• Resolved scott8035

    (@scott8035)


    Hi. I found traces of three attacks in my wp-content/debug.log file on a development system we have. They are shown below. My concern is: why didn’t the WAF catch these? They were eventually detected by the scanner.

    [22-May-2023 21:51:08 UTC] PHP Warning: file_put_contents(/www/devph_206/public/wp-content/cache/flying-press/www.acornfinance.com//devmode.actionindex-debug=command-expression=(#_memberAccess[“allowStaticMethodAccess”]=true,#foo=new java.lang.Boolean(“false”) ,#context[“xwork.MethodAccessor.denyMethodExecution”]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(‘cat /etc/passwd’).getInputStream())).html): Failed to open stream: File name too long in /www/devph_206/public/wp-content/plugins/flying-press/src/Caching.php on line 106

    [22-May-2023 21:52:58 UTC] PHP Warning: file_put_contents(/www/devph_206/public/wp-content/cache/flying-press/www.acornfinance.com//index.actionindex-cmd=cat /etc/passwd-encoding=UTF-8-method:#_memberAccess=@ognl_OgnlContext@DEFAULT_MEMBER_ACCESS,#res=@org_apache_struts2_ServletActionContext@getResponse(),#res_setCharacterEncoding(#parameters_encoding=Array-ppp= .html): Failed to open stream: No such file or directory in /www/devph_206/public/wp-content/plugins/flying-press/src/Caching.php on line 106

    [22-May-2023 21:53:03 UTC] PHP Warning: file_put_contents(/www/devph_206/public/wp-content/cache/flying-press/www.acornfinance.com//api/pingindex-count=5-host=cat /etc/passwd-port=80-source=1.1.1.1-type=icmp.html): Failed to open stream: No such file or directory in /www/devph_206/public/wp-content/plugins/flying-press/src/Caching.php on line 106


Viewing 4 replies - 1 through 4 (of 4 total)
  • dimal

    (@dimalifragis)

    Those are not attacks. They are warnings from PHP, coming from that plugin (flying-press). And keep in mind that page caching and Wordfence do not play well together.

    Thread Starter scott8035

    (@scott8035)

    @dimalifragis, if you look a little closer you can see the payload that was delivered past Wordfence and into the FlyingPress plugin, namely “cat /etc/passwd”. Also, I’ve had cached sites using Wordfence for years with no issues, so I don’t know where all that’s coming from.

    dimal

    (@dimalifragis)

    @scott8035 I’m not familiar with that caching/optimizing plugin; still, page caching doesn’t work right with Wordfence, especially if page caching is using “mod_rewrite” and not “php”.

    I have checked your posted logs and I don’t believe this is an attack or anything to do with WF.

    • This reply was modified 1 year, 6 months ago by dimal.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @scott8035, thanks for your message.

    We did see a similar case of this recently. We believe your caching plugin is trying to use part of the URL as a filename, but it was an invalid filename based on where the error occurred in Caching.php. It doesn’t point to an external request probing for a vulnerability.

    Many thanks,
    Peter.
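
The filename mechanism described in the reply above, as an added example that is not part of the thread and is not FlyingPress's code: it models a cache layer that builds a file path from the request URL and predicts the two errors seen in the log, next to a hashed key that avoids both. The naive scheme is an assumption inferred from the shape of the logged paths; the function names, the `/cache` root and the `www.example.com` host are hypothetical.

```python
import hashlib
import posixpath
from urllib.parse import urlsplit, unquote

NAME_MAX = 255  # per-component byte limit on common Linux filesystems

def naive_cache_path(cache_root, url):
    """Assumed scheme: URL path + "index" + "-" + query (& -> -) + ".html".
    Returns (file path, directory the cache layer expects to write into)."""
    parts = urlsplit(url)
    name = parts.path + "index"
    expected_dir = posixpath.normpath(
        posixpath.dirname(f"{cache_root}/{parts.netloc}/{name}"))
    if parts.query:
        name += "-" + unquote(parts.query).replace("&", "-")
    return f"{cache_root}/{parts.netloc}/{name}.html", expected_dir

def hashed_cache_path(cache_root, url):
    """Fixed-length, hex-only filename: request data never shapes the path."""
    parts = urlsplit(url)
    key = f"{parts.netloc}\n{parts.path}\n{parts.query}".encode()
    digest = hashlib.sha256(key).hexdigest()
    directory = f"{cache_root}/{digest[:2]}"
    return f"{directory}/{digest}.html", directory

def write_errors(path, expected_dir):
    """Predict the errno a write would hit, without touching the disk."""
    errors = []
    if any(len(c.encode()) > NAME_MAX for c in path.split("/")):
        errors.append("ENAMETOOLONG")  # "File name too long"
    if posixpath.normpath(posixpath.dirname(path)) != expected_dir:
        errors.append("ENOENT")  # a "/" from the query added directories
    return errors

# Constructed requests; the query of the first mirrors the third log entry.
SLASH_URL = ("https://www.example.com/api/ping?count=5&host=cat%20/etc/passwd"
             "&port=80&source=1.1.1.1&type=icmp")
LONG_URL = "https://www.example.com/devmode.action?debug=" + "A" * 300

if __name__ == "__main__":
    for url in (SLASH_URL, LONG_URL):
        print(write_errors(*naive_cache_path("/cache", url)),
              write_errors(*hashed_cache_path("/cache", url)))
```

The `ENOENT` prediction assumes the cache layer creates only the directory for the URL path, so any extra directory introduced by a slash in the query string does not exist at write time.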

  • The topic ‘Attacks not prevented’ is closed to new replies.