• Resolved Fiona

    (@thoughtsalongtheendlesstrail)


    Hi There,

    The firewall log shows a suspicious file (wp-xml.php) uploaded from a Russian IP Address. It doesn’t show where the file was uploaded to, and I cannot find the file using FTP on my server.

    Does this mean that Ninja Firewall blocked the upload? Or the file has been uploaded and I have to find it?

    Here are the details from the log:

    LEVEL RULE IP REQUEST
    upload – 78.85.71.23 POST /index.php – Uploading file – [wp-xml.php, 23,312 bytes]

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    What that means is that NinjaFirewall did not prevent PHP from forwarding the file to your index.php script because you allow uploads. However, that does not mean that your script processed it!
    That can be very confusing and you would need to read the following discussion (especially my second message where I explained how PHP handled uploads): Understanding the file uploads rule.

    You can use the “File Check” menu to check if there were any changes done to your file system and, if you haven’t done so yet, enable “File Guard” which is a very powerful and useful option in this kind of situation.

    That just looks like a bot probing WP vulnerabilities.

    Thread Starter Fiona

    (@thoughtsalongtheendlesstrail)

    Hi Nintechnet,

    Thanks for your fast response. I read the thread previously – which was very detailed – but unfortunately, it doesn’t quite help me. I’m not able to use File Check because I have not created any snapshots.

    The log details I posted above (re wp-xml.php), happened a few days ago. A week earlier, there were two other file uploads:

    upload – 78.85.166.43 POST /wp-admin/admin-post.php – Uploading file – [Debug.zip, 24,758 bytes]

    upload – 78.85.166.43 POST /index.php – Uploading file – [scripts.zip, 24,750 bytes]

    How can I disable file uploads? The thread mentions that uploads can be disabled for everyone except administrators but I’m unable to find this setting.

    I scanned my website using sucuri and isithacked and they seem to suggest my site is fine.

    Is there anything else you can advise? I can block the IP Address, but I’m concerned about the uploads.

    Fiona

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    You can disable uploads from “NinjaFirewall > Firewall Policies > File Uploads”. The admin will still be able to upload any file.

    I think they are just checking for potential vulnerabilities, we can see that quite often in our own server logs too.

    Thread Starter Fiona

    (@thoughtsalongtheendlesstrail)

    Cheers, I’ve disabled file upload.

    Thank you for looking into this.

    Fiona

  • The topic ‘Log shows suspicious file uploaded’ is closed to new replies.
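
One way to check whether any of the logged uploads actually landed on disk when no File Check snapshot exists. This is an added example, not part of the thread and not NinjaFirewall code: it parses the upload entries as they were pasted above and walks a site directory for files matching a logged name or exact byte size. The function names and the assumed column layout of the log line are illustrative.

```python
import os
import re

# Upload entries exactly as pasted in the thread above.
SAMPLE_LOG = """
upload – 78.85.71.23 POST /index.php – Uploading file – [wp-xml.php, 23,312 bytes]
upload – 78.85.166.43 POST /wp-admin/admin-post.php – Uploading file – [Debug.zip, 24,758 bytes]
upload – 78.85.166.43 POST /index.php – Uploading file – [scripts.zip, 24,750 bytes]
"""

# Assumed layout: level, rule, IP, method, path, then "[name, size bytes]".
UPLOAD_RE = re.compile(
    r"upload\s+\S+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)"
    r"\s+\S+\s+Uploading file\s+\S+\s+\[(?P<name>[^,\]]+),\s*(?P<size>[\d,]+) bytes\]"
)

def parse_uploads(log_text):
    """Return one dict per upload entry: ip, method, path, name, size (int)."""
    entries = []
    for m in UPLOAD_RE.finditer(log_text):
        entry = m.groupdict()
        entry["size"] = int(entry["size"].replace(",", ""))
        entries.append(entry)
    return entries

def find_candidates(root, entries):
    """Walk root; report files whose name or exact size matches a logged upload."""
    names = {e["name"].lower() for e in entries}
    sizes = {e["size"] for e in entries}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable or vanished file: skip it
            reasons = [label for label, ok in
                       (("name", fn.lower() in names), ("size", size in sizes)) if ok]
            if reasons:
                hits.append((os.path.relpath(full, root), size, "+".join(reasons)))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # path to the WordPress root
    for rel, size, why in find_candidates(root, parse_uploads(SAMPLE_LOG)):
        print(f"{rel}\t{size} bytes\tmatched on {why}")
```

A match on size alone is only a lead to inspect, since an unrelated file can share a byte count. No match is consistent with PHP having discarded the temporary upload at the end of the request because no script moved it.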