WordPress.org

WordPress Firewall has detected and blocked a potential attack - please help (5 posts)

  1. MetteM
    Member
    Posted 2 years ago #

    Hi,

    I just got ten or so emails with a message saying:
    WordPress Firewall has detected and blocked a potential attack!

    The attacks are mainly Directory Traversal Attack and look like this:
    http://www.bestselfexperience.com/cgi-bin/lang/index.php?file=/etc/passwd
    Warning: URL may contain dangerous content!
    67.212.188.154 [ Get IP location ]

    file = /etc/passwd

    What does this mean?? I have just had a guest post up on another site that links to mine... could this be it?

    I hope someone can help me out as to what to do with this.

    Thanks a million!

    Blessings,

    Mette
    http://www.bestselfexperience.com

  2. Brad Markle
    Member
    Posted 2 years ago #

    Hi MetteM, the /etc/passwd file that the warning is referring to:

    /etc/passwd file stores essential information, which is required during login i.e. user account information. /etc/passwd is a text file, that contains a list of the system's accounts, giving for each account some useful information like user ID, group ID, home directory, shell, etc. It should have general read permission as many utilities, like ls use it to map user IDs to user names, but write access only for the superuser (root).

    WordPress is pretty secure as it is, and also web servers have measures in place to prevent user php scripts from tampering with /etc/passwd.

    In my opinion, someone (probably an automated bot even) was trying a random hack on your website. WordPress firewall noticed the obvious (that /etc/passwd was somehow involved and it shouldn't have been) and issued a warning.

    In my opinion, it is safe to ignore this particular message.

    Most likely if such a hack attempt was successful, your server (and all the users on it) would have been compromised, and your hosting provider (most likely BLUEHOST.COM based upon your domain) would be very busy dealing with calls from customers regarding some type of hack on their account.

    I hope this helps. If you have any further questions, I'm happy to help.

  3. MetteM
    Member
    Posted 2 years ago #

    Thanks so much for your reply!!!

    I have been getting literally a hundred or so more mails saying that there is an attack on my website! This time it is mainly SQL related:
    Offending IP: 41.216.218.76 [ Get IP location ]

    Offending Parameter: hsfirstvisit = http://www.bestselfexperience.com/yoga/|http://www.facebook.com/ajax/emu/end.php?eid=AQLXd-BJL2Ez47CF4uvIq_Td9AgqBILWG86g_KJrGiY2jtDPg1ThAm6PvOeXgWQDNJfV-LAcx1RhV4Be5uxrhTN0w1PvkZQiiZOWq7_mSKi8o3R3wvRMNVwU3j2QiHGbWXmn77Y0oWoIkHPN284Bvpy7g8UvCg1JU8n79FMLKgmaT6zPyCu4WChPIxJ5JEP8r_i1latUdlYGldtJkYC-_7Mc-33g4k1uif5srNwyhlWyRrfCasvnHATfFeSNtn8YZJJDc5XmOSRRgG2GGdk5rHIW86qcSB7ZssfdkG-mHQmZlB8SBuWQcgMPy_8n93jJHHZLmV65trJlJzDRkwHrUIxaAbRs3DnL0ix2SbZ_BC4CGsx_eYNkM2iODIE8o3M8SllFtZzajHhI-7WwrLYAR-83wdm4Wqyc1Uhfmo5h7JvHsQGT9HIYOxV8FR6cUznGZZRvZbRWxDnpdf6OYNJRTmLS1TZGuOceGUkj74IvXtGQHTA8eChCkNMNfBEaBn8julwP9bM43JpYwFDuCVcPlolaIH8VeySE-YWwfX6dNGOtWPiey_mcse35NI0WOQOgQHuWesK63KCFHW1fD_x9codfpxeZuxbbbe0jn6bYkAYlS-BNsrKwp_ARf0a6Mz2v_NXiAgGiMD7DKanEOFMU-iJ6-nISXYvmGMAfrY4ky1sEKn__B|2012-01-27 04:33:45

    This may be a "WordPress-Specific SQL Injection Attack."

    Should I just ignore these too?? I literally just got 100 of these mails in my mailbox. It's a bit scary...

    Thanks for your help!

    Mette

  4. Brad Markle
    Member
    Posted 2 years ago #

    Hi Mette,

    With a website I manage, I set it up so that whenever there is an error on a webpage, I get an email sent to me with more information. In theory I thought this was an excellent idea, but in reality it floods my inbox with 1000's of emails.

    The problem is that with certain open source applications, like WordPress or Joomla, there are known exploits with either the software or plugins that can be used with the software. People have written scripts that search the internet for websites that run WordPress or Joomla, and then they try these hacks.

    It's all automated (99.9% of it). Most likely there is not someone directly targeting you, but instead there is a bot just crawling the web and trying to get lucky running a generic type of hack.

    It's similar to Google's bot that crawls and searches the web for new web pages to index. Except in this case, the bot has bad intentions.

    I'm not sure how long you've been using WordPress Firewall, but these emails may become a very regular thing. I don't want to say that the exploit is either dangerous or can be ignored, because without fully looking at your WordPress installation, the server you're on, and all the plugins that you're using, I can't say for sure.

    You may want to reach out to others that use WordPress Firewall and find out if anyone is experiencing similar issues as yourself. Unfortunately I'm not familiar with the plugin, so I don't know 100% how it works.

    I hope that helps a bit! Let me know if you have any further questions.
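
Added example, not part of the original thread and not code from the WordPress Firewall plugin: one way to check alerts like the ones above against the web server's access log, to see how the server answered each probed request. It assumes Apache common-log-format lines; the sample lines, status codes, timestamps and the `triage` / `suspicious_params` names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample in Apache common log format. The first request and IP are the
# ones quoted in the thread; timestamps, status codes and the other lines are invented.
SAMPLE_LOG = '''\
67.212.188.154 - - [27/Jan/2012:04:30:01 +0000] "GET /cgi-bin/lang/index.php?file=/etc/passwd HTTP/1.1" 404 512
203.0.113.9 - - [27/Jan/2012:04:31:10 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 8841
198.51.100.7 - - [27/Jan/2012:04:32:44 +0000] "GET /yoga/?utm_source=guestpost HTTP/1.1" 200 15320
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# Values that point outside the web root: parent-directory hops or absolute system paths.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^/(etc|proc|var|root)/', re.I)

def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters that look like path traversal."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decodes once; this catches double encoding
        if TRAVERSAL_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def triage(log_text):
    """Return one finding per suspicious parameter, with the server's response."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        for name, value in suspicious_params(target):
            # Non-2xx: the server did not serve the probed script (e.g. 404, 403).
            # 2xx proves nothing by itself, but that script should be checked to see
            # whether it really passes the parameter to a file read or include.
            verdict = "review" if 200 <= status < 300 else "rejected"
            findings.append({"ip": ip, "path": urlsplit(target).path, "param": name,
                             "value": value, "status": status, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```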

  5. MetteM
    Member
    Posted 2 years ago #

    Hi again,

    Thank you so much for your detailed reply!! Am a lot smarter now!!

    Many blessings,

    Mette

Topic Closed

This topic has been closed to new replies.
