• Resolved hiflyman

    (@hiflyman)


    Hi, thank you for your plugin and support; all seems to work well. During lockdown I have seen a spike in a bot, visitor or hacker trying various non-existent pages on my site, and whilst I have blocked various IP addresses via Cloudflare they keep on coming daily. Any recommendations or information to determine if I should be concerned, or does everyone get the same rubbish daily?

    Thanks in advance and a few examples of the type of spike and what NinjaFirewall shows:

    165
    Threats level
    Critical: 9.09%
    High: 54.55%
    Medium: 36.36%

    MEDIUM – 82.165.224.208 GET /wp-admin/admin-ajax.php – Blocked access to admin-ajax.php – [bot detection is enabled]
    HIGH – 34.107.106.217 GET /index.php – WordPress: Blocked access to the WP REST API

    webpage addresses used daily:

    permalink equals /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=15

    permalink equals /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=16

    That search for page extension web page seems to be tried every minute or two:

    [iPhone OS] [Mobile Device] 142.114.69.64
    /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=16 page June 15, 2020 11:42 am
    [iOS dataaccessd 1] [iPhone OS] [Mobile Device] [Unknown] 72.141.114.122

    /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=15 page June 15, 2020 11:39 am

    ip – 2607:fea8:44a0:224b:64b2:9817:8c51:1274
    /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=15 page June 15, 2020 11:32 am

    ip -2607:fea8:44a0:30e7:74c5:a4e:c327:e4e3
    /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=17 page June 15, 2020 11:26

    Top Search Terms
    /Index/\\\\think\\\\app/invokefunction

    Any comments appreciated, thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    does everyone get the same rubbish daily?

    Yes, more or less. If it’s in the firewall log, it means it was blocked and that’s fine. Your log shows only 165 blocked attempts, that’s still a low number.

    Thread Starter hiflyman

    (@hiflyman)

    Unless of course the 1200 page views of this url for example all get through the firewall…

    permalink equals /?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&no_html=true&ai1ec_cat_ids=15

    Not sure what they or the bot would find on a photo orientated site and I don’t have an all in one plugin calendar plugin.

    Very odd but thanks for your feedback so far.

    I wonder what the bots are looking for?

    13/Jun/20 09:03:42 #6248031 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=1]
    13/Jun/20 09:03:46 #5119399 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=2] –
    13/Jun/20 09:03:49 #1787511 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=3] –
    13/Jun/20 09:03:51 #5990904 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=4]
    13/Jun/20 09:03:54 #3066867 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=5] –
    13/Jun/20 09:03:57 #7452523 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=6] –
    13/Jun/20 09:03:59 #5074063 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=7]
    13/Jun/20 09:04:03 #1613789 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=8] –
    13/Jun/20 09:04:25 #8231601 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=9] –
    13/Jun/20 09:04:28 #6426889 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=10]
    13/Jun/20 09:04:31 #4958484 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=11] –
    13/Jun/20 09:04:34 #8050907 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=12] –
    13/Jun/20 09:04:37 #1314234 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=13]
    13/Jun/20 09:04:39 #7649583 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=14] –
    13/Jun/20 09:04:42 #5304945 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=15] –
    13/Jun/20 09:04:49 #1185336 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=16] –
    13/Jun/20 09:04:51 #4386489 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=17] –
    13/Jun/20 09:04:53 #1031345 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=18] –
    13/Jun/20 09:04:56 #7846567 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=19] –
    13/Jun/20 09:04:58 #5839677 HIGH – 132.232.225.43 GET /index.php – User enumeration scan (author archives) – [author=20] –
    13/Jun/20 17:12:09 #6540167 HIGH – 158.69.158.101 GET /index.php – User enumeration scan (author archives) – [author=1] –
    13/Jun/20 17:12:10 #2124946 HIGH – 158.69.158.101 GET /index.php – User enumeration scan (author archives) – [author=2] –

    Plugin Author nintechnet

    (@nintechnet)

    Consider blocking the request. I think Cloudflare can let you block the URI/query string or a part of it. You could block for instance action=export_events. It’s not unusual to see a bot attempting to attack a non-existent plugin or application. A few weeks ago we caught a large brute-force attack targeting Joomla on our website. But we don’t have Joomla installed.

    The “User enumeration scan” is used by hackers to retrieve all usernames registered on the blog in order to run brute-force attacks.
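A triage sketch for the "User enumeration scan" entries discussed above, added here as an example (it is not code from the thread or from NinjaFirewall). It assumes the log line layout quoted in the posts, uses constructed sample lines with documentation-range IPs, and reports which sources walked consecutive author IDs; entries in this log were already blocked by the firewall.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout quoted in the thread
# (documentation-range IPs, not the addresses from the posts).
SAMPLE_LOG = """\
13/Jun/20 09:03:42 #6248031 HIGH – 203.0.113.7 GET /index.php – User enumeration scan (author archives) – [author=1]
13/Jun/20 09:03:46 #5119399 HIGH – 203.0.113.7 GET /index.php – User enumeration scan (author archives) – [author=2] –
13/Jun/20 09:03:49 #1787511 HIGH – 203.0.113.7 GET /index.php – User enumeration scan (author archives) – [author=3] –
13/Jun/20 17:12:09 #6540167 HIGH – 198.51.100.9 GET /index.php – User enumeration scan (author archives) – [author=1] –
13/Jun/20 18:00:01 #1000001 MEDIUM – 198.51.100.9 GET /wp-admin/admin-ajax.php – Blocked access to admin-ajax.php – [bot detection is enabled]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2}) #(?P<id>\d+) "
    r"(?P<level>CRITICAL|HIGH|MEDIUM) [–-] (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) [–-] (?P<rule>.*?) [–-] \[(?P<detail>[^\]]*)\]"
)

def parse_log(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def enumeration_sweeps(events, min_run=3):
    """Map source IP -> sorted author IDs probed, keeping only IPs that
    requested at least `min_run` consecutive IDs (a username harvest pattern)."""
    probed = defaultdict(set)
    for e in events:
        m = re.fullmatch(r"author=(\d+)", e["detail"])
        if m and "User enumeration" in e["rule"]:
            probed[e["ip"]].add(int(m.group(1)))
    sweeps = {}
    for ip, ids in probed.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            sweeps[ip] = ordered
    return sweeps

if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    print(enumeration_sweeps(events))
```
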

    Thread Starter hiflyman

    (@hiflyman)

    Interesting. I’ll give it a go and thanks again for your help, appreciated.

    that was very appreciated thing.

    • This reply was modified 4 years, 3 months ago by jhhyy6.
  • The topic ‘Attack or just fishing’ is closed to new replies.