• Feel free to evaluate these additions I've made and, if you like them, feel free to roll them into your next build.

    adding around line 1231 (after return $result;} )

    // WSP ADDED		
    
    // Start Trace
    function generateCallTrace()
    {
        $e = new Exception();
        $trace = explode("\n", $e->getTraceAsString());
        // reverse array to make steps line up chronologically
        $trace = array_reverse($trace);
        array_shift($trace); // remove {main}
        array_pop($trace); // remove call to this method
        $length = count($trace);
        $result = array();

        for ($i = 0; $i < $length; $i++)
        {
            // replace '#someNum' with '$i)', set the right ordering
            $result[] = ($i + 1) . ')' . substr($trace[$i], strpos($trace[$i], ' '));
        }

        return "\t" . implode("\n\t", $result);
    }
    
    // WSP END

    Add output around line 2351 after $fails['total'], $this->options['login_fail_minutes']) . '\n\n"

    // WSP Edit
    . sprintf(__("The URL Trace is \n\n ")). $this->generateCallTrace() . "\n\n" . "End Trace \n\n"
    // WSP End

    Back in version 4.X adding this would tell me exactly what URL they were trying to use to process a login. Maybe someone can come up with a better trace solution report.

    Hope you all find this useful. I've been able to plug up a few wp leaks because of it.

    https://wordpress.org/plugins/login-security-solution/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter webmasteral

    (@webmasteral)

    Example of email I get from the plugin with these additions

    Your website, Example, is undergoing a brute force attack.

    There have been at least 5 failed attempts to log in during the past 120 minutes that used one or more of the following components:

    The URL Trace is

    1) /public_html/client/example/index.php(17): require('/hermes/bosoraw…')
    2) /public_html/client/example/wp-blog-header.php(12): require_once('/hermes/bosoraw…')
    3) /public_html/client/example/wp-load.php(37): require_once('/hermes/bosoraw…')
    4) /public_html/client/example/wp-config.php(81): require_once('/hermes/bosoraw…')
    5) /public_html/client/example/wp-settings.php(374): do_action('wp_loaded')
    6) /public_html/client/example/wp-includes/plugin.php(503): call_user_func_array(Array, Array)
    7) [internal function]: WPS_Hide_Login->wp_loaded('')
    8) /public_html/client/example/wp-content/plugins/wps-hide-login/wps-hide-login.php(442): require_once('/hermes/bosoraw…')
    9) /public_html/client/example/wp-login.php(806): wp_signon('', '')
    10) /public_html/client/example/wp-includes/user.php(83): wp_authenticate('Luigi52P9141404', 'bfEL9kH1i')
    11) /public_html/client/example/wp-content/plugins/login-lockdown/loginlockdown.php(451): do_action('wp_login_failed', 'Luigi52P9141404')
    12) /public_html/client/example/wp-includes/plugin.php(503): call_user_func_array(Array, Array)
    13) [internal function]: login_security_solution->wp_login_failed('Luigi52P9141404')
    14) /public_html/client/example/wp-content/plugins/login-security-solution/login-security-solution.php(913): login_security_solution->process_login_fail('Luigi52P9141404', 'bfEL9kH1i')
    15) /public_html/client/example/wp-content/plugins/login-security-solution/login-security-solution.php(2421): login_security_solution->notify_fail('x.x.x.x', 'Luigi52P9141404', '4ab05e8bcb086f6…', Array)

    End Trace

    Component                Count Value from Current Attempt
    ------------------------ ----- --------------------------------
    Network IP                   3 x.x.x.?
    Username                     3 Luigi52P9141404
    Password MD5                 3 4ab05e8bcb086f64ffdbc28579e16d59
    The most recent attempt came from the following IP address: x.x.x.x

    What I find most helpful is the trace telling me the username and password they are trying
    'Luigi52P9141404', 'bfEL9kH1i'

    I'll next post an old alert email and you can see the trace difference

    Thread Starter webmasteral

    (@webmasteral)

    Your website, Example, is undergoing a brute force attack.

    There have been at least 5 failed attempts to log in during the past 120 minutes that used one or more of the following components:

    The URL Trace is

    1) /public_html/client/example/wp-login.php(770): wp_signon('', '')
    2) /public_html/client/example/wp-includes/user.php(81): wp_authenticate('admin', 'awesome')
    3) /public_html/client/example/wp-includes/pluggable.php(575): do_action('wp_login_failed', 'admin')
    4) /public_html/client/example/wp-includes/plugin.php(505): call_user_func_array(Array, Array)
    5) [internal function]: login_security_solution->wp_login_failed('admin')
    6) /public_html/client/example/wp-content/plugins/login-security-solution/login-security-solution.php(903): login_security_solution->process_login_fail('admin', 'awesome')
    7) /public_html/client/example/wp-content/plugins/login-security-solution/login-security-solution.php(2437): login_security_solution->notify_fail('x.x.x.x', 'admin', '819e0b8667e408a…', Array)
    POST DATA:
    admin
    awesome
    Log In
    http://www.example.com/wp-admin/
    1

    Component                Count Value from Current Attempt
    ------------------------ ----- --------------------------------
    Network IP                   1 x.x.x.*
    Username                     5 admin
    Password MD5                 1 819e0b8667e408a58e680f346520d89e

    The most recent attempt came from the following IP address: x.x.x.x

    The Login Security Solution plugin (0.49.0) for WordPress is repelling the attack by making their login failures take a very long time. This attacker will also be denied access in the event they stumble upon valid credentials.

    Further notifications about this attacker will only be sent if the attack stops for at least 120 minutes and then resumes.

    Notice the POST DATA tells us exactly what URL tried to process the login attempt. Sadly the trace stopped exporting this data. Maybe someone else can alter the code again to trace the URL that tried to process the login attempt.

    Anyways, thanks for taking the time to look at my code additions to your plugin.
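
An added example, not part of the posts above or of the plugin's own code: a variant of the trace helper from this thread that builds the frames with `debug_backtrace()` without argument values, so attempted usernames and passwords are not copied into the e-mail, and that reports the request method, host, URI and referer, which is the URL information asked for above. The `lss_*` function names are hypothetical and the demo request values are constructed.

```php
<?php
// Added example: the lss_* names are hypothetical, not taken from the plugin.

/**
 * Format backtrace frames oldest-first as "n) file(line): Class->func()".
 * Argument values are never printed, so submitted credentials stay out of the mail.
 */
function lss_format_frames(array $frames)
{
    $lines = array();
    foreach (array_reverse($frames) as $i => $f) {
        $where = isset($f['file']) ? $f['file'] . '(' . $f['line'] . ')' : '[internal function]';
        $call  = (isset($f['class']) ? $f['class'] . $f['type'] : '') . $f['function'];
        $lines[] = ($i + 1) . ') ' . $where . ': ' . $call . '()';
    }
    return "\t" . implode("\n\t", $lines);
}

/**
 * Describe the request that carried the login attempt.
 * These values are attacker-controlled: strip control characters and cap the length.
 */
function lss_request_summary(array $server)
{
    $out = array();
    foreach (array('REQUEST_METHOD', 'HTTP_HOST', 'REQUEST_URI', 'HTTP_REFERER') as $key) {
        $val = isset($server[$key]) ? (string) $server[$key] : '(not set)';
        $val = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $val), 0, 200);
        $out[] = $key . ': ' . $val;
    }
    return implode("\n", $out);
}

function lss_request_trace()
{
    // DEBUG_BACKTRACE_IGNORE_ARGS keeps argument values out of the frames entirely.
    $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    array_shift($frames); // drop the call to this helper
    return lss_format_frames($frames) . "\n\n" . lss_request_summary($_SERVER);
}

// Constructed demo request (not taken from a real alert).
$demo = array(
    'REQUEST_METHOD' => 'POST',
    'HTTP_HOST'      => 'www.example.com',
    'REQUEST_URI'    => "/wp-login.php\r\nforged line",
);
echo lss_request_summary($demo), "\n";
```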

  • The topic ‘Upgrade and addtion to this great plugin’ is closed to new replies.