-login.php
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0

    CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS:

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    ...
    ...
    ...
    # END BPSQSE BPS QUERY STRING EXPLOITS

    CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE:

    # Forbid requests for wp-login.php that carry no User-Agent (or just "-") or arrive over HTTP/1.0.
    # The first condition is ANDed with the OR-group of the three conditions that follow it.
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    # empty or "-" User-Agent
    RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]
    # request line or negotiated protocol is HTTP/1.0
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    #10560
    AITpro Admin
    Keymaster

    Any Security Log entry with Server Protocol HTTP/1.0 is a blocked hacker bot or spambot.  We get around 300,000 of these blocked hacker and spammer log entries per month.

    This log entry looks like a typical hacker recon/probe looking for a file that is exploitable.  The file may or may not actually exist on your website.

    >>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 5:33 am <<<<<<<<<<<
    REMOTE_ADDR: 72.167.191.18
    Host Name: p3plssscan014.prod.phx3.secureserver.net
    SERVER_PROTOCOL: HTTP/1.1
    REQUEST_METHOD: GET
    REQUEST_URI: /.cobalt
    HTTP_USER_AGENT: Nessus

    If this is a legitimate file – /.cobalt – then let me know and I will tell you why it is being blocked and what to do next. Most likely it is not an actual file on your website and is just a standard hacker recon/probe.

    In general, BPS automatically handles everything including zipping and emailing your log files to you.  BPS is doing its job so you can check your Security log for any HTTP errors that would indicate that BPS is blocking something legitimate, but as far as Security Log entries go for blocked hackers, spammers, scrapers, etc. you do not need to spend a lot of time looking at those.

    This video tutorial link below explains what to check for to ensure that BPS is not blocking anything legitimate.

    http://forum.ait-pro.com/video-tutorials/#security-log-firewall
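
The following is an added example, not code from this thread or from BulletProof Security. It parses entries in the Security Log layout Kathy pasted, applies the same test as her RewriteCond block (wp-login.php and either a blank/"-" User-Agent or HTTP/1.0), tags known scanner User-Agents such as the Nessus probe AITpro Admin discussed, and leaves everything else as "review", which is the set a human should check for legitimate traffic being blocked. The scanner token list, the verdict names, the threshold for repeat offenders and the extra HTTP/1.1 browser entry from 203.0.113.5 are assumptions chosen for the example; the sample log is constructed.

```python
import re
from collections import Counter

# Header line of one BPS Security Log entry, e.g.
# ">>>>>>>>>>> 403 GET or HEAD Request Error Logged - 10/15/2013 - 4:41 am <<<<<<<<<<<"
HEADER_RE = re.compile(
    r"^>{3,}\s*(?P<status>\d{3})\s+(?P<kind>.*?)\s+Logged\s*-\s*(?P<when>.*?)\s*<{3,}\s*$"
)

# Assumption: default User-Agent substrings of common vulnerability scanners.
SCANNER_UA_TOKENS = ("nessus", "nikto", "sqlmap")


def parse_bps_log(text):
    """Split the log text into one dict per entry (header fields plus 'KEY: value' lines)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"status": int(m["status"]), "when": m["when"]}
            entries.append(current)
            continue
        if current is None:
            continue                      # stray text before the first header
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return entries


def matches_wp_login_rule(entry):
    """Same condition as the RewriteCond block in the thread:
    request for wp-login.php AND (blank or '-' User-Agent OR HTTP/1.0)."""
    uri = entry.get("REQUEST_URI", "")
    ua = entry.get("HTTP_USER_AGENT", "").strip()
    proto = entry.get("SERVER_PROTOCOL", "")
    return "wp-login.php" in uri and (ua in ("", "-") or proto == "HTTP/1.0")


def classify(entry):
    """login-bot: caught by the wp-login rule; scanner: known scanner UA;
    review: everything else, i.e. what a human should look at."""
    if matches_wp_login_rule(entry):
        return "login-bot"
    ua = entry.get("HTTP_USER_AGENT", "").lower()
    if any(tok in ua for tok in SCANNER_UA_TOKENS):
        return "scanner"
    return "review"


def triage(entries):
    return [{"when": e["when"], "ip": e.get("REMOTE_ADDR", "?"),
             "uri": e.get("REQUEST_URI", ""), "verdict": classify(e)} for e in entries]


def repeat_offenders(verdicts, threshold=3):
    """IPs with at least `threshold` login-bot hits: candidates for an IP block (assumed threshold)."""
    hits = Counter(v["ip"] for v in verdicts if v["verdict"] == "login-bot")
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def _entry(when, ip, proto, uri, ua, host=None):
    """Build one entry in the BPS log layout (constructed sample data)."""
    return (f">>>>>>>>>>> 403 GET or HEAD Request Error Logged - {when} <<<<<<<<<<<\n"
            f"REMOTE_ADDR: {ip}\nHost Name: {host or ip}\nSERVER_PROTOCOL: {proto}\n"
            f"REQUEST_METHOD: GET\nREQUEST_URI: {uri}\nHTTP_USER_AGENT: {ua}\n\n")


FIREFOX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0"

# Constructed sample log: the thread's entries plus one HTTP/1.1 browser login
# from the documentation address 203.0.113.5 that the rewrite rule does NOT catch.
SAMPLE_LOG = (
    _entry("10/15/2013 - 4:41 am", "151.237.186.63", "HTTP/1.0",
           "/wp-login.php?redirect_to=https%3A%2F%2FMYSITE%2Fwp-admin%2Fpost-new.php&reauth=1",
           "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1")
    + _entry("10/15/2013 - 5:33 am", "72.167.191.18", "HTTP/1.1", "/.cobalt", "Nessus",
             host="p3plssscan014.prod.phx3.secureserver.net")
    + _entry("10/15/2013 - 6:28 am", "171.4.250.128", "HTTP/1.0", "/wp-login.php", FIREFOX) * 3
    + _entry("10/15/2013 - 7:02 am", "203.0.113.5", "HTTP/1.1", "/wp-login.php", FIREFOX)
)


if __name__ == "__main__":
    verdicts = triage(parse_bps_log(SAMPLE_LOG))
    for v in verdicts:
        print(f'{v["when"]:24} {v["ip"]:16} {v["verdict"]:10} {v["uri"]}')
    print("by verdict:", dict(Counter(v["verdict"] for v in verdicts)))
    print("repeat offenders:", repeat_offenders(verdicts))
```

Run it against a real Security Log by replacing SAMPLE_LOG with the file contents. The "review" bucket is deliberately the only one worth reading line by line: an HTTP/1.1 request for wp-login.php with a normal browser User-Agent is exactly what a locked-out legitimate user looks like, while the "login-bot" and "scanner" buckets are the noise the thread says you can ignore.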

    #10562
    Kathy
    Participant

    Thank you for your quick reply. Thank you for a great product!

    .cobalt is not a legitimate file.

    #10565
    AITpro Admin
    Keymaster

    Very welcome.  After a while you will see the scope/magnitude of automated spammer/hacker activity and at first it seems very worrisome, but you get used to it after a while.  It’s just the way things are these days on the Internet.  😉
