Forum Replies Created

Viewing 15 replies - 1 through 15 (of 202 total)
  • Yes, all other hits are showing up in the live traffic.

    The URL is a fake one (lol), and visits from the US are redirected to another page.

    Can I send you a log where this blocking rule gets fired by WordFence?

    Is this rule working fine for you?

    Thanks,

    Didier.

    ok. I tried as a test.

    Link

    https://www.mydomain.ch/?.bash_history

    gives me a blank page. When looking in my live traffic now, I do not see an entry in the log.

    My http access log gives a 403:

    62.202.191.130 - - [27/Oct/2020:21:22:33 +0100] "GET /?.bash_history HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"

    Strange, no? Again some hacking ongoing of course.

    No VPN available to connect.

    Thanks,

    Didier.

    Hi Adam,

    Code 200 as shown here:

    /?.bash_history 10/25/2020 1:03:07 PM 103.253.41.111 103.253.41.111 200

    Type: Bot
    Activity Detail
    visited https://www.mydomain.ch/?.bash_history
    10/25/2020 1:03:07 PM (1 day 5 hours ago)
    IP: 103.253.41.111 Hostname: 103.253.41.111
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0

    Not working on latest WP 5.5.1: copy service is empty, not able to add a new attribute.

    Version 1.7.8 works perfectly.

    ok thanks for the explanation.

    Didier.

    Here I have an example of today for another file that I block: .htpasswd

    My HTTP access log:

    85.248.227.164 - - [25/Oct/2020:05:29:45 +0100] "GET /?.htpasswd HTTP/2" 403 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0"

    Entry in LT log:

    /?.htpasswd 10/25/2020 5:29:48 AM 85.248.227.164 tollana.enn.lu 200
    Type: Bot
    Activity Detail
    visited https://www.mydomain.com/?.htpasswd
    10/25/2020 5:29:48 AM (7 hours 23 mins ago)
    IP: 85.248.227.164 Hostname: tollana.enn.lu
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0

    My blocking rule

    /?.htpasswd

    Didier.

    I found it myself: use this format \a\t, so my syntax is

    j F Y \a\t H:i

    🙂

    Didier.

    Hi Adam,

    With front-end I mean that WordFence is for me a backend/admin feature. When I look at the HTML source code of one page, I do not see this WF URL (nor in CSS or JavaScript), so I was wondering how this WF URL can show up in the live traffic, which is showing all visits of my website frontend (my public website).

    Live traffic is not tracking all backend/admin accesses and visits, so how come I see this WF URL in my live traffic? That’s the only thing that I would like to understand.

    Thanks,

    Didier.

    Hi Adam,

    Thanks for the fast reply.

    But you didn’t answer why these URLs are visible from the front end. I do not see this URL as a link in my page for example.

    So where is it stored in the frontend page that people can visit? Is this appended somewhere automatically?

    Thanks for some technical background information so that I can explain to my customer the how, what and why 🙂

    Thanks,

    Didier.

    Hi Jeff,

    I added the code, but I now obtain this in my error log. No text anymore, but the date is still printed. Any way to get this error completely disabled?

    [09-Oct-2020 06:06:12 UTC] 
    [09-Oct-2020 06:11:33 UTC] 
    [09-Oct-2020 06:16:37 UTC] 
    [09-Oct-2020 06:21:41 UTC] 

    Thanks,

    Didier.

    swissspaceboy

    (@swissspaceboy)

    Hello,

    Is this done now? I couldn’t see in the recent changelogs to have two extra fields for the “Book” schema.

    Many thanks for the great plugin!

    Didier.

    Hi,

    Hmm... still wondering where this “1.1 localhost” is coming from. I have no other cache plugins enabled. I use “Autoptimize” and “IP2Location Redirection”, but I contacted all those plugin authors to see if they are responsible for this 1.1 localhost. Nothing from their side.

    I have no clue where these requests are coming from. Anyway, everything seems to be working fine, so I will disable the logging of that filter.

    As a last question, can you tell me how to disable that filter “blackhole_validate_ip_log” in my custom functions.php? I am not an expert in WP coding.

    Many thanks.

    Didier.

    aha..I thought too that it was coming from a scraper.

    Anyway, they don’t know how to code. That’s for sure..LOL

    Thanks for the explanation. We can close the ticket.

    Didier.

    Hi,

    Thanks for replying.

    So the log I have sent is coming from a site with WP4.9.8 and plugin v7.4.10. This error is seen very rarely in the live traffic. Maybe 2% max of all entries.

    The error is coming from file user-agent.js of code “user-agents” of intoli (https://github.com/intoli/user-agents/pull/1/files). That’s the only reference in Google that I could find.

    Another website is on WP5.4.2 with plugin version 7.4.10, and it gives this kind of JavaScript error too:

    
     Ashburn, Virginia, United States visited https://www.xx.yy/evolution-travail-externalisation/
    10/5/2020 10:06:20 AM (13 hours 9 mins ago)  
    IP: 3.236.117.185 Hostname: ec2-3-236-117-185.compute-1.amazonaws.com
    class s extends Function{constructor(e){if(super(),d.call(this),h(this,g(e)),0===this.cumulativeWeightIndexPairs.length)throw new Error("No user agents matched your filters.");return this.randomize(),new Proxy(this,{apply:()=>this.random(),get:(e,t,i)=>{if(e.data&&"string"==typeof t&&Object.prototype.hasOwnProperty.call(e.data,t)&&Object.prototype.propertyIsEnumerable.call(e.data,t)){const i=e.data[t];if(void 0!==i)return i}return Reflect.get(e,t,i)}})}}

    This is the only visit from this IP logging this error.

    Here are some other errors from the second website

     Ashburn, Virginia, United States visited https://www.xx.yy/externalisation-developpement-informatique/
    10/4/2020 1:04:44 PM (1 day 10 hours ago)  
    IP: 23.20.35.143 Hostname: ec2-23-20-35-143.compute-1.amazonaws.com
    class s extends Function{constructor(e){if(super(),d.call(this),h(this,g(e)),0===this.cumulativeWeightIndexPairs.length)throw new Error("No user agents matched your filters.");return this.randomize(),new Proxy(this,{apply:()=>this.random(),get:(e,t,i)=>{if(e.data&&"string"==typeof t&&Object.prototype.hasOwnProperty.call(e.data,t)&&Object.prototype.propertyIsEnumerable.call(e.data,t)){const i=e.data[t];if(void 0!==i)return i}return Reflect.get(e,t,i)}})}}
     Ashburn, Virginia, United States visited https://www.xx.yy/externalisation-developpement-informatique/
    10/4/2020 12:21:32 PM (1 day 10 hours ago)  
    IP: 3.235.191.128 Hostname: ec2-3-235-191-128.compute-1.amazonaws.com
    class s extends Function{constructor(e){if(super(),d.call(this),h(this,g(e)),0===this.cumulativeWeightIndexPairs.length)throw new Error("No user agents matched your filters.");return this.randomize(),new Proxy(this,{apply:()=>this.random(),get:(e,t,i)=>{if(e.data&&"string"==typeof t&&Object.prototype.hasOwnProperty.call(e.data,t)&&Object.prototype.propertyIsEnumerable.call(e.data,t)){const i=e.data[t];if(void 0!==i)return i}return Reflect.get(e,t,i)}})}}
    Ashburn, Virginia, United States visited https://www.xx.yy/externalisation-developpement-informatique/
    10/4/2020 9:40:54 AM (1 day 13 hours ago)  
    IP: 3.92.91.60 Hostname: ec2-3-92-91-60.compute-1.amazonaws.com
    class s extends Function{constructor(e){if(super(),d.call(this),h(this,g(e)),0===this.cumulativeWeightIndexPairs.length)throw new Error("No user agents matched your filters.");return this.randomize(),new Proxy(this,{apply:()=>this.random(),get:(e,t,i)=>{if(e.data&&"string"==typeof t&&Object.prototype.hasOwnProperty.call(e.data,t)&&Object.prototype.propertyIsEnumerable.call(e.data,t)){const i=e.data[t];if(void 0!==i)return i}return Reflect.get(e,t,i)}})}}

    Thanks,

    Didier.

    PS: my first website will soon be migrated, and I always keep an eye on plugin security breaches. So the outdated plugins are kind of normal 🙂

    Hi Adam,

    Report sent by email now. Please check.

    Many thanks!

    Didier.

    PS: I got a similar error on another website, so it is maybe related to one of the recent plugin updates.
