• Resolved kcwebguy

    (@kcwebguy)


    I am seeing in the logs where the hacker is able to access files that have been created less than 24 hours ago. How do I stop this using the free version of the software?

    Note that I am using the FULL WAF and not the WP WAF.

    I realize the goal is to remove the offending scripts. But until I have found those, how can I stop them from accessing these new files?

    15/Jun/18 17:50:44 #1583765 INFO – 163.172.43.3 GET /wp-content/plugins/pluginname/destinations/_s3lib3/Aws/CognitoIdentity/Exception/filename.php – Access to a script modified/created less than 24 hour(s) ago – [/home/domain/public_html/wp-content/plugins/pluginname/destinations/_s3lib3/Aws/CognitoIdentity/Exception/filename.php] – https://www.domain.com

    15/Jun/18 17:50:44 #4295467 HIGH 309 163.172.43.3 GET /wp-content/plugins/pluginname/destinations/_s3lib3/Aws/CognitoIdentity/Exception/filename.php – PHP predefined variables – [COOKIE:Z = call_user_func(create_function($Y,gzuncompress(base64_decode($_COOKIE[CODE]))));] – https://www.domain.com

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    File Guard warns you, but doesn’t block the request.
    If you want to temporarily modify the firewall code to force File Guard to block, you need to edit the “/ninjafirewall/lib/fw_fileguard.php” script:

    1. Locate lines 62 to 68:

                   // Remember it so that we don't spam the admin each time the script is requested :
                   touch($nfw_['log_dir'] . '/cache/fg_' . $nfw_['nfw_options']['fg_stat']['ino'] . '.php');
                }
             }
          }
       }
    }
    

    2. Insert the following two lines between lines 64 and 65:

                   // Remember it so that we don't spam the admin each time the script is requested :
                   touch($nfw_['log_dir'] . '/cache/fg_' . $nfw_['nfw_options']['fg_stat']['ino'] . '.php');
                }
                nfw_log('File Guard: blocked request', $_SERVER['SCRIPT_FILENAME'], 6, 0); // Log the request....
                nfw_block(); // ...and block it.
             }
          }
       }
    }
    

    The nfw_log... line will log it, and the nfw_block... will block it.
    Don’t forget to undo those changes when you don’t need them, because you could block legitimate users (e.g., after a core or theme update).
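
For triage while File Guard is only warning, the following added example (not part of the replies above and not NinjaFirewall code) parses log lines in the layout pasted in this thread and ranks File Guard-flagged scripts, putting those that also tripped another firewall rule first. The function name `triage`, the sample paths and the sample IPs are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Matches log lines in the layout shown in this thread; the rule-id column
# holds a dash on INFO lines. En-dash and hyphen separators are both accepted.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) #(?P<id>\d+) (?P<level>[A-Z]+) (?P<rule>\d+|[–-]) "
    r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) [–-] (?P<reason>.*?) "
    r"[–-] \[(?P<detail>.*)\] [–-] (?P<host>\S+)$"
)
FILE_GUARD = "Access to a script modified/created less than"

# Constructed sample: one script hit by File Guard and rule 309, and one
# File Guard hit of the kind a legitimate core update would produce.
SAMPLE_LOG = """\
15/Jun/18 17:50:44 #1000001 INFO – 192.0.2.10 GET /wp-content/plugins/example/a.php – Access to a script modified/created less than 24 hour(s) ago – [/var/www/html/wp-content/plugins/example/a.php] – https://www.example.com
15/Jun/18 17:50:44 #1000002 HIGH 309 192.0.2.10 GET /wp-content/plugins/example/a.php – PHP predefined variables – [COOKIE:Z = (payload omitted)] – https://www.example.com
15/Jun/18 18:02:10 #1000003 INFO – 198.51.100.7 GET /wp-admin/update-core.php – Access to a script modified/created less than 24 hour(s) ago – [/var/www/html/wp-admin/update-core.php] – https://www.example.com
15/Jun/18 18:05:31 #1000004 INFO – 192.0.2.11 POST /wp-content/plugins/example/a.php – Access to a script modified/created less than 24 hour(s) ago – [/var/www/html/wp-content/plugins/example/a.php] – https://www.example.com
"""

def triage(lines):
    """Return File Guard-flagged scripts, those with other rule hits first."""
    seen = defaultdict(lambda: {"path": None, "ips": set(), "hits": 0, "rules": set()})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a firewall log entry in the expected layout
        entry = seen[m["uri"]]
        entry["ips"].add(m["ip"])
        if m["reason"].startswith(FILE_GUARD):
            entry["hits"] += 1
            entry["path"] = m["detail"]  # File Guard puts the on-disk path here
        elif m["rule"].isdigit():
            entry["rules"].add((m["level"], int(m["rule"]), m["reason"]))
    flagged = [{"uri": uri, **e} for uri, e in seen.items() if e["hits"]]
    # Recently modified scripts that also trip other rules are the strongest
    # candidates for manual inspection, so they sort to the top.
    return sorted(flagged, key=lambda e: (-len(e["rules"]), -e["hits"], e["uri"]))

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG.splitlines()):
        print(item["hits"], len(item["rules"]), sorted(item["ips"]), item["path"])
```

Entries with File Guard hits but no other rule hits, such as the update script in the sample, are the ones most likely to be legitimate traffic after an update.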

    Thread Starter kcwebguy

    (@kcwebguy)

    Thank you very much for this. You have an amazing plugin. After trying so many other alternatives, yours is the one that I’m sticking with. Very powerful and very good at protecting sites.

    Thanks so much!

    • This reply was modified 6 years, 9 months ago by kcwebguy.
  • The topic ‘Stop Access to Files Created Less than 24 Hours Ago’ is closed to new replies.