Support » Fixing WordPress » SUHOSIN messing with WordPress

  • Suhosin messing with WordPress installation as well as posting, creating pages etc.

    Posting the contents of /var/log/messages


    Jan 30 12:14:24 vps22 suhosin[25052]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'data[wp_autosave][content]' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/admin-ajax.php')
    Jan 30 12:14:24 vps22 suhosin[25052]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'data[wp_autosave][excerpt]' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/admin-ajax.php')
    Jan 30 12:14:24 vps22 suhosin[25052]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'data[wp_autosave][catslist]' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/admin-ajax.php')
    Jan 30 12:14:24 vps22 suhosin[25052]: ALERT - dropped 3 request variables - (0 in GET, 3 in POST, 0 in COOKIE) (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/admin-ajax.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'auto_draft' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'wp-preview' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'hidden_post_password' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'post_password' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'parent_id' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'metakeyinput' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'metavalue' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'post_name' (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:39 vps22 suhosin[25064]: ALERT - dropped 8 request variables - (0 in GET, 8 in POST, 0 in COOKIE) (attacker 'ip.address.hidden', file '/home/username/public_html/wp-admin/post.php')
    Jan 30 12:14:49 vps22 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jan 30 12:14:49 vps22 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__*************************** is now logged in
    Jan 30 12:14:49 vps22 pure-ftpd: (__cpanel__service__auth__ftpd__***************************@127.0.0.1) [INFO] Logout.

    The problem is only with latest version of WordPress, messages are similar to the null byte attack.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Is this a fresh install of WordPress or an upgrade? Do you have any plugins running?

    If Suhosin is reporting nulls, it’s possible that a plugin or the theme is altering the data on saving a post and that’s causing the problems. Switch to a default theme (Twenty Sixteen or Twenty Fifteen) and disable all plugins and see if Suhosin detects any more ASCII-NUL issues. If you have access to WP-CLI, you can use it to verify the checksums of the core files (see http://wp-cli.org/commands/core/verify-checksums/).

    There are no plugins. Fresh installation of WordPress. Normally it will get installed without showing error in the front-end. We have intrusion detection enabled in the server, so our IP gets blocked at every button press of first wizard as well as new post etc.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘SUHOSIN messing with WordPress’ is closed to new replies.