WordPress.org

1. Haser76
   Member
   Posted 11 months ago #

   Hi, I use wp-Sentinel pleased, but I have a compatibility problem with the plugin jetpack.
   It sends me a lot of mail with the following details:

   Attack details follow :

   - Variable '<?xml_version' of the POST method triggered the filter 'script or html injection' for the content '\&quot;1.0\&quot;?>
   <methodCall>
   <methodName>jetpack.getPosts</methodName>
   <params>
   <param><value><array><data>
    <value><array><data>
    <value><int>2684</int></value>
   </data></array></value>
   </data></array></value></param>
   </params></methodCall>'.

   I have tried to enter the Settings page and to add a new whitelisted variables. i have tired with '<?xml_version' end 'xml_version' unsuccessfully.

   Anyone have a solution to my problem?
   thanks

   http://wordpress.org/extend/plugins/wp-sentinel/

2. sciamannikoo
   Member
   Posted 5 months ago #

   Same problem here

3. Haser76
   Member
   Posted 5 months ago #

   My problem is presented because my blog was compromised.
   Check if your installation of wordpress is compromised and clean your blog from hacking.

4. sciamannikoo
   Member
   Posted 5 months ago #

   Thank you Haser,

   as long as something new didn't affected my blog, it supposed to be ok.

   I've recently ran several checks (including a manual one), to see if anything was compromising my blog, as I've been a victim of an attack.
   Right now the site must be quite fine (otherwise, I don't know what else to check), but still, I'm getting these warning from wp-sentinel.

5. Haser76
   Member
   Posted 5 months ago #

   Excuse me Sciamannikoo,
   I answered you in incorrectly mode. i have disable the mail notification for wp-sentinel.

   yes, i have the same alert by wp-sentinel for the ip address 72.233.44.10 and other ips for a attack of the variable "& lt ; ? xml_version"(without white spaces). but only the ip 72.233.44.10 (in my case) is banned in automatic mode.

   I suppose that:
   1) The function to collect attackers data and build a ip address blacklist in a centralized server of wp-sentinel had record the ip and attack.
   It can be a true attack!!!

   2) The ip address 72.233.44.10 is owned by Jetpack Site.
   I hypothesize that because sometimes i have problem viewing the statistics jetpack in the board.
   In this case, it is a problem of wp-sentinel.

   Sorry me, but i don't know other. The author of wp-sentinel plugin should answer these questions, or the Jetpack teem!!

6. sciamannikoo
   Member
   Posted 5 months ago #

   Hello Haser,

   Honestly, to me it doesn't really matter if this is a false positive or not.
   As long as is detected as a potential attack, I take related actions.

   I've checked about the IP address and it belongs to Layered Technologies, Inc.

   I've sent an email to the company, asking to investigate about it and I warmly advice you to do the same: perhaps is not a malicious attack, but is better not to wait and ask the hosting provider.

   If you want to contact them (since the IP address is the same as yours), you can send a message to this email address: abuse@layeredtech.com

   When and if the developer will ever react to this post (I doubt it, looking to the age of this post), with additional information about this warning, we don't know it: we can't just wait until then, risking to get our website compromised, can we?

Reply

You must log in to post.