• Resolved ziegel

    (@ziegel)


    Hi,

    I got an alert email and can also see such events in the log file:

    17/Feb/21 10:33:10 #2465301 INFO - 34.255.198.166 GET /index.php - Access to a script modified/created less than 10 hour(s) ago - [/var/www/vhosts/example.com/staging.example.com/index.php] - staging.example.com

    My index.php file content is:
    <?php

    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */

    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define( 'WP_USE_THEMES', true );

    /** Loads the WordPress Environment and Template */
    require __DIR__ . '/wp-blog-header.php';

    May I ask:
    1. What is special/risky in the event reported by you?
    2. Was any attack blocked?
    3. Could it be a false report generated as a result of a backup restore process, making the index.php file “new” with a new date?
    4. Should the index.php content be modified?
    5. Should the index.php file be somehow white-listed?
    6. Should I take any other protection measures?
    7. I saw in testing that I can NOT use the trick of:
    if (!defined('ABSPATH')) exit;
    Can it be defined otherwise, to block direct access to this index.php file when the request is not part of a legitimate GET request to the website itself?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter ziegel

    (@ziegel)

    Below are possibly related parts of the .htaccess file:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    <IfModule mod_rewrite.c>

    RewriteCond %{REMOTE_ADDR} !^MY IPS

    RewriteCond %{REQUEST_URI} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{REQUEST_URI} (=?\\(\'|%27)/?)(\.) [NC,OR]
    RewriteCond %{REQUEST_URI} (\^|`|<|>|%|\\|\{|\}|\|) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(\*|\"|\'|\.|,|&|&?)/?$ [NC,OR]
    RewriteCond %{REQUEST_URI} (\.)(php)(\()?([0-9]+)(\))?(/)?$ [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(vbulletin|boards|vbforum)(/)? [NC,OR]
    RewriteCond %{REQUEST_URI} (\.(s?ftp-?)config|(s?ftp-?)config\.) [NC,OR]
    RewriteCond %{REQUEST_URI} (\{0\}|\"?0\"?=\"?0|\(/\(|\.\.\.|\+\+\+|\\\") [NC,OR]
    RewriteCond %{REQUEST_URI} (thumbs?(_editor|open)?|tim(thumbs?)?)(\.php) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(fck|ckfinder|fullclick|ckfinder|fckeditor) [NC,OR]
    RewriteCond %{REQUEST_URI} (\.|20)(get|the)(_)(permalink|posts_page_url)(\() [NC,OR]
    RewriteCond %{REQUEST_URI} (///|\?\?|/&&|/\*(.*)\*/|/:/|\\\\|0x00|%00|%0d%0a) [NC,OR]
    RewriteCond %{REQUEST_URI} (/%7e)(root|ftp|bin|nobody|named|guest|logs|sshd)(/) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(etc|var)(/)(hidden|secret|shadow|ninja|passwd|tmp)(/)?$ [NC,OR]
    RewriteCond %{REQUEST_URI} (s)?(ftp|http|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215)) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(=|\$&?|&?(pws|rk)=0|_mm|_vti_|cgi(\.|-)?|(=|/|;|,)nt\.) [NC,OR]
    RewriteCond %{REQUEST_URI} (\.)(ds_store|htaccess|htpasswd|init?|mysql-select-db)(/)?$ [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(bin)(/)(cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)(/)?$ [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(::[0-9999]|%3a%3a[0-9999]|127\.0\.0\.1|localhost|loopback|makefile|pingserver|wwwroot)(/)? [NC,OR]
    RewriteCond %{REQUEST_URI} (\(null\)|\{\$itemURL\}|cAsT\(0x|echo(.*)kae|etc/passwd|eval\(|self/environ|\+union\+all\+select) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(awstats|(c99|php|web)shell|document_root|error_log|listinfo|muieblack|remoteview|site((.){0,2})copier|sqlpatch|sux0r) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)((php|web)?shell|crossdomain|fileditor|locus7|nstview|php(get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin)(.*)(\.|\() [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(author-panel|bitrix|class|database|(db|mysql)-?admin|filemanager|htdocs|httpdocs|https?|mailman|mailto|msoffice|mysql|_?php-?my-?admin(.*)|tmp|undefined|usage|var|vhosts|webmaster|www)(/) [NC,OR]
    RewriteCond %{REQUEST_URI} (\.)(7z|ab4|afm|aspx?|bash|ba?k?|bz2|cfg|cfml?|cgi|ctl|dat|db|dll|eml|et2|exe|fec|fla|hg|inc|ini|inv|jsp|log|lqd|mbf|mdb|mmw|mny|old|one|out|passwd|pdb|pl|psd|pst|ptdb|pwd|py|qbb|qdf|rar|rdf|sdb|sql|sh|soa|swf|swl|swp|stx|tar|tax|tgz|tls|tmd|wow|zlib)$ [NC,OR]
    RewriteCond %{REQUEST_URI} (base64_(en|de)code|benchmark|child_terminate|curl_exec|e?chr|eval|function|fwrite|(f|p)open|html|leak|passthru|p?fsockopen|phpinfo|posix_(kill|mkfifo|setpgid|setsid|setuid)|proc_(close|get_status|nice|open|terminate)|(shell_)?exec|system)(.*)(\()(.*)(\)) [NC,OR]
    RewriteCond %{REQUEST_URI} (/)(^$|00.temp00|0day|3xp|70bex?|admin_events|bkht|(php|web)?shell|configbak|curltest|db|dompdf|filenetworks|hmei7|index\.php/index\.php/index|jahat|kcrew|keywordspy|mobiquo|mysql|nessus|php-?info|racrew|sql|vuln|webconfig|(wp-)?conf(ig)?(uration)?|xertive)(\.php) [NC]

    # RewriteRule .* - [F,L]

    RewriteRule .* /7G_log.php?log [END,NE,E=7G_REQUEST_URI:%1___%2___%3]

    </IfModule>

    Thread Starter ziegel

    (@ziegel)

    .htninja file content (the file is placed one folder "above" the web root):

    <?php
    /*
    +=====================================================================+
    | NinjaFirewall optional configuration file                           |
    |                                                                     |
    | See: https://nintechnet.com/ninjafirewall/wp-edition/help/?htninja  |
    |                                                                     |
    +=====================================================================+
    */

    // =======================================================
    // Single IPv4 and IPv6:
    $ip_array = array( 'IP LIST' );
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
        // white list it:
        return 'ALLOW';
    }

    // =======================================================
    // CIDR (IPv4 **only**):
    $cidr_array = array( 'CIDR LIST' );
    // Loop through the array:
    foreach ( $cidr_array as $cidr ) {
        // Check IP vs CIDR:
        if ( ipCIDRCheck( $_SERVER['REMOTE_ADDR'], $cidr ) ) {
            // IP matches, white list it:
            return 'ALLOW';
        }
    }
    // Unconditional top-level function declarations are hoisted by PHP,
    // so calling it above its definition is fine.
    function ipCIDRCheck( $IP, $CIDR ) {
        list ( $subnet, $bits ) = explode( '/', $CIDR );
        $ip     = ip2long( $IP );
        $subnet = ip2long( $subnet );
        $mask   = -1 << ( 32 - $bits );
        $subnet &= $mask;
        return ( $ip & $mask ) == $subnet;
    }
    // =======================================================

    // To tell NinjaFirewall where you moved your WP config file,
    // use the '$wp_config' variable :
    // ** NOTE: Deprecated since NinjaFirewall 3.0.1 **
    // $wp_config = '/foo/bar/wp-config.php';

    // Users of Cloudflare CDN:
    // if (! empty($_SERVER["HTTP_CF_CONNECTING_IP"]) &&
    //     filter_var($_SERVER["HTTP_CF_CONNECTING_IP"], FILTER_VALIDATE_IP) ) {
    //     $_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_CF_CONNECTING_IP"];
    // }

    // Users of Incapsula CDN:
    // if (! empty($_SERVER["HTTP_INCAP_CLIENT_IP"]) &&
    //     filter_var($_SERVER["HTTP_INCAP_CLIENT_IP"], FILTER_VALIDATE_IP) ) {
    //     $_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_INCAP_CLIENT_IP"];
    // }

    // Whitelist/blacklist whatever you want:
    //
    // Return codes:
    // 'ALLOW' == Allow and stop filtering (whitelist).
    // 'BLOCK' == Reject immediately (blacklist).
    //
    // Any other return code will be ignored
    //
    // Note that if you use 'ALLOW'/'BLOCK', nothing will be written
    // to the firewall log.

    // Whitelist single IP 1.2.3.4:
    // if ( $_SERVER["REMOTE_ADDR"] == '1.2.3.4' ) {
    //     return 'ALLOW'; // whitelist
    // }

    // Whitelist SINGLE IPs 1.1.1.1, 2.2.2.2 and 3.3.3.3:
    // $ip_array = array( Separate IP LIST AGAIN );
    // if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
    //     return 'ALLOW'; // whitelist
    // }

    // Whitelist all IPs from 1.1.1.1 to 1.1.1.255:
    // if ( preg_match( '/^1\.1\.1\.\d+$/', $_SERVER["REMOTE_ADDR"] ) ) {
    //     return 'ALLOW'; // whitelist
    // }

    // Blacklist single IP 1.2.3.4:
    // if ( $_SERVER["REMOTE_ADDR"] == '1.2.3.4' ) {
    //     return 'BLOCK'; // blacklist
    // }

    // Blacklist IPs 1.1.1.1, 2.2.2.2 and 3.3.3.3:
    // $ip_array = array( '1.1.1.1' , '2.2.2.2' , '3.3.3.3' );
    // if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
    //     return 'BLOCK'; // blacklist
    // }

    // Blacklist all IPs from 1.1.1.1 to 1.1.1.255:
    // if ( preg_match( '/^1\.1\.1\.\d+$/', $_SERVER["REMOTE_ADDR"] ) ) {
    //     return 'BLOCK'; // blacklist
    // }

    // Do not filter any HTTP request sent to a script located inside the /myfolder/ directory:
    // if (strpos($_SERVER['SCRIPT_FILENAME'], '/myfolder/') !== FALSE) {
    //     return 'ALLOW';
    // }

    // Advanced filtering :
    // Block immediately a POST request if it contains a 'whatever' variable
    // sent to a script named 'script.php' :
    // if ( isset($_POST['whatever']) && strpos($_SERVER['SCRIPT_NAME'], 'script.php') !== FALSE ) {
    //     return 'BLOCK';
    // }

    // do not add anything below this line.

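The .htninja above has two weak spots a practitioner would want closed: its CIDR check is IPv4-only (ip2long cannot handle an IPv6 peer, so an IPv6 operator address is never whitelisted), and the commented-out Cloudflare block overrides REMOTE_ADDR with a client-supplied header without first checking that the request really came from the CDN, which would let anyone forge their way onto the whitelist. The following is an added example, not code from this thread or from NinjaFirewall's shipped .htninja template. It is written the way it would be dropped into a .htninja file; all address lists are placeholders (RFC 5737/3849 documentation prefixes), and a real deployment would use the operator's own ranges and the proxy ranges the CDN publishes.

```php
<?php
// Added example (not from the thread, not NinjaFirewall code): family-agnostic
// CIDR matching plus a guarded CDN header override for a .htninja file.
// Requires PHP 7.1+ (nullable return type).

// Match an IPv4 or IPv6 address against a CIDR prefix by comparing the raw
// bytes from inet_pton. Malformed input or a family mismatch returns false,
// so a bad entry can never accidentally whitelist the world.
function ipInCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $net   = inet_pton($parts[0]);
    $addr  = inet_pton($ip);
    if ($net === false || $addr === false || strlen($net) !== strlen($addr)) {
        return false;                       // invalid, or IPv4 vs IPv6
    }
    $maxBits = strlen($net) * 8;            // 32 or 128
    $bits    = isset($parts[1]) ? (int) $parts[1] : $maxBits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Whole bytes first, then the leading bits of the partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($net, 0, $fullBytes) !== substr($addr, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($net[$fullBytes]) & $mask) === (ord($addr[$fullBytes]) & $mask);
}

function ipInAnyCidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Resolve the client address. CF-Connecting-IP is honoured only when the TCP
// peer (REMOTE_ADDR) is itself a trusted proxy; otherwise the header is
// attacker-controlled and must be ignored.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $hdr    = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if ($hdr !== ''
        && ipInAnyCidr($remote, $trustedProxies)
        && filter_var($hdr, FILTER_VALIDATE_IP) !== false) {
        return $hdr;
    }
    return $remote;
}

// The decision a .htninja would return: 'ALLOW', or null to keep filtering.
function decide(array $server, array $allowList, array $trustedProxies): ?string
{
    return ipInAnyCidr(clientIp($server, $trustedProxies), $allowList) ? 'ALLOW' : null;
}

// --- Constructed sample data (placeholders, not real addresses) -------------
$allowList      = ['203.0.113.0/24', '2001:db8:1::/48'];  // operator's own ranges
$trustedProxies = ['198.51.100.0/24'];                     // stand-in for the CDN's ranges

$samples = [
    ['REMOTE_ADDR' => '203.0.113.7'],                      // direct hit, IPv4
    ['REMOTE_ADDR' => '2001:db8:1:ffff::1'],               // IPv6 hit (ip2long version cannot do this)
    ['REMOTE_ADDR' => '192.0.2.50',
     'HTTP_CF_CONNECTING_IP' => '203.0.113.7'],            // forged header from untrusted peer: ignored
    ['REMOTE_ADDR' => '198.51.100.9',
     'HTTP_CF_CONNECTING_IP' => '203.0.113.7'],            // same header via trusted proxy: honoured
];

foreach ($samples as $srv) {
    $verdict = decide($srv, $allowList, $trustedProxies) ?? 'filter';
    echo str_pad($srv['REMOTE_ADDR'], 22),
         str_pad($srv['HTTP_CF_CONNECTING_IP'] ?? '-', 14), $verdict, PHP_EOL;
}
// Expected order of verdicts: ALLOW, ALLOW, filter, ALLOW.
// Inside a real .htninja the driver loop is replaced by:
//   if (decide($_SERVER, $allowList, $trustedProxies) === 'ALLOW') { return 'ALLOW'; }
```

Because .htninja is evaluated before the firewall's own filters and an 'ALLOW' disables logging for that request (as the template's own comments say), the whitelist is the highest-value target on the host; that is why the proxy check on the forwarded header matters more here than in ordinary application code.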
    Plugin Author nintechnet

    (@nintechnet)

    1. What is special/risky in the event reported by you?
    2. Was any attack blocked?

    It’s just a real-time monitoring process. The file was changed or modified, but that doesn’t necessarily mean that you’ve been hacked or attacked.

    3. Could it be a false report generated as a result of a backup restore process, making the index.php file “new” with a new date?

    Yes.

    4. Should the index.php content be modified?

    No, unless there’s a WordPress update.

    5. Should the index.php file be somehow white-listed?

    Hackers often add malicious code to the index.php, so I don’t recommend whitelisting it.

    6. Should I take any other protection measurements?

    No.

    7. I saw in testing that I can NOT use the trick of:
    if (!defined('ABSPATH')) exit;
    Can it be defined otherwise, to block direct access to this index.php file when the request is not part of a legitimate GET request to the website itself?

    It is always called when accessing the blog (that’s the WordPress rewrite rules in your .htaccess). There’s no need to try to modify it.
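The alert in this thread keys on the file's modification time, which a backup restore, a redeploy or even a chmod/touch also resets, so the question to settle is "did the content change?", not "did the timestamp change?". The script below is an added example (not from the thread, not NinjaFirewall code) of that triage: it compares the flagged index.php byte-for-byte against a known-good copy and, if they differ, lists the lines that were added or removed. For the demo it builds three files in a temp directory from the stock index.php quoted earlier in the thread; in production the reference would come from a pristine WordPress archive of the installed version and the suspect would be the live file.

```php
<?php
// Added example (not from the thread, not NinjaFirewall code): triage a
// "script modified/created less than N hour(s) ago" alert on index.php by
// comparing content, not mtime.

// The stock WordPress index.php as quoted in the thread, used as the reference.
function knownGoodIndexPhp(): string
{
    return <<<'WPINDEX'
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

WPINDEX;
}

// Constructed fixtures: a reference with an old mtime, a "restored" copy
// (identical bytes, fresh mtime, exactly what a backup restore produces) and a
// "tampered" copy with one extra, deliberately inert line appended.
function makeFixtures(string $dir): array
{
    $good  = knownGoodIndexPhp();
    $paths = [
        'reference' => "$dir/index.reference.php",
        'restored'  => "$dir/index.restored.php",
        'tampered'  => "$dir/index.tampered.php",
    ];
    file_put_contents($paths['reference'], $good);
    touch($paths['reference'], time() - 90 * 86400);
    file_put_contents($paths['restored'], $good);
    file_put_contents($paths['tampered'], $good . "// constructed: a line that is not in the reference\n");
    return $paths;
}

// Classify the flagged file against the reference.
//   'unchanged': bytes identical, the alert was caused by the mtime alone
//   'modified' : bytes differ, show what changed and investigate
// The line lists are a set difference, enough to spot injected lines; use
// diff(1) when an exact, ordered patch is needed.
function triage(string $reference, string $suspect): array
{
    $refHash = hash_file('sha256', $reference);
    $susHash = hash_file('sha256', $suspect);
    $result  = [
        'mtime_age_hours' => (time() - filemtime($suspect)) / 3600,
        'sha256'          => $susHash,
        'verdict'         => $refHash === $susHash ? 'unchanged' : 'modified',
        'added_lines'     => [],
        'removed_lines'   => [],
    ];
    if ($result['verdict'] === 'modified') {
        $ref = file($reference, FILE_IGNORE_NEW_LINES);
        $sus = file($suspect, FILE_IGNORE_NEW_LINES);
        $result['added_lines']   = array_values(array_diff($sus, $ref));
        $result['removed_lines'] = array_values(array_diff($ref, $sus));
    }
    return $result;
}

$dir = sys_get_temp_dir() . '/wp-triage-' . getmypid();
mkdir($dir);
$p = makeFixtures($dir);
foreach (['restored', 'tampered'] as $name) {
    $r = triage($p['reference'], $p[$name]);
    printf("%-9s mtime %.1fh ago  %-9s sha256=%s...\n",
        $name, $r['mtime_age_hours'], $r['verdict'], substr($r['sha256'], 0, 16));
    foreach ($r['added_lines'] as $l) {
        echo "   + $l\n";
    }
    foreach ($r['removed_lines'] as $l) {
        echo "   - $l\n";
    }
}
array_map('unlink', $p);
rmdir($dir);
// Expected: "restored" reports unchanged (fresh mtime, same bytes);
// "tampered" reports modified and prints the one added line.
```

For a whole install rather than one file, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums WordPress.org publishes for each core release. A clean index.php only clears that file: the event says nothing about the rest of the tree, the uploads directory or the database, so a hash match ends the triage of this alert, not of the host.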

  • The topic ‘GET /index.php – Access to a script modified/created less than 10 hour(s) ago’ is closed to new replies.