• wwwolf

    (@wwwolf)


    When I configure the Firewall (in Learning Mode), some odd exclusions are randomly appearing in the ‘Whitelisted URLs’ on some sites (but not others). For example, the site I just did gave me:

    /wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php
    and
    /wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php

    I have neither of these plugins on this site or any other I manage, viewed either on the WordPress Plugins page or on the file system. Where did it get these from, and why has it suddenly added them? As I say, there are one or two similar things (though different examples) on other sites, while others have none at all.

    Thanks, Jon

    https://wordpress.org/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Sue

    (@suelaren)

    I’m seeing similar stuff on many of the sites I manage. The IP addresses are typically Russian, Ukrainian, Chinese, French, etc. – and match users locked out from login.

    So my thinking is that these are attempts to get into the site via a plugin upload script, perhaps an old plugin or one that hasn’t been updated in a while. (The Aviary add-on to Gravity Forms hasn’t been updated in 10 months; Inboundio has been 9 months since an update.) Hackers looking for vulnerabilities … so if you don’t have that plugin, disable the whitelist and block the IP that tried to use it.

    As I see it, that whitelist showed me just one more way hackers try to gain access to my sites – in addition to trying to login with bogus usernames, admin, the site name, and others, they are also looking for vulnerabilities in old or out of date plugin files.

    mountainguy2

    (@mountainguy2)

    Better than playing whack-a-mole with manual IP blocking: on occasion, try adding those file paths to the Banned URLs. In my experience that’s a good way to honey-trap the bad guys without taking your time. I’ve added quite a few bad URLs to the Banned URL list and it seems to be working really well.

    What’s surprising is that those bad actors make it through the Wordfence Security Network. Whatever, set it up and they won’t make it through your own DIY security network 😉 !

    The only glitch to this is that when you see a “Banned URL” listing in the block list, Wordfence doesn’t tell you what URL the criminal was using, which makes it tough to tune things. I heard that might be a feature request, but at this point I’m not holding my breath.

    MTN

    mountainguy2

    (@mountainguy2)

    Here is the list I’ve been using for the “Immediately block IP’s that access these URLs” list in Wordfence Options. The more this stuff gets used, the more criminals get banned, or at least stop hitting our servers with these bogus requests. Use with caution; you might not want to block some of the below, but it’s presented as an example.

    Remember that these files have to NOT exist on the server, otherwise the Wordfence ban/block won’t work. Thus, if you do have a vulnerable file and a bot finds it, this won’t do you any good. It’s just a honey pot.

    /plus/Shijian.asp,/install/m7lrv.php,/admin/mazi.asp,/utility/convert/data/config.inc.php,/plus/mytag_js.php, /inc/config.asp,/images/cache.asp,/passwords.php,/weki.php,/upload/uploaxsd.asp,/zx.asp,/jiuge.asp,/xyr/confings.asp,/xz.asp%3b.jpg,/readme.txt,/readme.html,/readme.php,/sjutd.txt,/computers-electronics/,/ffl/error,/apps/,/js/libs/jquery/1.4.4/plugin/tipsy/css/tipsy.css,/themes/elastixneo/ie.css,/wp-content/plugins/dzs-videogallery/,/wp-content/plugins/mailz/,/wp-content/plugins/akismet/Sec-War.php,/pole.php,blog-single.html,/includes/showdebuginfo/serverDetails.asp,/uploadify/uploadify.css,/user/insert.page,/uploadify/uploadify.php,/tiny_mce/plugins/tinybrowser/upload_file.php,/wrecksite.aspx,/master/upload.php,/user/register,/inc.php,

    mountainguy2

    (@mountainguy2)

    Some of you who are using Wordfence to full potential might be tweaking the “Immediately Ban URL” list under Wordfence/Options. In my opinion this is incredibly useful, as it acts as a honey pot to catch bad actors before they can just stomp on your site with endless attacks. I block them all at least 48 hours, and keep an eye out for those that need permanent blocks. I thought I’d share my latest list of bad URLs; some of these are probably not necessary, but I still get attacked on quite a few of them, and am constantly surprised at what Wordfence does NOT block. (Don’t use this list as is; customize for yourself or risk blocking yourself or your blog readers.)

    /wp-login.php*
    /login.html
    /login
    /author/*//wp-login.php
    /administrator/index.php
    /administrator
    /administrator/
    /*/node/add
    /node/add
    /*/*/ckeditor-for-wordpress/*
    /*/ckeditor-for-wordpress/*
    /*/*/thecartpress/*
    /*/thecartpress/*
    /data/wallet.dat
    /wp-content/*/*/a-a.css
    /a-a.css
    /wp-content/*/*/gallery-plugin.php
    /gallery-plugin.php
    /whitehat
    /plugins/lim4wp/editor_plugin.js
    /*/plugins/lim4wp/editor_plugin.js
    /xerte-online/logo.png
    /*/plugins/xerte-online/logo.png
    /user-photo/admin.css
    /*/plugins/user-photo/admin.css
    /*/mac-dock-gallery/bugslist.txt
    /*/*/mac-dock-gallery/bugslist.txt
    /MySQLDumper
    /*/*/*/destination.php
    /front-end-upload/destination.php
    /*/front-end-upload/destination.php
    /*/*/*/readme.txt
    /wp-tmp.php
    /license.php
    /gemb.php
    /lic.php
    /nicesite.php
    /sample.php
    /security.php
    /tmp.php
    /wp-checking.php
    /wp-config-sample.php
    /wp-config.txt
    /wp-config.cfg
    /*/wp-config.cfg
    /wp-config.old
    /wp-config.bak
    /wp-config.orig
    /*/wp-config.orig
    /wp-config.original
    /wp-config-backup.txt
    /wp-config-backup.php
    /wp-config.htm
    /wp-config.html
    /.wp-config.php.swp
    /%23wp-config.php%23
    /*/wp-installation.php
    /wp-installation.php
    /wsdl.php
    /manager
    /manager/
    /manager/html
    /admin/
    /admin
    /admin.php
    /*/*/*/*/*/upload_settings_image.php
    /xsvip.php
    /wp-mail.php
    /sql_dump.php
    /security.php
    /wp/*
    /wp-content/plugins/wp-photonav/*
    /plus/Shijian.asp
    /install/m7lrv.php
    /admin/mazi.asp
    /utility/convert/data/config.inc.php
    /plus/mytag_js.php
    /inc/config.asp
    /images/cache.asp
    /passwords.php
    /SQLiteManager/*
    /weki.php
    /upload/uploaxsd.asp
    /zx.asp
    /jiuge.asp
    /xyr/confings.asp
    /xz.asp%3b.jpg
    /readme.txt
    /readme.html
    /readme.php
    /sjutd.txt
    /ffl/error
    /apps/
    /js/libs/jquery/*/*/tipsy/css/tipsy.css
    /themes/elastixneo/ie.css
    /wp-content/plugins/dzs-videogallery/
    /wp-content/plugins/mailz/
    /wp-content/plugins/akismet/Sec-War.php
    /pole.php
    /*/showdebuginfo/serverDetails.asp
    /uploadify/uploadify.css
    /uploadify/uploadify.php
    /*/*/*/*/*/uploadify.php
    /*/*/*/*/*/upload_settings_image.php
    /*/passwords-list-3.html
    /passwords-list-3.html
    /passwords-list-2.html
    /user/insert.page
    /*/*/tinybrowser/upload_file.php
    /wrecksite.aspx
    /master/upload.php
    /register/
    /register.php
    /*/register
    /*/component/user/register
    /component/user/register
    /login-register.html
    /?q=user/register
    /?q=user%2Fregister
    /inc.php
    /seo-joy.cgi
    /thumbopen.php
    /*/shareChat.asp
    /short-term-cash-*/
    /*/*/|
    /*/*/%7C
    /*/*/*/*/jquery.ui.draggable.min.js
    /explore
    /*/*/*/fm.php
    /*/*/fm.php
    /*/upfilees.php
    /upfilees.php
    /*/*/wp-quick-booking-manager/*
    /*/wp-quick-booking-manager/*
    /*/*/logs/xml.log
    /*/logs/xml.log
    /*/*/*/MF_Constant.php
    /*/*/MF_Constant.php
    /utility/*/*
    /typo3/
    /*/typo3/
    /following-are-just-random-to-catch-enumeration-attempts
    /?author=2
    /?author=4
    /?author=5
    /?author=7
    /?author=50
    /*/*/front-end-upload/destination.php
    /*/*/*/wp-installation.php
    /test.php
    /cache/clean.php
    /cache/clean.php*
    /*/*/*/ninja_forms.php
    /.nksdjs
    /*/*/Cms_Wysiwyg/directive/*/
    /*/Cms_Wysiwyg/*/*/
    /*/*/delete-all-comments/*
    /*/*/delete-all-comments/
    /xml.log
    /*/xml.log
    /*/*/xml.log
    /*/*/*/xml.log
    /*/*/*/*/xml.log
    /*/*/cielo-xml.log
    /wso.php.suspected
    /wso.php
    /c99.php
    /mko.php
    /tmp.php.suspected
    /bubus.php
    /bubus.php.suspected
    /*/*/*/README_OFFICIAL.txt
    /*/*/*/lgpl.txt
    /wp-content/themes/mTheme-Unus/*/*
    /product.php
    /product.php/
    /product.php*
    /wp-content/*/smart-videos/*
    /wp-content/*/zen-mobile-app-native/*
    /blog/
    /*/*/mobile-app-builder-by-wappress/*
    /autodiscover.wildsnow.com/*/*
    /*/Exchange.asmx
    /bitrix
    /wp-admin/customize.php
    /wp-content/plugins/wp-base-seo/*
    /wp-content/plugins/wp-symposium.php
    /wp-content/plugins/wp-mobile-detector.php
    /wp-content/plugins/recent-backups.php
    /wp-content/plugins/db-backup.php
    /wp-content/plugins/really-simple-guest-post.php
    /wp-content/plugins/wp-pagenavi.php
    /wp-content/plugins/history-collection.php
    /wp-content/plugins/ibs-mappro.php
    /wp-content/plugins/image-export.php
    /plugins/stop-user-enumeration/
    /*/changelog.txt
    /*/*/*/changelog.txt
    /c3843fdbd548cf7a5c0d3cf617492957.html
    /wp-admin/js/wp-fullscreen.js
    /layout2b.css
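Two caveats in the posts above are easy to check mechanically: a banned URL only acts as a honey pot if the file does not exist on the server, and copying a list blindly can block your own visitors. The script below is an added example, not part of this thread or of Wordfence: it parses a ban list in either the comma-separated or one-per-line form, shows which entries a given request URI would trigger, and flags entries that match files actually present in the webroot. It assumes that `*` is the only wildcard and matches any run of characters (an assumption about how Wordfence evaluates the list, not taken from its source); the ban-list excerpt and the file listing are constructed.

```python
import re

# Constructed excerpt of an "Immediately block IPs that access these URLs"
# list, in the one-per-line form used in the post above.
SAMPLE_BAN_LIST = """
/wp-login.php*
/readme.html
/wp-config-sample.php
/wp-mail.php
/*/*/front-end-upload/destination.php
/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php
/?author=2
"""

# Constructed stand-in for a directory listing of the site's webroot. The first
# four files do ship with WordPress core, which is exactly why they matter here.
EXISTING_FILES = {
    "/readme.html", "/wp-config-sample.php", "/wp-mail.php", "/wp-login.php",
    "/index.php", "/license.txt", "/wp-content/plugins/akismet/akismet.php",
}

def parse_ban_list(text):
    """Accept either the comma-separated form or the one-per-line form."""
    return [p.strip() for p in re.split(r"[,\n]", text) if p.strip()]

def pattern_to_regex(pattern):
    """Assumption: only '*' is a wildcard (any run of characters); '?' and '%'
    are literal, so '/?author=2' matches exactly that request URI."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def matching_patterns(request_uri, patterns):
    """Which list entries would a request for this URI trigger?"""
    return [p for p in patterns if pattern_to_regex(p).match(request_uri)]

def patterns_hitting_real_files(patterns, existing_files):
    """Entries that match files actually present on the server: the ban does
    not fire for those, and broad ones can lock out legitimate users."""
    hits = {}
    for p in patterns:
        rx = pattern_to_regex(p)
        matched = sorted(f for f in existing_files if rx.match(f))
        if matched:
            hits[p] = matched
    return hits

if __name__ == "__main__":
    pats = parse_ban_list(SAMPLE_BAN_LIST)
    for uri in ["/wp-content/plugins/front-end-upload/destination.php",
                "/wp-login.php?action=lostpassword", "/?author=3"]:
        print(uri, "->", matching_patterns(uri, pats))
    for p, files in patterns_hitting_real_files(pats, EXISTING_FILES).items():
        print("remove or narrow", p, "- matches real file(s):", files)
```

Run it against a real listing (for example the output of `find` over the document root, with the root prefix stripped) before pasting a list into the option.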

  • The topic ‘Firewall – weird whitelisted URLs’ is closed to new replies.