    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    We do not have any plan to include such a feature in the WP Edition, but writing a small PHP script to do it should be easy.
    The log has 12 fields enclosed by square brackets and space-separated:

    [epoch time] [processing time] [host name] [#incident number] [Rule number] [level/info*] [IPv4/IPv6] [HTTP ret. code] [Request method] [script name] [Description] [blocked request]

    *level/info:
    [1] = medium severity
    [2] = high severity
    [3] = critical severity
    [4] = error
    [5] = upload
    [6] = info
    [7] = debugging mode ON.

    Thread Starter Howard Harkness

    (@chltx)

    Actually, I was able to do most of what I wanted by downloading all of the php files, and processing them in a bash script. That was slightly complicated by the fact that NFW uses the same file names on each site, but I was able to get around that, too.

    However, I ran into a really puzzling thing when I examined the logs — there were dozens of attacks (of severities 1-3) in all of the scripts from all of my sites FROM MY OWN IP ADDRESS!!!

    O. M. G.

    Is this a new thing? Are the scriptkiddies now able to spoof arbitrary IP addresses without even using a proxy? Or is there a proxy that can do that for them? Or is this evidence of something even worse?

    I’m not understanding how this is possible. Please enlighten me if possible.

    Plugin Author nintechnet

    (@nintechnet)

    You would need to paste here some of those log lines so that I can check them.

    Thread Starter Howard Harkness

    (@chltx)

    The log file is too big to cut and paste here. I ran a script to excerpt just the severity [1-3] attacks coming from my own IP address (presumably spoofed). I sanitized the excerpt to remove my site name and IP address. This is from just one of my sites. I have seen similar attacks on all of them.

    Is this sufficient? If not, I can email you a complete logfile.

    ./SubDirBB/firewall_2015-09.php:[1442691706] [0.00034] [<MY WP SITE>] [#6537287] [0] [3] [<MY IP ADDR>] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
    ./SubDirBB/firewall_2015-09.php:[1442695459] [0.00036] [<MY WP SITE>] [#3246905] [0] [3] [<MY IP ADDR>] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
    ./SubDirBB/firewall_2015-09.php:[1443140739] [0.00033] [<MY WP SITE>] [#2410739] [0] [3] [<MY IP ADDR>] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
    ./SubDirBB/firewall_2015-09.php:[1443280651] [0.00033] [<MY WP SITE>] [#4487426] [0] [3] [<MY IP ADDR>] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
    ./SubDirBB/firewall_2015-09.php:[1443363104] [0.00032] [<MY WP SITE>] [#2865134] [0] [3] [<MY IP ADDR>] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
    ./SubDirBB/firewall_2015-10.php:[1443663493] [0.0003] [<MY WP SITE>] [#3407022] [0] [3] [<MY IP ADDR>] [401] [POST] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
    ./SubDirBB/firewall_2015-10.php:[1443663796] [0.17417] [<MY WP SITE>] [#3487408] [0] [2] [<MY IP ADDR>] [403] [GET] [/wp-includes/js/tinymce/wp-tinymce.php] [Forbidden direct access to PHP script] [/wp-includes/js/tinymce/wp-tinymce.php]
    ./SubDirBB/firewall_2015-10.php:[1443663796] [0.00194] [<MY WP SITE>] [#5299576] [0] [2] [<MY IP ADDR>] [403] [GET] [/wp-includes/js/tinymce/wp-tinymce.php] [Forbidden direct access to PHP script] [/wp-includes/js/tinymce/wp-tinymce.php]
    ./SubDirBB/firewall_2015-10.php:[1444002569] [0.68417] [<MY WP SITE>] [#5342692] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [follow-846171_640.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002580] [0.00202] [<MY WP SITE>] [#6030739] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [follow-846171_640.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002587] [0.00198] [<MY WP SITE>] [#2866876] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [follow-846171_640.png, 43,540 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002629] [0.00195] [<MY WP SITE>] [#4387677] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [follow-846171_640.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002699] [0.00192] [<MY WP SITE>] [#4237533] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [follow-846171_640.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002729] [0.00191] [<MY WP SITE>] [#7302174] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [Follow.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002767] [0.00197] [<MY WP SITE>] [#5486425] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [Follow.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002803] [0.00296] [<MY WP SITE>] [#4979701] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [Follow.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002930] [0.00187] [<MY WP SITE>] [#1874878] [0] [3] [<MY IP ADDR>] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [Follow.jpg, 13,714 bytes]
    ./SubDirBB/firewall_2015-10.php:[1444002938] [0.00036] [<MY WP SITE>] [#5335372] [0] [3] [<MY IP ADDR>] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]

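    A worked example, added here and not code from this thread or from NinjaFirewall itself: a Python parser for the 12-field, bracket-delimited log format nintechnet lists in the first reply, plus the severity-band and per-IP filtering Howard describes in the post above. The site name, the IP addresses (203.0.113.5 and 198.51.100.7 are documentation ranges) and the last two records are constructed placeholders; the other sample records follow the lines above with the site name and IP substituted. The grep-style `path:` prefix is tolerated because that is how the excerpt above was produced.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# level/info codes for field 6, as listed by the plugin author in this thread
LEVEL_NAMES: Dict[int, str] = {
    1: "medium severity", 2: "high severity", 3: "critical severity",
    4: "error", 5: "upload", 6: "info", 7: "debugging mode ON",
}

# One "[...]" group per field. The last two fields may contain spaces and
# commas but, in this format, no closing bracket, so this simple match works.
FIELD_RE = re.compile(r"\[([^\]]*)\]")
NUM_FIELDS = 12

# Constructed sample log: host/IPs are placeholders, records 5-6 and the
# trailing line are invented to exercise the filters and the error path.
SAMPLE_LOG = """\
./SubDirBB/firewall_2015-09.php:[1442691706] [0.00034] [example.com] [#6537287] [0] [3] [203.0.113.5] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
[1442695459] [0.00036] [example.com] [#3246905] [0] [3] [203.0.113.5] [401] [GET] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for 10mn]
[1443663796] [0.17417] [example.com] [#3487408] [0] [2] [203.0.113.5] [403] [GET] [/wp-includes/js/tinymce/wp-tinymce.php] [Forbidden direct access to PHP script] [/wp-includes/js/tinymce/wp-tinymce.php]
[1444002569] [0.68417] [example.com] [#5342692] [0] [3] [203.0.113.5] [403] [POST] [/wp-admin/async-upload.php] [Blocked file upload attempt] [follow-846171_640.jpg, 13,714 bytes]
[1444002600] [0.00050] [example.com] [#1000001] [0] [6] [198.51.100.7] [200] [GET] [/index.php] [Constructed info record] [-]
[1444002700] [0.00040] [example.com] [#1000002] [0] [1] [198.51.100.7] [403] [POST] [/xmlrpc.php] [Constructed medium-severity record] [-]
this line is not a record and must be skipped
"""


@dataclass
class Entry:
    epoch: int
    proc_time: float
    host: str
    incident: int
    rule: str
    level: int
    ip: str
    http_code: int
    method: str
    script: str
    description: str
    blocked: str

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES.get(self.level, "unknown (%d)" % self.level)

    @property
    def when(self) -> str:
        # field 1 is Unix epoch seconds; render it as UTC for humans
        ts = datetime.fromtimestamp(self.epoch, tz=timezone.utc)
        return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one record; return None for anything that is not a 12-field line."""
    start = line.find("[")          # skip a "path:" prefix from grep -r, if any
    if start < 0:
        return None
    fields = FIELD_RE.findall(line[start:])
    if len(fields) != NUM_FIELDS:   # wrong field count: not a record, or a corrupted one
        return None
    try:
        return Entry(
            epoch=int(fields[0]), proc_time=float(fields[1]), host=fields[2],
            incident=int(fields[3].lstrip("#")), rule=fields[4], level=int(fields[5]),
            ip=fields[6], http_code=int(fields[7]), method=fields[8],
            script=fields[9], description=fields[10], blocked=fields[11],
        )
    except ValueError:              # numeric field that does not parse
        return None


def parse_log(text: str) -> List[Entry]:
    """Parse every record in a log (or in concatenated grep output), skipping junk lines."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def filter_entries(entries: List[Entry], ip: Optional[str] = None,
                   min_level: int = 1, max_level: int = 3) -> List[Entry]:
    """Keep records whose level is within [min_level, max_level], optionally from one IP.
    The default band 1..3 is the severity range; 4..7 are error/upload/info/debug."""
    return [e for e in entries
            if min_level <= e.level <= max_level and (ip is None or e.ip == ip)]


def summarize(entries: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Count records per (IP, description): the quickest way to see what one address tripped."""
    return dict(Counter((e.ip, e.description) for e in entries))


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    mine = filter_entries(records, ip="203.0.113.5")
    for e in mine:
        print(e.when, e.level_name, e.method, e.script, "->", e.description)
    for (ip, desc), n in sorted(summarize(mine).items()):
        print("%3d %s %s" % (n, ip, desc))
```

    Pointing `parse_log` at the real firewall files and calling `summarize` on the per-IP subset gives the same view the excerpt above shows by hand: a handful of distinct descriptions, each explained by an action the account holder took while logged in, rather than anything that needs IP spoofing.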
    Plugin Author nintechnet

    (@nintechnet)

    It is your IP. IPs cannot be spoofed when a connection needs to be established.

    You were blocked when trying to upload files: were you logged in as an admin or user (publisher, editor…)?

    This line is odd:

    [403] [GET] [/wp-includes/js/tinymce/wp-tinymce.php] [Forbidden direct access to PHP script] [/wp-includes/js/tinymce/wp-tinymce.php]

    You should never be blocked when accessing ‘/wp-tinymce.php’ even if you aren’t the admin. Can you go to “Firewall Policies”, scroll down to the bottom of the page and click “Save Firewall Policies”? That may fix a configuration issue.

    Thread Starter Howard Harkness

    (@chltx)

    Well, that’s interesting…

    I may have triggered the file upload block when I was testing some settings while logged in as a contributor. I dimly recall my guest authors having problems with image uploads, which I managed to fix.

    As for the tinymce problem, I also dimly recall having some problems with that, but only while logged in as a contributor.

    So, I’m guessing this is a false alarm. I will be monitoring the logs a bit more closely in the future.

  • The topic ‘Download logs?’ is closed to new replies.