• Resolved DKQ

    (@deepakkumarq)


    I may be wrong but it looks like an attacker is trying to play with w3-total-cache files by making a post request and also attacking other cache files.

    Snapshot of some of the requests that I found in the logs:

    POST /wp-content/plugins/w3-total-cache/vendor/aws/aws-sdk-php/src/Arn/Exception/sqlupdate.php HTTP/1.1 200 31

    POST /wp-content/plugins/w3-total-cache/vendor/aws/aws-sdk-php/src/data/appstream/2016-12-01/smoke.json.php HTTP/1.1 405

    GET /wp-content/cache/db/singletables/f28/346/phd_buttonsEN.php HTTP/1.1" 200

    One of the scans found a coinminer in the cache on this path:
    wp-content/cache/db/singletables

    Any particulars or details on how to manage/prevent this will be helpful.

    • This topic was modified 2 years, 2 months ago by DKQ.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @deepakkumarq

    Thank you for reaching out and I am happy to assist you with this.
    Can you please share which log you are referring to, and what you are using to scan the files?
    Also please share where do you see:
    POST /wp-content/plugins/w3-total-cache/vendor/aws/aws-sdk-php/src/Arn/Exception/sqlupdate.php HTTP/1.1 200 31

    Thanks!

    Thread Starter DKQ

    (@deepakkumarq)

    Hi @vmarko

    These are the server logs. We are using an endpoint security software (can’t disclose the name) which monitors our server for any malicious file and it found a coinminer in this path:

    wp-content/cache/db/singletables

    The request that you see was found in my server logs.

    Thanks

    • This reply was modified 2 years, 2 months ago by DKQ.
    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @deepakkumarq

    Thank you for your feedback.
    W3 Total Cache caches the files, it does not cache POST requests.
    Can you please try to delete the /singletables manually and let me know when re-generated if the problem still occurs?
    This also may be unrelated, however, I would advise not to use Disk: for Database Caching and use Redis or Memcached instead. It’s recommended to use memory-based caching for DB and object Caching.

    Thanks!

    Thread Starter DKQ

    (@deepakkumarq)

    Thanks, @vmarko. The last thing I wanted to know is whether these cache files can be targeted/exploited in any way by an attacker, because I see multiple POST requests to these files and a few of them returned HTTP 200 on my server. And this is the same time my website starts showing an error, and in my server logs I can see this kind of error:

    <trimmed> FastCGI sent in stderr "PHP message: PHP Fatal error: Uncaught Error: Function name must be a string <trimmed>

    My website goes offline until I restart my PHP fpm service and every request to my website generates the above error.

    And, I will work on your feedback on using memory-based caching.

    Thanks!

    • This reply was modified 2 years, 2 months ago by DKQ.
    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @deepakkumarq

    Thank you for your feedback.

    You can use .htaccess for Apache or another config file for other web servers to deny requests for the wp-content/cache directory.

    <Location /wp-content/cache>
        # mod_access_compat syntax (the directive is "Deny from all", not "Deny All");
        # on Apache 2.4 the native equivalent is "Require all denied"
        Deny from all
    </Location>

    The Location and Directory directives are not allowed in .htaccess. This goes in the main config file or the virtual host configs.
    https://httpd.apache.org/docs/2.4/mod/core.html#location
    In Nginx:

    location /wp-content/cache {
       # "return" is evaluated before "deny" in nginx, so the 406 is what
       # clients actually receive; either directive alone blocks the request
       deny all;
       return 406;
    }

    For Apache, you can create wp-content/cache/.htaccess with the contents Deny from all
    https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#deny

    I hope this helps!

    Thanks!
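The thread leaves two practical questions open: how to spot the requests DKQ describes in an access log, and how to tell which of them the server actually served (HTTP 2xx) versus rejected. The following script is an added example and not code from the thread or from the W3 Total Cache project. It parses request lines in both the abbreviated form quoted above and the standard combined log format, flags PHP files requested under wp-content/cache and POSTs aimed at a plugin's bundled vendor directory, and separates served hits from blocked ones. The first three sample lines are the ones quoted in the thread; the remaining lines, IPs and file names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Matches the request/status part of both the abbreviated lines quoted in
# the thread ("POST /path HTTP/1.1 200 31") and a combined-format access
# log line ('... "POST /path HTTP/1.1" 200 31 ...').
REQUEST_RE = re.compile(
    r'(?P<method>[A-Z]+) (?P<path>/\S*) HTTP/[\d.]+"? (?P<status>\d{3})'
)

CACHE_PREFIX = "/wp-content/cache/"     # W3TC disk cache location on the page
PLUGIN_PREFIX = "/wp-content/plugins/"
VENDOR_SEGMENT = "/vendor/"             # bundled third-party libraries


class Finding(NamedTuple):
    method: str
    path: str
    status: int
    reason: str


def classify(method: str, path: str) -> Optional[str]:
    """Return why a request is suspicious, or None if it matches no rule."""
    lower = path.split("?", 1)[0].lower()
    if lower.startswith(CACHE_PREFIX) and lower.endswith(".php"):
        # A cache directory holds generated data, never scripts to execute.
        return "PHP file requested under wp-content/cache"
    if method == "POST" and lower.startswith(PLUGIN_PREFIX) and VENDOR_SEGMENT in lower:
        # Library files are not POST endpoints for a normal WordPress site.
        return "POST to a bundled vendor library file"
    if method == "POST" and lower.startswith(CACHE_PREFIX):
        return "POST to cache directory"
    return None


def flag_requests(lines: List[str]) -> List[Finding]:
    """Run every log line through the rules; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify(m["method"], m["path"])
        if reason:
            findings.append(Finding(m["method"], m["path"], int(m["status"]), reason))
    return findings


def served_findings(findings: List[Finding]) -> List[Finding]:
    """Only the hits the server answered with 2xx, which deserve a file check."""
    return [f for f in findings if 200 <= f.status < 300]


# Constructed sample: lines 1-3 are quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    'POST /wp-content/plugins/w3-total-cache/vendor/aws/aws-sdk-php/src/Arn/Exception/sqlupdate.php HTTP/1.1 200 31',
    'POST /wp-content/plugins/w3-total-cache/vendor/aws/aws-sdk-php/src/data/appstream/2016-12-01/smoke.json.php HTTP/1.1 405',
    'GET /wp-content/cache/db/singletables/f28/346/phd_buttonsEN.php HTTP/1.1" 200',
    '203.0.113.5 - - [10/Jan/2023:10:00:01 +0000] "POST /wp-content/cache/db/singletables/a1b/drop.php HTTP/1.1" 403 199 "-" "curl/7.81.0"',
    '203.0.113.5 - - [10/Jan/2023:10:00:02 +0000] "GET /wp-content/plugins/w3-total-cache/pub/js/lazyload.min.js HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for f in hits:
        print(f"{f.status} {f.method} {f.path}\n    -> {f.reason}")
    print(f"{len(served_findings(hits))} of {len(hits)} flagged requests were served with 2xx")
```

Run it against a real log with `flag_requests(open("access.log").readlines())`; the served 2xx entries are the paths to inspect on disk first, and after adding the deny rules from the reply above, the same rules should start reporting those requests as 403/406 instead.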

  • The topic ‘Prevent POST request to w3-total-cache folder’ is closed to new replies.