Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » What is "Undefined XHR action wp_ajax_nopriv_upload_library"

  • Resolved lukascech

    (@lukascech)


    Hi,

    I have just cleaned my website of hacked content. Now I’m checking the Sucuri logs (Audit report on the dashboard) and there are some entries from:

    user: System
    IP: 91.200.12.60 or 185.93.187.53 or 91.200.12.33
    Event Message: Undefined XHR action wp_ajax_nopriv_upload_library
    /or/ Undefined XHR action wp_ajax_nopriv_bwg_UploadHandler /or/ Undefined XHR action wp_ajax_nopriv_revslider_ajax_action

    After the event, there was malicious code in my index.php root file, which Sucuri notified me about. (About the change in the file).

    But I’m wondering, how did the hacker from an external URL gain access, and why didn’t Sucuri notify me about it first?

    And of course, what does Undefined XHR action wp_ajax_nopriv_……… mean?

    Thanks,
    Lukas

    https://wordpress.org/plugins/sucuri-scanner/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author yorman

    (@yorman)

    These logs are referring to the HTTP requests used to force the execution of Ajax requests with actions that are not defined in the core WordPress functionality, nor in the installed plugins/themes. These requests are generally part of brute force attacks [1], but in your specific case the requests are associated with a vulnerability in the RevSlider plugin, and more specifically with the file upload mechanism; that is how (probably) someone was able to inject the malicious code.

    Unfortunately I can’t answer the question “how did the hacker […] gain access” because that requires a full investigation of the server logs and the code that is powering your website.

    I can answer why the plugin didn’t send the notification when the malicious person injected the malicious code. This is, basically, because the code that hooks the XHR requests is not smart enough to understand the difference between a false positive and a real attack due to the way legit requests are constructed. Sending emails for every suspicious request (no matter if legit or not) will annoy most website owners. I prefer to keep that feature simple and report the events via the audit logs.

    I suggest you put a web application firewall [2] in front of your website to protect it against future attacks like this one. There are many options in the market; feel free to choose the service that you like the most. Sucuri offers CloudProxy [3], which not only acts as a firewall but also improves the performance of the website.

    [1] https://codex.wordpress.org/Brute_Force_Attacks
    [2] https://www.google.com/search?q=web+application+firewall+company
    [3] https://sucuri.net/website-firewall/
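
A triage sketch for the situation in this thread, added here as an example and not part of the original posts or of the Sucuri plugin: it pairs "Undefined XHR action wp_ajax_nopriv_*" audit entries with file-change entries that follow within a few minutes. The log line layout, the "File modified" wording, the timestamps and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries (timestamp | user | IP | message); the line layout
# and the "File modified" wording are assumptions, not Sucuri's export format.
SAMPLE_LOG = """\
2016-01-10 03:12:01 | System | 203.0.113.7 | Undefined XHR action wp_ajax_nopriv_revslider_ajax_action
2016-01-10 03:12:04 | System | 203.0.113.7 | Undefined XHR action wp_ajax_nopriv_upload_library
2016-01-10 03:12:40 | System | 127.0.0.1 | File modified: index.php
2016-01-10 09:30:00 | System | 198.51.100.9 | Undefined XHR action wp_ajax_nopriv_bwg_UploadHandler
2016-01-11 14:00:00 | admin | 192.0.2.20 | File modified: wp-content/themes/site/style.css
"""

XHR_RE = re.compile(r"Undefined XHR action wp_ajax_(nopriv_)?(\w+)")
FILE_RE = re.compile(r"File modified: (\S+)")


def parse(log_text):
    """Yield (timestamp, user, ip, message) for every well-formed line."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of raising
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def correlate(log_text, window=timedelta(minutes=5)):
    """Map each modified file to the unauthenticated probes seen shortly before it."""
    probes, findings = [], defaultdict(list)
    for ts, _user, ip, msg in parse(log_text):
        xhr = XHR_RE.search(msg)
        if xhr and xhr.group(1):  # nopriv_ = request sent without a login session
            probes.append((ts, ip, xhr.group(2)))
            continue
        changed = FILE_RE.search(msg)
        if changed:
            for p_ts, p_ip, action in probes:
                if timedelta(0) <= ts - p_ts <= window:
                    findings[changed.group(1)].append((p_ip, action))
    return dict(findings)


if __name__ == "__main__":
    for path, hits in correlate(SAMPLE_LOG).items():
        print(path, "<-", hits)
```

A match only shows that the two events were close in time; confirming the entry point still needs the web server access logs, as the reply above says.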

    Hi Yorman,

    Thank you for an extensive response, it clears things up. I’ll try a firewall.

    thanks,
    Lukas

  • The topic ‘What is "Undefined XHR action wp_ajax_nopriv_upload_library"’ is closed to new replies.