• Resolved dimi993

    (@dimi993)


    Hi,
    Lately I’ve been facing a problem with a website. Checking the logs, I found the following:

    2023-09-13 17:09:24.449414 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com:443:MODSEC] mod_security rule [id “77350212”] at [/etc/httpd/conf/modsecurity.d/rules/custom/007_i360_4_wordpress.conf:2721] triggered!
    [Wed Sep 13 17:09:24.447126 2023] [error] [client 185.220.101.10] ModSecurity: Access denied with code 403, [Rule: ‘REQUEST_FILENAME’ ‘\/[.#]?wp-config[.-][\w._-]*(?:[#~]|(?:inc|txt|tar|xml|zip|bak|old|orig(?:inal)?|save|\d|sw(?:p|o)))$’] [id “77350212”] [msg “IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.inc||T:LITESPEED||REQUEST_URI:/wp-config.inc||”] [severity “CRITICAL”] [tag “wp_core”] [hostname “shop.com”] [uri “/wp-config.inc”]
    2023-09-13 17:09:24.449440 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com:443] Content len: 0, Request line: ‘GET /wp-config.inc HTTP/1.1’
    2023-09-13 17:09:24.449445 [INFO] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com:443] Cookie len: 139, mailchimp_landing_site=https%3A%2F%2Fshop.com%2Fblog%2Fwp-config; pbid=8db2b8ce1cfe4710035e9cf74386e1024f6cbc408729d133a978dfc7616ec1d8
    2023-09-13 17:09:24.449448 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_shop.com.gr:443] Redirect: #1, URL: /index.php

    This set of errors gets repeated multiple times in just a few seconds, each time trying to access a different version/name of wp-config.

    Is it a possible vulnerability in the Mailchimp plugin code or settings? Because every time this request happens, ModSecurity rules are triggered.

    Any ideas could really help.
    Thank you.
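
Added example, not part of the original thread or of any plugin's code: one way to check from the ModSecurity denial lines quoted in the post above whether a single client requested several wp-config variants within a few seconds. The sample lines, client addresses and hostname are constructed, and the function names, `min_uris` and `window_s` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

Q = r'["\u201c\u201d]'  # straight or typographic quotes (forum software converts them)
DENY = re.compile(
    r'^\[(?P<ts>\w{3} \w{3} +\d+ [\d:.]+ \d{4})\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'ModSecurity: Access denied.*?\[id ' + Q + r'(?P<rule>\d+)' + Q + r'\]'
    r'.*\[uri ' + Q + r'(?P<uri>[^"\u201c\u201d]*)' + Q + r'\]'
)

# Constructed sample in the shape of the quoted log; documentation IPs, made-up host.
SAMPLE_LOG = """\
[Wed Sep 13 17:09:24.447126 2023] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403, [id “77350212”] [hostname “shop.example”] [uri “/wp-config.inc”]
2023-09-13 17:09:24.449440 [NOTICE] [2651111] [T4] [203.0.113.7:15646] Content len: 0, Request line: ‘GET /wp-config.inc HTTP/1.1’
[Wed Sep 13 17:09:24.901000 2023] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403, [id "77350212"] [hostname "shop.example"] [uri "/wp-config.bak"]
[Wed Sep 13 17:09:25.310000 2023] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403, [id "77350212"] [hostname "shop.example"] [uri "/wp-config.old"]
[Wed Sep 13 17:20:02.000000 2023] [error] [client 198.51.100.20] ModSecurity: Access denied with code 403, [id "77350212"] [hostname "shop.example"] [uri "/wp-config.txt"]
"""

def parse_denials(text):
    """Return (timestamp, client_ip, rule_id, uri) for each ModSecurity denial line."""
    events = []
    for line in text.splitlines():
        m = DENY.match(line.strip())
        if m:  # other log lines (NOTICE/INFO) are skipped
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            events.append((ts, m["ip"], m["rule"], m["uri"]))
    return events

def probe_bursts(events, min_uris=3, window_s=10.0):
    """Map client IP -> distinct URIs denied inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, _rule, uri in events:
        by_ip[ip].append((ts, uri))
    bursts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1  # shrink the window from the left
            uris = {u for _, u in hits[start:end + 1]}
            if len(uris) >= min_uris and len(uris) > len(bursts.get(ip, ())):
                bursts[ip] = sorted(uris)
    return bursts

if __name__ == "__main__":
    print(probe_bursts(parse_denials(SAMPLE_LOG)))
```

A client that appears in the result requested several different file names in quick succession and was denied each time; a client with a single denial, like the second address in the sample, is not reported.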

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Lap

    (@lapzor)

    Please note we are not Mailchimp. We are a different company called “ibericode” that develops plugins such as “Mailchimp for WordPress”. I’m sorry to tell you I am not able to help you with this question as it is not related to our plugin but to Mailchimp itself. My advice to you is to contact Mailchimp directly as they would be the best people to answer any query related to your Mailchimp.com account.

    You can contact Mailchimp through https://mailchimp.com/contact/support/

    I hope that helps. If you have any queries specific to our plugin please let us know!

    Thread Starter dimi993

    (@dimi993)

    Hi Lap, thank you for your reply.

    I’m sorry, I didn’t explain my problem in the question and my request was not clear.

    For the past two weeks, files of our website disappear and we are trying to figure out what is happening. Most of our clues and people we have asked, suggest the site is being attacked.

    We noticed this strange url that I wrote in the first post and we are thinking if there is a possible vulnerability in the MC4WP plugin. We are using version 4.9.6 of the plugin.

    Plugin Contributor Lap

    (@lapzor)

    Maybe I’m overlooking it, can you please point out to me exactly what part of that log message refers to our plugin or why you think this is related to the MC4WP plugin?

    Thanks for letting me know.

  • The topic ‘Request to wp-config using the landing_site cookie’ is closed to new replies.