• Resolved matrimthegambler

    (@matrimthegambler)


    my firewall log told me the following:

    DATE INCIDENT LEVEL RULE IP REQUEST

    16/Nov/18 14:35:26 #6213014 HIGH 310 153.126.172.106 GET /wp-admin/setup-config.php – Access to a configuration file – [SERVER:SCRIPT_NAME = /wp-admin/setup-config.php] – bayrock.de

    16/Nov/18 15:29:58 #3780445 HIGH 310 194.30.34.181 GET /wp-admin/setup-config.php – Access to a configuration file – [SERVER:SCRIPT_NAME = /wp-admin/setup-config.php] – bayrock.de

    16/Nov/18 17:44:02 #2523487 HIGH 310 2a01:4f8:231:327::2 GET /wp-admin/setup-config.php – Access to a configuration file – [SERVER:SCRIPT_NAME = /wp-admin/setup-config.php] – bayrock.de

    16/Nov/18 20:44:33 #7119992 HIGH 310 31.208.43.209 GET /wp-admin/setup-config.php – Access to a configuration file – [SERVER:SCRIPT_NAME = /wp-admin/setup-config.php] – bayrock.de

    I’m wondering how I should treat this log? Any risk? My WordPress is protected by htaccess, firewall, 2-step verification and so on. Who tried to get something out of the setup-config? By the way, I didn’t even install but used a backup.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Nothing to worry about: this is a scanner probing for WordPress.
    That is a very common issue. NinjaFirewall blocks them and writes the incident to the firewall log.

    Thread Starter matrimthegambler

    (@matrimthegambler)

    What happened here? waaaaaa

    01/Dec/18 02:24:52 #2270774 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:data = {"type":"save_setting","append":false,"option":"users_can_register","value":"1"}] – http://www.bayrock.de
    01/Dec/18 02:24:53 #3633543 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:data = {"type":"save_setting","append":false,"option":"default_role","value":"administrator"}] – http://www.bayrock.de
    01/Dec/18 02:24:54 #3750980 CRITICAL 1354 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:args = users_can_register 1] – http://www.bayrock.de
    01/Dec/18 02:24:55 #8157932 CRITICAL 1354 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:args = default_role administrator] – http://www.bayrock.de
    01/Dec/18 02:24:56 #6075518 CRITICAL 1444 177.53.36.67 POST /wp-admin/admin-ajax.php – Privilege escalation – [SERVER:SCRIPT_NAME = /wp-admin/admin-ajax.php] – http://www.bayrock.de
    01/Dec/18 02:24:58 #2085182 CRITICAL 1444 177.53.36.67 POST /wp-admin/admin-ajax.php – Privilege escalation – [SERVER:SCRIPT_NAME = /wp-admin/admin-ajax.php] – http://www.bayrock.de
    01/Dec/18 02:25:01 #4919760 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:data = {"type":"save_setting","append":false,"option":"users_can_register","value":"0"}] – http://www.bayrock.de
    01/Dec/18 02:25:02 #1698476 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:data = {"type":"save_setting","append":false,"option":"default_role","value":"subscriber"}] – http://www.bayrock.de
    01/Dec/18 02:25:03 #2531760 CRITICAL 1354 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:args = users_can_register 01] – http://www.bayrock.de
    01/Dec/18 02:25:04 #4495741 CRITICAL 1354 177.53.36.67 POST /wp-admin/admin-ajax.php – Attempt to modify options table – [POST:args = default_role subscriber] – http://www.bayrock.de
    01/Dec/18 02:25:06 #8811914 CRITICAL 1444 177.53.36.67 POST /wp-admin/admin-ajax.php – Privilege escalation – [SERVER:SCRIPT_NAME = /wp-admin/admin-ajax.php] – http://www.bayrock.de
    01/Dec/18 02:25:07 #8118017 CRITICAL 1444 177.53.36.67 POST /wp-admin/admin-ajax.php – Privilege escalation – [SERVER:SCRIPT_NAME = /wp-admin/admin-ajax.php] – http://www.bayrock.de

    Plugin Author nintechnet

    (@nintechnet)

    They are all blocked hacking attempts trying to exploit known privilege escalation vulnerabilities in the WordPress “WP GDPR Compliance” and “Social Sharing Plugin – Kiwi” plugins (available in the wordpress.org repo), as well as the “Newspaper Theme 6.7.1” theme (available at themeforest.net).
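
The log above shows the whole chain in nine seconds: open self-registration (`users_can_register` = 1), make new accounts administrators (`default_role` = administrator), register an account (the "Privilege escalation" hits), then put both options back. As an added example (not NinjaFirewall's own code, and not from anyone in this thread), the script below parses NinjaFirewall log lines and flags a source IP that walks through those stages in that order. The sample lines are the ones posted above with the forum's curly quotes normalised to straight quotes so the JSON fragment parses; the stage names, the requirement that the stages appear in the observed order, and the 5-minute window are my assumptions.

```python
"""Added example, not NinjaFirewall code: detect the open-registration /
default-role-admin / register / revert sequence in NinjaFirewall log lines."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines posted in the thread, curly quotes straightened so the
# JSON in POST:data parses. Field separators may be "-" or an en dash.
SAMPLE_LOG = """\
16/Nov/18 14:35:26 #6213014 HIGH 310 153.126.172.106 GET /wp-admin/setup-config.php - Access to a configuration file - [SERVER:SCRIPT_NAME = /wp-admin/setup-config.php] - bayrock.de
01/Dec/18 02:24:52 #2270774 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"users_can_register","value" :"1"}] - http://www.bayrock.de
01/Dec/18 02:24:53 #3633543 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"default_role","value" :"administrator"}] - http://www.bayrock.de
01/Dec/18 02:24:54 #3750980 CRITICAL 1354 177.53.36.67 POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = users_can_register 1] - http://www.bayrock.de
01/Dec/18 02:24:55 #8157932 CRITICAL 1354 177.53.36.67 POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:args = default_role administrator] - http://www.bayrock.de
01/Dec/18 02:24:56 #6075518 CRITICAL 1444 177.53.36.67 POST /wp-admin/admin-ajax.php - Privilege escalation - [SERVER:SCRIPT_NAME = /wp-admin/admin-ajax.php] - http://www.bayrock.de
01/Dec/18 02:24:58 #2085182 CRITICAL 1444 177.53.36.67 POST /wp-admin/admin-ajax.php - Privilege escalation - [SERVER:SCRIPT_NAME = /wp-admin/admin-ajax.php] - http://www.bayrock.de
01/Dec/18 02:25:01 #4919760 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"users_can_register","value" :"0"}] - http://www.bayrock.de
01/Dec/18 02:25:02 #1698476 CRITICAL 1353 177.53.36.67 POST /wp-admin/admin-ajax.php - Attempt to modify options table - [POST:data = {"type":"save_setting","append":false,"option":"default_role","value" :"subscriber"}] - http://www.bayrock.de
"""

# DATE #INCIDENT LEVEL RULE IP METHOD PATH - MESSAGE - [DETAIL] - HOST
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) #(?P<incident>\d+) '
    r'(?P<level>[A-Z]+) (?P<rule>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)'
    r' [-\u2013] (?P<message>.+?) [-\u2013] \[(?P<detail>.*)\] [-\u2013] (?P<host>\S+)$'
)

# Assumed stage names; the order is the one observed in the posted log.
STAGES = ("open_registration", "default_role_admin", "privilege_escalation", "cleanup")


def parse_line(raw):
    """One log line -> dict of fields with a datetime ts, or None if it does not match."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%y %H:%M:%S")
    return ev


def option_change(detail):
    """Return (option, value) when the [DETAIL] field is a wp_options write, else None.
    Handles both shapes seen in the log: a JSON save_setting body and 'args = name value'."""
    if detail.startswith("POST:data = "):
        try:
            payload = json.loads(detail[len("POST:data = "):])
        except json.JSONDecodeError:
            return None
        if payload.get("type") == "save_setting":
            return payload.get("option"), str(payload.get("value"))
        return None
    if detail.startswith("POST:args = "):
        parts = detail[len("POST:args = "):].split(" ", 1)
        if len(parts) == 2:
            return parts[0], parts[1]
    return None


def _stage(ev, change):
    """Which stage of the chain a single event would satisfy, or None."""
    if change == ("users_can_register", "1"):
        return "open_registration"
    if change == ("default_role", "administrator"):
        return "default_role_admin"
    if ev["message"] == "Privilege escalation":
        return "privilege_escalation"
    if change and change[0] in ("users_can_register", "default_role"):
        return "cleanup"  # options written again once the account exists
    return None


def find_escalation_chains(log_text, window=timedelta(minutes=5)):
    """Per source IP, walk admin-ajax.php events in time order and advance through
    STAGES strictly in order. Report IPs that reached privilege_escalation within
    `window` of opening registration; `complete` means the revert was also seen."""
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["path"].endswith("/admin-ajax.php"):
            by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        reached = {}  # stage -> timestamp of the first event that satisfied it
        for ev in sorted(events, key=lambda e: e["ts"]):
            stage = _stage(ev, option_change(ev["detail"]))
            if stage and len(reached) < len(STAGES) and stage == STAGES[len(reached)]:
                reached[stage] = ev["ts"]
        if "privilege_escalation" not in reached:
            continue
        elapsed = max(reached.values()) - reached["open_registration"]
        if elapsed <= window:
            findings.append({
                "ip": ip,
                "stages": {s: t.isoformat() for s, t in reached.items()},
                "complete": len(reached) == len(STAGES),
                "duration_seconds": int(elapsed.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in find_escalation_chains(SAMPLE_LOG):
        print(finding)
```

Run against the posted lines it reports one chain for 177.53.36.67, complete, nine seconds from the first option flip to the revert. The probes for setup-config.php never reach a stage and are not reported, which matches the first reply: those are noise, this one is a targeted exploit attempt that the firewall blocked at every step. If a chain is reported on a site without NinjaFirewall in front of admin-ajax.php, the next check is the users table for accounts created in that window, since the revert is meant to hide the change to the options.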

    @nintechnet – any way you’d be able to elaborate on this? How did you figure it’s coming from Kiwi as I don’t see anything in the users’ logs above.

    Thread Starter matrimthegambler

    (@matrimthegambler)

    Thank you!


The topic ‘Risk Question’ is closed to new replies.