jackelliott
Forum Replies Created
yorman, thanks. I’ve deleted the file.
For future reference, you wrote “However, if you really want to keep that file in your website you can click the checkbox on the side of the table then execute the action ‘Mark as Fixed’.”
The side of what table? I didn’t just pop online here to ask before seeing if I could sort this out myself. I didn’t find the correct page to tell Sucuri to consider the file as safe.
Thanks. From a high of over a thousand attempts a few days ago, the daily report has dropped back down to the normal range of fewer than 20 per day. I guess our site was looking particularly tasty then.
The levels, “critical”, “high” and “medium” are there to give an indication of how badly things might have gotten messed up if the exploits had worked?
Followup: this morning’s report paints an entirely different picture:
Blocked hacking attempts: 28 (critical: 0, high: 0, medium: 28)
Blocked brute-force attacks: 0
If what we were seeing on yesterday’s report was random activity, then the randomness has quite a broad range, from lots and lots of attacks to hardly any.
Thank you. Is there anything to be done about these “critical” attempts?
The blocked attempts are many and varied. It’s quite exciting.
Here’s the log for today:
[long post truncated: please use gist.github.com for pastes.]
- This reply was modified 7 years, 7 months ago by Steven Stern (sterndata).
Nope, okay, I guess a long 1500-line blockquote is not cool. So, the blocked attempts are many and varied. It’s quite exciting. Here’s a snippet of the log:
DATE INCIDENT LEVEL RULE IP REQUEST
10/Apr/17 03:28:31 #8086004 critical - 198.204.253.58 POST /index.php - BASE64-encoded injection - [POST:z0 = QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApOyRucGF0aD0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLkJhU0U2NF9kRWNPZEUoJF9HRVRbJ3o0J10pO2Z1bm...] - SiteNameObfuscated.com
10/Apr/17 03:35:56 #4492585 critical - 198.204.253.58 POST /index.php - Blocked file upload attempt - [W1NCoi.php (245 bytes)] - SiteNameObfuscated.com
10/Apr/17 03:36:09 #1150614 critical - 198.204.253.58 POST /wp-admin/admin-ajax.php - Blocked file upload attempt - [W1NCoi.php (245 bytes)] - SiteNameObfuscated.com
10/Apr/17 03:36:19 #8839776 critical - 198.204.253.58 POST /index.php - Blocked file upload attempt - [W1NCoi.php (245 bytes)] - SiteNameObfuscated.com
10/Apr/17 05:51:03 #1961817 medium 306 93.175.200.164 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent] - SiteNameObfuscated.com
10/Apr/17 06:32:05 #1739609 medium 531 104.131.97.106 HEAD /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; Netcraft Web Server Survey)] - SiteNameObfuscated.com
10/Apr/17 09:11:37 #7278797 medium 306 46.119.112.125 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; BCD2000)] - SiteNameObfuscated.com
10/Apr/17 09:21:24 #7124075 info - 67.5.197.239 POST /wp-login.php - Logged in user - [Jack (administrator)] - SiteNameObfuscated.com
10/Apr/17 09:43:51 #6142082 medium 531 138.197.73.125 HEAD /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; Netcraft Web Server Survey)] - SiteNameObfuscated.com
10/Apr/17 09:55:50 #0000000 info - 184.154.76.10 GET /sitelock_find_11294533.php - Access to a script modified/created less than 10 hour(s) ago - [/var/chroot/home/content/23/2507923/html/sitelock_find_11294533.php] - SiteNameObfuscated.com
10/Apr/17 10:09:58 #2896606 medium 306 195.154.216.86 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)] - www.SiteNameObfuscated.com
10/Apr/17 10:24:42 #3595533 medium 306 46.119.118.191 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)] - SiteNameObfuscated.com
10/Apr/17 10:24:43 #6686262 medium 306 46.119.118.191 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)] - SiteNameObfuscated.com
10/Apr/17 11:20:10 #2341314 medium 531 138.197.38.160 HEAD /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; Netcraft Web Server Survey)] - SiteNameObfuscated.com
10/Apr/17 11:31:27 #3048772 medium 306 195.154.199.226 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)] - www.SiteNameObfuscated.com
10/Apr/17 12:41:44 #7173026 critical 1017 36.235.197.121 GET /index.php - Apache Struts2 remote code execution - [SERVER:CONTENT_TYPE = %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#wmres=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).(#wmres.getWriter().print("S2-045 dir--***"...] - 50.62.53.29
10/Apr/17 12:56:26 #4662296 medium 531 159.203.137.250 HEAD /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; Netcraft Web Server Survey)] - SiteNameObfuscated.com
10/Apr/17 13:06:29 #2681936 medium 306 27.159.194.151 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)] - www.SiteNameObfuscated.com
10/Apr/17 13:41:50 #6958489 medium 306 195.154.199.226 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)] - www.SiteNameObfuscated.com
10/Apr/17 13:58:02 #7817119 high 310 5.135.22.249 GET /wp-admin/admin.php - Access to a configuration file - [GET:item = wp-config.php] - SiteNameObfuscated.com
10/Apr/17 13:58:02 #8692913 critical 1 5.135.22.249 GET /wp-admin/tools.php - Directory traversal - [GET:download_backup_file = oldBackups/../../wp-config.php] - SiteNameObfuscated.com
10/Apr/17 13:58:05 #5992399 high 310 5.135.22.249 GET /wp-admin/admin.php - Access to a configuration file - [GET:item = wp-config.php] - SiteNameObfuscated.com
10/Apr/17 13:58:05 #1525732 high 310 5.135.22.249 GET /wp-admin/tools.php - Access to a configuration file - [GET:download_backup_file = ../wp-config.php] - SiteNameObfuscated.com
10/Apr/17 18:00:45 #7787871 medium 306 195.154.199.226 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)] - www.SiteNameObfuscated.com
10/Apr/17 20:35:29 #5659381 medium 306 46.118.115.123 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)] - SiteNameObfuscated.com
10/Apr/17 21:44:07 #1769139 medium 306 46.119.118.191 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.6 (build 01425))] - SiteNameObfuscated.com
10/Apr/17 22:28:47 #1151102 medium 531 65.156.232.10 HEAD /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (textmode; U; Linux i386; en-US; rv:3.0.110.0) Gecko/20101006 EzineArticlesLinkScanner/3.0.0g] - SiteNameObfuscated.com
11/Apr/17 01:17:38 #7183408 high 307 35.184.159.186 GET /index.php - Excessive user-agent string length (300+ characters) - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Mozilla/5.0 (Linux; U; Android 2....] - SiteNameObfuscated.com
11/Apr/17 01:17:49 #4908695 high 307 35.184.159.186 GET /index.php - Excessive user-agent string length (300+ characters) - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Mozilla/5.0 (Linux; U; Android 2....] - SiteNameObfuscated.com
11/Apr/17 02:10:11 #1903814 medium 531 65.156.232.10 HEAD /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (textmode; U; Linux i386; en-US; rv:3.0.110.0) Gecko/20101006 EzineArticlesLinkScanner/3.0.0g] - www.SiteNameObfuscated.com
11/Apr/17 04:11:49 #1917257 medium 306 46.118.115.123 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)] - SiteNameObfuscated.com
11/Apr/17 04:57:43 #8316900 high - 192.169.201.15 POST /wordpress/xmlrpc.php - Access to WordPress XML-RPC API (system.multicall method) - [/wordpress/xmlrpc.php] - SiteNameObfuscated.com
11/Apr/17 07:04:20 #7499137 info - 67.5.197.239 POST /wp-login.php - Logged in user - [Jack (administrator)] - SiteNameObfuscated.com
11/Apr/17 07:26:10 #1810643 medium 306 115.221.19.209 GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)] - www.SiteNameObfuscated.com
13/Apr/17 05:26:53 #7560268 medium 531 46.229.168.69 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; SemrushBot/1.2~bl; +https://www.semrush.com/bot.html)] - www.SiteNameObfuscated.com
13/Apr/17 05:27:02 #8293904 medium 531 46.229.168.70 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; SemrushBot/1.2~bl; +https://www.semrush.com/bot.html)] - www.SiteNameObfuscated.com
13/Apr/17 05:27:10 #1736237 medium 531 46.229.168.68 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; SemrushBot/1.2~bl; +https://www.semrush.com/bot.html)] - www.SiteNameObfuscated.com
13/Apr/17 05:27:24 #3463168 medium 531 46.229.168.74 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; SemrushBot/1.2~bl; +https://www.semrush.com/bot.html)] - www.SiteNameObfuscated.com
13/Apr/17 05:27:25 #7034438 medium 531 46.229.168.69 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; SemrushBot/1.2~bl; +https://www.semrush.com/bot.html)] - www.SiteNameObfuscated.com
13/Apr/17 05:27:38 #8787944 medium 531 46.229.168.66 GET /index.php - Suspicious bots/scanners - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; SemrushBot/1.2~bl; +https://www.semrush.com/bot.html)] - www.SiteNameObfuscated.com
Huh. I posted the contents of my log in <blockquotes> and the post did not appear here. 1500 lines, no error though. Maybe held up in moderation? If it doesn’t surface in a few minutes I’ll try again.
This makes sense. Thank you.
Upvote. I had to google “WordPress File Change Warning” to determine that it was iThemes Security that sent the alert.
Excellent — thank you.
Thank you, Logan. Good to hear that this is expected behavior.
The suspicious attempts from that netrange trigger iThemes Security, which sends out a few of these notifications a week:
Site Lockout Notification
Host/User: Host: 184.154.139.52
Lockout in Effect Until: Permanently
Reason: too many attempts to access a file that does not exist
Is that also you guys?
Thank you. It can’t be easy to teach machines how to tell the difference between malware that uses the same coding technique that legitimate code uses. It’s also tough for the site admin to determine what bit of code in the file may have triggered the alarm.
The folk at WP-Rocket figured it might be a false positive; I sent them your comment.
(Edit: to mark this as resolved)
- This reply was modified 7 years, 7 months ago by jackelliott. Reason: Wanted to mark it resolved
Many thanks! Better the occasional false positive than a miss.
And now I know that the error message I received was not a found string in the target file, but the name of the rule. Does NFW have a “How to interpret results” FAQ this newbie can look at?
Or could you add a “whitelist unless the file changes” option […]
Wouldn’t it be better to fix the scanner so it doesn’t return this false positive? I just got the exact same “{REX}PHP.array.concatenation.1:” on a wp-rocket .php library file, and that file is clean.
- This reply was modified 7 years, 7 months ago by jackelliott.