• Resolved frenchomatic

    (@frenchomatic)


    Hi

    I use your plugin on most of my web sites and it appears to be doing a good job. It is a fine piece of coding. Many of the attacks are labelled as critical and it seems to be getting worse as time passes. As if the hackers are getting increasingly annoyed and determined.

    Along with your plugin, I use a lot of other security measures using local .htaccess to block scripts being run in wp-content and wp-includes, disabling the wp edit in config.php, using the main htaccess to 403 away those trying to access files like config.php, wp-login.php, php.ini, disabling directory traversal, etc. I use recaptcha almost everywhere and have cloudflare set on its highest security settings. I have banned 400 IP addresses in cloudflare this week alone. It is just depressing.

    However, my question is this: What does this message mean from the Ninja firewall log? Was the attack blocked or not?

    17/Jan/17 11:59:16 #5884268 critical – 62.210.188.38 POST /mydomain.com/index.php – BASE64-encoded injection – [POST:z0 = QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApOyRucGF0aD0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLkJhU0U2NF9kRWNPZEUoJF9HRVRbJ3o0J10pO2Z1bm…] – https://www.mydomain.com

    Thanks if it is obvious but I wish to confirm that if I see things like this then it was blocked.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    It was blocked. All entries that are marked as “critical”, “high” or “medium” in the log “LEVEL” column are blocked threats.

    The request was blocked because someone tried to inject a shell script:
    decoding QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApOyRucGF0aD0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddLkJhU0U2NF9kRWNPZEUoJF9HRVRbJ3o0J10pO2Z1bm… gives @ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);$npath=$_SERVER['DOCUMENT_ROOT'].BaSE64_dEcOdE($_GET[.....

    NinjaFirewall detects code injection attempts even if they are base64-encoded.
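
Added example (not part of the thread and not NinjaFirewall's own code): a small triage helper that parses a log line laid out like the one quoted in the question, applies the level rule stated in the reply above, and decodes the truncated base64 value for review. The field layout in `LINE_RE` and the function names are assumptions made for this example.

```python
import base64
import re

# Levels the plugin author's reply says always denote a blocked request.
BLOCKED_LEVELS = {"critical", "high", "medium"}

# Assumption: fields laid out as in the line quoted in this thread,
# separated by " – " (or " - "); this is not an official format definition.
LINE_RE = re.compile(
    r"(?P<when>\S+ \S+) #(?P<incident>\d+) (?P<level>\w+) [–-] "
    r"(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) [–-] (?P<rule>.+?) [–-] "
    r"\[(?P<var>[^\]=]+?) = (?P<value>[^\]]*)\] [–-] (?P<host>\S+)"
)

def decode_truncated_b64(value):
    """Decode a base64 value that the log may have cut short with '…'."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", value)  # drop ellipsis and padding
    if len(clean) % 4 == 1:                       # lone char holds no full byte
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)              # re-pad the last group
    return base64.b64decode(clean).decode("utf-8", errors="replace")

def triage(line):
    """Return the parsed fields plus verdict and decoded payload, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    # True for the levels named in the reply; None (unknown) for any other.
    entry["blocked"] = True if entry["level"].lower() in BLOCKED_LEVELS else None
    is_b64 = "base64" in entry["rule"].lower()
    entry["decoded"] = decode_truncated_b64(entry["value"]) if is_b64 else None
    return entry

# The log line quoted in the question above (payload truncated by the log).
SAMPLE = (
    "17/Jan/17 11:59:16 #5884268 critical – 62.210.188.38 POST "
    "/mydomain.com/index.php – BASE64-encoded injection – [POST:z0 = "
    "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgw"
    "KTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApOyRucGF0aD0kX1NFUlZFUlsn"
    "RE9DVU1FTlRfUk9PVCddLkJhU0U2NF9kRWNPZEUoJF9HRVRbJ3o0J10pO2Z1bm…] – https://www.mydomain.com"
)

if __name__ == "__main__":
    e = triage(SAMPLE)
    print(e["level"], e["ip"], "blocked:", e["blocked"])
    print("decoded:", e["decoded"])
```
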

    Thread Starter frenchomatic

    (@frenchomatic)

    Excellent news – thank you. I thought that would be the case. Hacking never stops. It is persistent.

  • The topic ‘Firewall Message – blocked or not’ is closed to new replies.