Huge escalation in blocked threats – why?

  • Resolved oxonbees

    (@oxonbees)


    4 years, 1 month ago

    I’ve been using Ninja Firewall WP edition to protect the website of the Oxfordshire Beekeepers Association for some 18 months.

    Ninja firewall daily report normally shows it has blocked around 25 attacks of which the majority are ‘medium’ with one or two Critical and High ‘blocks’.

    On 6 Jan it blocked Critical: 2 High: 8 Medium: 11

    on 7th Jan this jumped to Critical: 4 High: 819 Medium: 23

    and the High figure has varied between 650 and 1300 every day since.

    I’m not convinced that the website of the Oxfordshire Beekeepers Association has become of that interest to would-be hackers so I’m wondering if these high numbers of blocked attacks are an artefact of a configuration issue?

    Thanks
    Gary Thomas
    Webmaster OBKA

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Can you go to the “Logs” page, copy and paste here some of those log lines so that I can see what they are?
    Maybe it’s a bot or a scrapper/scanner.

    Thread Starter oxonbees

    (@oxonbees)

    Hello,

    Went to log in to get the logs and got a screen that said in effect can’t login as wp-login.php script is under a heavy brute force attack’ (which I presume is a message from Ninja Firewall?). Perhaps that does answer the question someone is hammering the website trying to get in?

    Logs below:

    DATE INCIDENT LEVEL RULE IP REQUEST
    18/Jan/21 17:14:22 #7480258 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_7bf96cb6ecc88f0f048e49d882f86ed8.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_7bf96cb6ecc88f0f048e49d882f86ed8.php] – obka.org.uk
    18/Jan/21 17:14:22 #2523505 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_ad81e5ac3af09705100d6eb2aca46cd8.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_ad81e5ac3af09705100d6eb2aca46cd8.php] – obka.org.uk
    18/Jan/21 17:14:23 #3139990 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_cabf33db444541a84cfb31ca3a3b81b0.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_cabf33db444541a84cfb31ca3a3b81b0.php] – obka.org.uk
    18/Jan/21 17:14:23 #3850244 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_e8724f28e1a904a1f508db7bef3842e4.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_e8724f28e1a904a1f508db7bef3842e4.php] – obka.org.uk
    18/Jan/21 17:14:23 #4132339 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_5a6999a011c22bbc138e38fcd3fc67ec.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_5a6999a011c22bbc138e38fcd3fc67ec.php] – obka.org.uk
    18/Jan/21 17:14:46 #5921339 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_95a3971667742843ad9d6b1d188db602.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_95a3971667742843ad9d6b1d188db602.php] – obka.org.uk
    18/Jan/21 17:14:46 #5415696 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_806d43d6490c9f1bcca7ddbca0b74515.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_806d43d6490c9f1bcca7ddbca0b74515.php] – obka.org.uk
    18/Jan/21 17:14:46 #7139720 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_7bf96cb6ecc88f0f048e49d882f86ed8.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_7bf96cb6ecc88f0f048e49d882f86ed8.php] – obka.org.uk
    18/Jan/21 17:14:46 #4732422 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_cee4b9c27729851c088c85bd60be800e.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_cee4b9c27729851c088c85bd60be800e.php] – obka.org.uk
    18/Jan/21 17:14:46 #1736566 HIGH – 86.182.46.204 GET /wp-content/cache/autoptimize/autoptimize_single_cabf33db444541a84cfb31ca3a3b81b0.php – Forbidden direct access to PHP script – [/wp-content/cache/autoptimize/autoptimize_single_cabf33db444541a84cfb31ca3a3b81b0.php] – obka.org.uk

    Plugin Author nintechnet

    (@nintechnet)

    It looks like you have enabled a policy to block direct access to PHP script in a /cache/ folder, but you’re using the “autoptimize” plugin and that policy should not be enabled.
    Go to “Firewall Policies > Basic Policies > Block direct access to any PHP file located in one of these directories” and disable the last one (*/cache/*), then scroll down to the bottom of the page and click “Save firewall policies”.
    Wait an hour or so and check the firewall log again to make sure those requests are not block any longer.

    Thread Starter oxonbees

    (@oxonbees)

    Thank-you.

    Spot on, disabled the */cache/* option as you described and the alerts have all stopped.

    To summarise as I understand it, I’d enable a cache via Autoptimize and then told Ninja Firewall to regard anything accessing the cache as a hacking attempt. Doh!

    Thanks again.

    Thread Starter oxonbees

    (@oxonbees)

    And satisfactorily resolved!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Huge escalation in blocked threats – why?’ is closed to new replies.