• Resolved JP

    (@jpress)


    Hello,

    A few days ago, we discovered a minor compromise on one of our websites (at least, we think it was minor). We were already using AIOWPS, but increased our security measures after cleaning out the hack. However, I just took a backup of our DB, opened it, and noticed that the first approx. 1500 lines all looked like the following (xxxxxx substituted for our custom DB prefix):

    INSERT INTO wp_xxxxxx_aiowps_events VALUES('1489', '404', '', '0', '2015-10-15 08:23:08', '100.43.90.13', '', '/tobizuev/gmbar-ngenntot.html', '');

    Most of the lines are a bit more “vulgar” in place of where it refers to the “/tobizuev/gmbar-ngenntot.html” file, but they all seem to indicate paths with .html files and they all come from the same IPs (about 10 different IPs in total). I went ahead and blacklisted the IP addresses, but am uncertain if these “events” are showing up in the DB due to a change I made the other day in the AIOWPS settings, or if this is a more serious issue that needs to be addressed (possibly by restoring a backup of our DB from an earlier date).

    Could you tell me if this is something that we should be concerned about?

    Thank you,
    JP

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, it does look a bit suspicious. What you can do is create a database backup of one of your other websites. Then check the database to see if there are similar entries.

    If you don’t find any similar entries, I suggest that you completely delete the plugin and reinstall it again.

    Thread Starter JP

    (@jpress)

    Thank you for the response,

    I checked it against another DB, and the other one didn’t have any similar entries. So I took your advice and deleted the plugin. However, I’m not certain whether I’m going to re-install it, especially since I don’t really know where those entries came from.

    What is the purpose of that “aiowps_events” table? Do you think the plugin itself got hacked somehow?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    No, I don’t think the plugin got hacked. The hackers got in from somewhere else. Did you check the server log files? Did you by any chance enable File Change Detection?

    Thread Starter JP

    (@jpress)

    I unfortunately don’t have access to the log files. This is a GoDaddy Managed WordPress site and the only real option they’re suggesting is that I restore the site from an older backup.

    I actually did have File Change Detection enabled, but unfortunately I had the interval set to 4 weeks, so I don’t think it helps in this case.

    After I deleted AIOWPS earlier, I also deleted the related DB tables. However, when I re-installed it (just now), it somehow remembered all my settings (and asked if I wanted to re-input my original info/settings into my .htaccess file as well). Do you have any idea how that is possible? Ideally, it would be nice to know that the new installation of the plugin was completely “fresh”, so to speak.

    Appreciating your help,
    JP

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, follow these instructions.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi jpress,
    those entries you are seeing in the events table are simply 404 (page not found) events being captured by the AIOWPS plugin. They are not suspicious in the sense that they are being inserted by this plugin. The reason these items are being recorded in the database is because you have most probably enabled the “Enable IP Lockout For 404 Events” feature.
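    For anyone triaging the same table, here is an added example (not code from the AIOWPS plugin or from anyone in this thread) that parses dump rows of the shape quoted in the first post, keeps the 404 events, and flags IPs that generated a burst of them, so you can tell a handful of stray links from an automated scan before deciding what to block. The column order, the threshold and the 5-minute window are assumptions for illustration, and all rows after the first are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the aiowps_events dump quoted above
# (ids, timestamps and paths are made up; only the first row mirrors the post).
SAMPLE_DUMP = """
INSERT INTO wp_xxxxxx_aiowps_events VALUES('1489', '404', '', '0', '2015-10-15 08:23:08', '100.43.90.13', '', '/tobizuev/gmbar-ngenntot.html', '');
INSERT INTO wp_xxxxxx_aiowps_events VALUES('1490', '404', '', '0', '2015-10-15 08:23:09', '100.43.90.13', '', '/tobizuev/other-page.html', '');
INSERT INTO wp_xxxxxx_aiowps_events VALUES('1491', '404', '', '0', '2015-10-15 08:23:11', '100.43.90.13', '', '/old/missing.html', '');
INSERT INTO wp_xxxxxx_aiowps_events VALUES('1492', '404', '', '0', '2015-10-15 09:00:00', '198.51.100.7', '', '/contact.html', '');
INSERT INTO wp_xxxxxx_aiowps_events VALUES('1493', '404', '', '0', '2015-10-15 08:30:00', '100.43.90.13', '', '/late.html', '');
"""

ROW_RE = re.compile(r"aiowps_events VALUES\((.*)\);\s*$")
FIELD_RE = re.compile(r"'([^']*)'")  # single-quoted SQL literals (no escaped quotes handled)

def parse_events(dump):
    """Parse INSERT rows into (timestamp, ip, path) tuples, keeping only 404 events.
    Assumed column order, read off the row quoted in the thread:
    id, event_type, username, user_id, event_date, ip, (unused), url, (unused)."""
    events = []
    for line in dump.strip().splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        f = FIELD_RE.findall(m.group(1))
        if len(f) < 8 or f[1] != "404":
            continue
        events.append((datetime.strptime(f[4], "%Y-%m-%d %H:%M:%S"), f[5], f[7]))
    return events

def noisy_ips(events, max_404s=2, window=timedelta(minutes=5)):
    """Flag IPs that logged more than max_404s 404s inside any sliding window.
    Returns {ip: (time the threshold was crossed, sorted distinct paths requested)}."""
    by_ip = defaultdict(list)
    for ts, ip, path in events:
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_404s:
                flagged[ip] = (ts, sorted({p for _, p in hits}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (when, paths) in noisy_ips(parse_events(SAMPLE_DUMP)).items():
        print(f"{ip}: {len(paths)} distinct missing paths, threshold crossed at {when}")
```

    Run it against a real dump by reading the file into `parse_events`; IPs that appear only once or twice over hours are usually stale links, while one IP cycling through many non-existent .html paths within minutes is the pattern worth blocking and cross-checking with the host.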

    Thread Starter JP

    (@jpress)

    Ah yes, that makes sense. I did indeed enable that feature.

    Thank you!
