WordPress.org

Forums

Simple Security Firewall
[resolved] Firewall Block Alert - Is this an attack or issue with plugin? (5 posts)

  1. m-Aurelius
    Member
    Posted 1 year ago #

    I've gotten this message a few times on just one of my sites (I have WordPress Simple Firewall installed on a whole bunch of sites). I'm trying to determine if it is actually an attack, or an issue with how I have it configured and how it is relating to another plugin? This is the failure notification:

    WordPress Simple Firewall has blocked a page visit to your site.
    Log details for this visitor are below:
    - IP Address: 208.115.113.82
    - Page Request URI: /index.php?option=com_gcalendar&view=event&eventID=M3FrcmdsZ2UyNDQ4%3Cbr%20/%3E%3C/td%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3C/tr%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Ctr%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Ctd%20bgcolor=
    - Visitor IP was neither white-listed nor black-listed. Firewall checking started...
    - Page parameter failed firewall check. The offending value was M3FrcmdsZ2UyNDQ4
    </td> </tr> <tr> <td bgcolor=
    - Firewall Blocked: Field Truncation
    - Firewall Block Response: Visitor connection was killed with wp_die() and message
    You can look up the offending IP Address here: http://ip-lookup.net/?ip=208.115.113.82

    https://wordpress.org/plugins/wp-simple-firewall/

  2. MickeyRoush
    Member
    Posted 1 year ago #

    That looks like it's searching for a Joomla vulnerability. Because that URI is for the Joomla Google Calendar Component. Plus the IP is coming from a hosting service. Probably just a script kiddie running scripts. Your site just happened to be in its path.

    So yes, it looks like an attack.
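
The reasoning in the reply above, as an added example that is not part of the original thread or the plugin's code: it parses the alert's fields, URL-decodes the blocked request, and flags the two traits that point to an automated scan. The function names and the two heuristics are assumptions made for illustration, and the sample shortens the URI's `%20` padding.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Alert fields from the first post; the long run of %20 padding in the
# URI is shortened here, so this is a constructed sample.
ALERT = """\
- IP Address: 208.115.113.82
- Page Request URI: /index.php?option=com_gcalendar&view=event&eventID=M3FrcmdsZ2UyNDQ4%3Cbr%20/%3E%3C/td%3E%20%20%3C/tr%3E%20%20%3Ctr%3E%20%20%3Ctd%20bgcolor=
- Firewall Blocked: Field Truncation
"""

FIELD = re.compile(r"^\s*-\s*([^:]+):\s*(.*)$")
HTML_TAG = re.compile(r"</?[A-Za-z][^>]*>")


def parse_alert(text):
    """Collect the '- Key: value' lines of a block notification."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def triage(text):
    """Decode the blocked request and list why it looks like a scan."""
    fields = parse_alert(text)
    query = urlsplit(fields.get("Page Request URI", "")).query
    params = dict(parse_qsl(query, keep_blank_values=True))
    findings = []
    # Assumption: the site runs WordPress only, so a Joomla-style
    # option=com_<component> parameter has nothing to act on here.
    if params.get("option", "").startswith("com_"):
        findings.append("joomla component: " + params["option"])
    # Heuristic: HTML markup inside a value is not something a normal
    # link to this site would carry.
    for name, value in params.items():
        if HTML_TAG.search(value):
            findings.append("html markup in: " + name)
    return {"ip": fields.get("IP Address"),
            "rule": fields.get("Firewall Blocked"),
            "params": params, "findings": findings}


if __name__ == "__main__":
    for finding in triage(ALERT)["findings"]:
        print(finding)
```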

  3. Paul G.
    Member
    Plugin Author

    Posted 1 year ago #

    Nothing wrong with the plugin here. It's designed, based on your settings, to detect certain patterns in the GET/POST variables (http://support.icontrolwp.com/support/solutions/articles/3000001060-how-exactly-does-the-firewall)

    Looks like something in there wasn't to the firewall's liking and blocked it. If it's a legitimate user, they'll probably contact you to say there's a problem and you may need to whitelist something.

    Sounds like MickeyRoush knows more here about this however, and your site was pinged for a security vulnerability. If that's the case, nice to hear about the firewall doing its job ;)

    Cheers!
    Paul.

  4. m-Aurelius
    Member
    Posted 1 year ago #

    Well there you go... I guess I won't worry about it! It looked strange and different to me than other alerts, but I guess it's just more of the same. Thanks for the insights!

  5. Paul G.
    Member
    Plugin Author

    Posted 1 year ago #

    No problem, just glad to hear it's all working to your liking! :)

    Cheers!
    Paul.

Topic Closed

This topic has been closed to new replies.
