• Resolved awakegal

    (@awakegal)


    This showed up in my log tonight:
    24/Feb/16 17:59:31 #3855502 critical – 192.185.4.18 POST /index.php – BASE64-encoded injection – [POST:z0 = ZXZhbCgiZWNobygxMjM0NTQzMjArMSk7ZXhpdCgpOyIp]

    and this is from Wordfence:
    File appears to be malicious: wp-content/nfwlog/firewall_2016-02.php
    Filename: wp-content/nfwlog/firewall_2016-02.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 1 hour 6 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “ZXZhbC”.

    I am hoping that NF blocked the injection and WF is flagging the log because it contains the name “ZXZhbC”.

    Is this true?

    Thanks!

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    That’s right.
    NinjaFirewall blocked that hacking attempt (“ZXZhbCgiZWNobygxMjM0NTQzMjArMSk7ZXhpdCgpOyIp” is the base64-encoded string for eval("echo(123454320+1);exit();")) and it wrote the incident to its log.
    The log contains samples of each blocked threat, so I don’t recommend scanning it.
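
The false positive described in this reply, as an added example that is not part of the original thread or either plugin's code: it decodes the sample stored in the log line and shows that the scanner signature “ZXZhbC” is only the base64 form of "eval", found nowhere but inside that logged sample. The bracket layout `[SOURCE:param = value]` and all function names are assumptions made for this illustration.

```python
import base64
import re
import string

# Log line and scanner signature copied from the thread; the bracket layout
# "[SOURCE:param = value]" is an assumption inferred from this one line.
LOG_LINE = ("24/Feb/16 17:59:31 #3855502 critical – 192.185.4.18 POST /index.php "
            "– BASE64-encoded injection – "
            "[POST:z0 = ZXZhbCgiZWNobygxMjM0NTQzMjArMSk7ZXhpdCgpOyIp]")
SIGNATURE = "ZXZhbC"
SAMPLE_RE = re.compile(r"\[(\w+):(\w+) = ([A-Za-z0-9+/]+={0,2})\]")
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def logged_sample(line):
    """Return (source, param, encoded, decoded) for the sample in a log line, or None."""
    m = SAMPLE_RE.search(line)
    if m is None:
        return None
    source, param, encoded = m.groups()
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        decoded = None
    return source, param, encoded, decoded


def signature_plaintext(sig):
    """Plaintext bytes fully determined by a base64 fragment (leftover bits dropped)."""
    bits = "".join(format(B64.index(c), "06b") for c in sig)
    whole = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8)).decode("ascii")


def hit_only_in_sample(line, sig=SIGNATURE):
    """True when the signature occurs in the line solely inside the logged sample value."""
    sample = logged_sample(line)
    if sample is None or sig not in sample[2]:
        return False
    return sig not in line.replace(sample[2], "")


if __name__ == "__main__":
    print(logged_sample(LOG_LINE))         # what the firewall recorded, decoded
    print(signature_plaintext(SIGNATURE))  # what the scanner signature stands for
    print(hit_only_in_sample(LOG_LINE))    # match is confined to the logged sample
```

The log text is inert data here: the code only decodes it and never evaluates the result.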

    Thread Starter awakegal

    (@awakegal)

    Thank you!

  • The topic ‘Injection Blocked?’ is closed to new replies.