• Resolved gregl7

    (@gregl7)


    I installed the free plugin a few weeks ago because every few weeks my site gets hit with a jillion bots scanning my entire site. Today I noticed they were at it again, as I can see visitor logs of random IPs scanning every public item on my site. I was under the impression BBQ was supposed to identify and block bot scanning, which made me wonder if it was actually working. I noticed on the plugin page under “how to test the plugin is working”, it mentions using the “eval(” line, which is supposed to return a 403 error. When I run the “eval(” line on my site all I get is a blank page. Is BBQ supposed to be blocking these random bot scans of my entire site? And is not displaying the 403 page a sign it’s not working? Thanks.

    As an update to what I just wrote above, it looks like ModSecurity, which is running on my server, may have blocked the “eval” command from running.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Yes, getting a blank page instead of a 403 error is a sign that there may be an issue somewhere. The first/best thing to check would be the site’s error/debug logs. Look for any entries that happen when you perform test requests. If there is any information it would help to figure out what’s happening, etc.

    Thread Starter gregl7

    (@gregl7)

    Apparently the blank page showing instead of 403 is a Firefox thing, as other browsers I’ve tested actually show the 403 page when I run the eval command.

    I mentioned ModSecurity; whenever eval is run ModSecurity pops up with a warning in the error logs. It looks like more of a warning however than actually blocking what BBQ is doing since I get the 403 page:
    ——————————————————-
    ModSecurity: Warning. Pattern match “(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| …” at REQUEST_FILENAME. [file “/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/001_i360_1_generic.conf”] [line “24”] [id “77134463”] [msg “IM360 WAF: PHP Injection Attack: High-Risk PHP Function Call Found||T:APACHE||MVN:REQUEST_FILENAME||MV:/eval()||SC:/home/gleeshot/public_html/eval()”] [severity “NOTICE”] [tag “service_o”] [tag “service_i360”] [tag “noshow”] [hostname “gleeshots.com”] [uri “/eval()”] [unique_id “YOtGYD01d2O1rsQVHTgX4gAAAxg”]

    ——————————————–

    If I disable BBQ and run eval, I get the 404 page instead, which I would assume then means BBQ is working.

    Having said all that, if BBQ is working, what is it supposed to be doing when all these random bot attacks take place and my entire site is being scanned? Thanks.
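The reasoning in the post above (a ModSecurity "Warning" entry alongside a 403 means the 403 came from a different layer) can be checked mechanically. This is an added example, not part of the thread or of either product; the function names and both sample log lines are constructed for illustration, and it assumes the ModSecurity 2.x log wording in which "Warning" marks a non-disruptive match and "Access denied with code NNN" marks a request ModSecurity itself stopped.

```python
import re

# "Warning" = rule matched, request allowed through;
# "Access denied with code NNN" = ModSecurity answered the request itself.
ACTION_RE = re.compile(r"ModSecurity: (Warning|Access denied with code (\d{3}))")
# Fields look like [id "123"]; forum software often curls the quotes,
# so accept straight and curly quotes alike.
FIELD_RE = re.compile(r'\[(\w+) ["“”]([^"“”]*)["“”]\]')

# Constructed sample entries (shortened, placeholder rule ids).
SAMPLE_WARNING = ('ModSecurity: Warning. Pattern match “(?i)eval” at '
                  'REQUEST_FILENAME. [id “100001”] [severity “NOTICE”] '
                  '[tag “service_o”] [tag “noshow”] [uri “/eval()”]')
SAMPLE_DENIED = ('ModSecurity: Access denied with code 403 (phase 2). '
                 'Pattern match "eval" at REQUEST_URI. [id "100002"] '
                 '[severity "CRITICAL"] [uri "/eval()"]')


def parse_modsec_line(line):
    """Return a dict describing one ModSecurity log entry, or None."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)  # "tag" can repeat

    def first(key):
        return fields.get(key, [None])[0]

    return {
        "blocked": m.group(2) is not None,
        "status": int(m.group(2)) if m.group(2) else None,
        "rule_id": first("id"),
        "severity": first("severity"),
        "uri": first("uri"),
        "tags": fields.get("tag", []),
    }


def responder(entry, http_status):
    """Say which layer produced the status code the client saw."""
    if entry and entry["blocked"] and entry["status"] == http_status:
        return "modsecurity"
    return "other layer"


if __name__ == "__main__":
    for line in (SAMPLE_WARNING, SAMPLE_DENIED):
        entry = parse_modsec_line(line)
        print(entry["rule_id"], entry["severity"], responder(entry, 403))
```
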

    Plugin Author Jeff Starr

    (@specialk)

    Yeah it sounds like it is working. If you try testing some of the firewall patterns and get a 403 response (in non-Firefox browsers apparently), then that means it’s working.

    “if BBQ is working, what is it supposed to be doing when all these random bot attacks take place and my entire site is being scanned?”

    BBQ is a firewall. It has a defined set of rules that, when detected in any request, tells BBQ to respond with 403 – Forbidden status. You can find more information on the WP homepage and launch post at Perishable Press.

    I hope this helps. Let me know if I can provide any further info, glad to help anytime.

  • The topic ‘Is it working?’ is closed to new replies.