Viewing 4 replies - 1 through 4 (of 4 total)
  • I have seen increased traffic targeting my contact page from Russia and China. If you don’t want to pay extra for the feature that blocks entire countries’ IP addresses, you can just manually put the IP addresses in.

    Thread Starter Generosus

    (@generosus)

    Hey @darkshadow316,

    Thanks. Aware of those options. That’s not what we’re seeking.

    Cheers.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @generosus, thanks for reaching out!

    I’ve not seen this attack mentioned before specifically, although I managed to get a successful block for “Accessed a banned URL” when adding /index.php?m=*&c=*&a=*&pc_hash=* to Wordfence > All Options > Advanced Firewall Options > Immediately block IPs that access these URLs and hitting my site with your example above.

    It’s important to note if I visited index.php there was no block, and if I only matched part of the query string there was no block, such as index.php?m=whatever&c=test, so legitimate users shouldn’t get caught by this.

    If any of the query string parameters remain consistent from this particular attacker, you can try replacing some of the wildcards to further protect innocent visitors from getting caught by mistake, like /index.php?m=admin&c=*&a=login&pc_hash=*

    Thanks,
    Peter.
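A way to check a wildcard block pattern against access-log lines before adding it, as an added example that is not part of the thread and is not Wordfence's code. It assumes `*` matches any run of characters and that the whole request URI must match, which fits the behaviour described in the reply above; the log lines and the names `wildcard_to_regex`, `would_block` and `hits` are constructed for illustration.

```python
import re

# The two patterns quoted in the reply above.
BROAD = "/index.php?m=*&c=*&a=*&pc_hash=*"
NARROW = "/index.php?m=admin&c=*&a=login&pc_hash=*"

# Constructed access-log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?m=whatever&c=test HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?m=admin&c=index&a=login&pc_hash=abc123 HTTP/1.1" 404 0
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?m=member&c=index&a=register&pc_hash=zz HTTP/1.1" 404 0
192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /contact/?ref=index.php HTTP/1.1" 200 900
'''

# Client IP and request URI from a combined-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def wildcard_to_regex(pattern):
    """Assumed semantics: '*' matches any run of characters, everything
    else is literal (so '?' and '.' are not regex operators)."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")))

def would_block(pattern, uri):
    # fullmatch: a URI carrying only part of the query string does not match.
    return wildcard_to_regex(pattern).fullmatch(uri) is not None

def hits(pattern, log_text):
    """Return (ip, uri) for every log line the pattern would catch."""
    found = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and would_block(pattern, m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    for name, pat in (("broad", BROAD), ("narrow", NARROW)):
        print(name, hits(pat, SAMPLE_LOG))
```

Running it over a real access log shows which past requests a candidate pattern would have caught, so a pattern that also matches legitimate visitors can be narrowed before it is added.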

    Thread Starter Generosus

    (@generosus)

    Hi Peter,

    Perfect! That’s exactly what we were looking for. Worked like a charm.

    We would have never guessed the URL patterns you provided, but they now serve as a guide for future, similar attacks.

    Thank you so much. Have a great weekend.

  • The topic ‘Bad Actor Attempting to Inject Malware or Find Back Door’ is closed to new replies.