• Resolved liquidmind

    (@liquidmind)


    I have been using NinjaFirewall for a few months now, without any issue. This morning I suddenly got a few “Alert: File Guard detection” emails within a few minutes of each other, all saying “Someone accessed a script that was modified or created less than 10 hour(s) ago”. Thing is, none of these accessed files were changed in months, let alone 10 hours. These files are /public_html/quantiux/wp-load.php, /public_html/quantiux/index.php, /public_html/quantiux/xmlrpc.php, /public_html/quantiux/wp-cron.php. Firewall logs show the following messages around the same time.

    07/Feb/23 15:55:33 #2540097 INFO - 67.20.76.83 POST /wp-cron.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 16:06:52 #8776139 INFO - 67.20.76.83 HEAD /index.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 16:06:52 #3433153 INFO - 67.20.76.83 POST /xmlrpc.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 16:11:32 #6248770 INFO - 107.191.43.101 POST /wp-load.php - Access to a script modified/created less than 10 hour(s) ago

    What bothers me is the word “INFO” in these messages; it looks like these were not blocked for some reason, even though every other very similar attempt from the same IPs was blocked.

    Is there anything I need to do to take care of this issue?

    Thanks!

    EDIT: I was mistaken, these files were changed in the early hours today, along with all other WP core files, probably from an update. These were the ones that were “accessed”.

    • This topic was modified 2 years, 1 month ago by liquidmind.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Nothing to worry about: as there was a core update, the alert was triggered by the bot when it accessed them.

    Thread Starter liquidmind

    (@liquidmind)

    Thanks! Can someone help me understand what exactly is going on with the logs below? Only a few of several are shown.

    07/Feb/23 19:21:39  #6511475  INFO         -  43.130.144.143   GET /wp-includes/class-wp-block-editor-context.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 19:21:40  #7750325  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-block-editor-context.php - Forbidden direct access to PHP script
    07/Feb/23 19:21:41  #5257622  INFO         -  43.130.144.143   GET /wp-includes/class-wp-block-template.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 19:21:42  #5013140  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-block-template.php - Forbidden direct access to PHP script
    07/Feb/23 19:21:47  #7158299  INFO         -  43.130.144.143   GET /wp-includes/class-wp-dependencies.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 19:21:48  #5919285  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-dependencies.php - Forbidden direct access to PHP script
    07/Feb/23 19:21:51  #7767039  INFO         -  43.130.144.143   GET /wp-includes/class-wp-http.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 19:21:51  #2051672  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-http.php - Forbidden direct access to PHP script
    07/Feb/23 19:21:53  #1959518  INFO         -  43.130.144.143   GET /wp-includes/class-wp-scripts.php - Access to a script modified/created less than 10 hour(s) ago
    07/Feb/23 19:21:53  #8188491  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-scripts.php - Forbidden direct access to PHP script

    Same IP address trying to access the same PHP files, alternating between INFO and HIGH threat levels, which means they were both blocked and allowed mere seconds (or less) apart? I got email alerts yesterday at each of these INFO level accesses, about 50 emails within a few minutes. This never happened before in the months I have been using NinjaFirewall, which got me worried that something finally broke through the unbreakable Ninja yesterday?

    Plugin Author nintechnet

    (@nintechnet)

    What happened is that a bot accessed a lot of your files that were just modified due to the update. But also, as the files are all located inside the /wp-includes folder and you have enabled the firewall policy to block direct access to any PHP file located inside that folder, you received a lot of notifications. That’s a bit unusual though.
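    To make the explanation above checkable against the log, here is an added example script (not part of this thread and not NinjaFirewall's own code) that parses the firewall log lines quoted in the posts above and pairs each INFO “Access to a script modified/created” notice with a HIGH block entry for the same IP, method and path logged within a few seconds. A pair means the request tripped both File Guard and the direct-access policy; an unpaired INFO line is a File Guard notice only. The log lines are copied from the posts above; the regex for the line layout and the 5-second pairing window are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the posts above (first batch: INFO only;
# second batch: INFO/HIGH pairs for files under /wp-includes).
SAMPLE_LOG = """\
07/Feb/23 15:55:33 #2540097 INFO - 67.20.76.83 POST /wp-cron.php - Access to a script modified/created less than 10 hour(s) ago
07/Feb/23 16:06:52 #8776139 INFO - 67.20.76.83 HEAD /index.php - Access to a script modified/created less than 10 hour(s) ago
07/Feb/23 19:21:39  #6511475  INFO         -  43.130.144.143   GET /wp-includes/class-wp-block-editor-context.php - Access to a script modified/created less than 10 hour(s) ago
07/Feb/23 19:21:40  #7750325  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-block-editor-context.php - Forbidden direct access to PHP script
07/Feb/23 19:21:51  #7767039  INFO         -  43.130.144.143   GET /wp-includes/class-wp-http.php - Access to a script modified/created less than 10 hour(s) ago
07/Feb/23 19:21:51  #2051672  HIGH         -  43.130.144.143   GET /wp-includes/class-wp-http.php - Forbidden direct access to PHP script
"""

# Assumed layout of a NinjaFirewall log line, inferred from the samples:
# "<date> <time>  #<id>  <LEVEL>  -  <ip>  <METHOD> <path> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2})\s+#(?P<id>\d+)\s+"
    r"(?P<level>[A-Z]+)\s+-\s+(?P<ip>[\d.]+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+-\s+(?P<msg>.*)$"
)

FILE_GUARD_MSG = "Access to a script modified/created"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry.pop("ts"), "%d/%b/%y %H:%M:%S")
    return entry


def classify_file_guard_hits(lines, window=timedelta(seconds=5)):
    """For every INFO File Guard notice, report whether a HIGH block for the
    same (ip, method, path) was logged within `window` after it."""
    entries = [e for e in (parse_line(l) for l in lines) if e]

    # Index block entries by request key so lookups are O(1) per notice.
    blocks = defaultdict(list)
    for e in entries:
        if e["level"] == "HIGH":
            blocks[(e["ip"], e["method"], e["path"])].append(e["time"])

    results = []
    for e in entries:
        if e["level"] != "INFO" or FILE_GUARD_MSG not in e["msg"]:
            continue
        key = (e["ip"], e["method"], e["path"])
        paired = any(
            timedelta(0) <= (t - e["time"]) <= window for t in blocks[key]
        )
        results.append({"ip": e["ip"], "path": e["path"], "blocked": paired})
    return results


def summarize(results):
    """Count, per source IP, how many File Guard notices were also blocked."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for r in results:
        counts[r["ip"]]["blocked" if r["blocked"] else "allowed"] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = classify_file_guard_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        verdict = "File Guard notice + blocked" if h["blocked"] else "File Guard notice only"
        print(f'{h["ip"]:16} {h["path"]:55} {verdict}')
    print(summarize(hits))
```

Run against the quoted lines, the script shows the two requests to wp-includes files as notice-plus-block pairs, while the earlier requests to wp-cron.php and index.php are notices only, which matches the explanation that the File Guard alert is a notice about a recently modified file being accessed and the HIGH entry comes from the separate direct-access policy. On a real log, widen the window if the two entries for one request can be written further apart.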
