• Hello–I’m not familiar enough with this plugin or how one would hack into a WordPress site to know if the host-lockout action I see in our logs is due to someone trying to hack into our site, or some kind of regular, bot-driven type of situation, or what. The reason I’m particularly curious is because this is a website for a candidate for a state-level office.

    The URL that triggered the lockout was https://danielle4alabama.com/wp-content/plugins/bloom/css/fonts/ET-Bloom.eot?
    And the lockout was due to too many attempts to access a file that does not exist.

    Here’s the RAW details from the log:

    id => 5891
    module => lockout
    type => action
    code => host-lockout::204.29.110.65
    timestamp => 2018-10-23 18:41:20
    init_timestamp => 2018-10-23 18:41:19
    remote_ip => 204.29.110.65
    user_id => [empty string]
    url => https://danielle4alabama.com/wp-content/plugins/bloom/css/fonts/ET-Bloom.eot?
    memory_current => 26202352
    memory_peak => 26545400
    data => Array
    module => four_oh_four
    host => 204.29.110.65
    user_id => [boolean] false
    username => [boolean] false
    module_details => Array
    type => four_oh_four
    reason => too many attempts to access a file that does not exist
    host => [integer] 5
    period => [integer] 60
    whitelisted => [boolean] false
    blacklisted => [boolean] false
    lockout_type => four_oh_four
    lockout_start => 2018-10-23 12:41:19
    lockout_start_gmt => 2018-10-23 18:41:19
    lockout_expire => 2018-10-23 12:56:19
    lockout_expire_gmt => 2018-10-23 18:56:19
    lockout_host => 204.29.110.65

    The Bloom plugin from Elegant Themes is meant for creating opt-in forms, to collect email addresses for a mailing list. We have an opt-in in the sidebar of several pages. I don’t know if a computer could accidentally keep attempting to access a file related to that plugin, or if it could only happen if someone was looking for a site vulnerability, or what.

    If anyone can give me any guidance here I’d appreciate it. Thanks!

    -Frank

Viewing 3 replies - 1 through 3 (of 3 total)
  • Does the https://danielle4alabama.com/wp-content/plugins/bloom/css/fonts/ET-Bloom.eot file actually exist?

    If not you should contact Elegant Themes and ask for their assistance.
    This seems like a Bloom plugin issue to me.

    May even end up as a browser cache issue (like an updated plugin css file not being auto refreshed).

    nlpro

    (@nlpro)

    I was able to get a copy of the Bloom 1.3.5 (premium) plugin and I can confirm this is a Bloom plugin issue. So the Bloom plugin is generating the 404’s which are then detected by the iTSec plugin 404 Detection module.

    You’ll probably be glad to hear that the resulting lockouts are not because of a hack attack.

    If not already done, contact Elegant Themes. They’ve got some work to do.

    nlpro

    (@nlpro)

    This is still an issue in the 1.3.6 release of the Bloom plugin.

    Have you had a chance to contact Elegant Themes?

  • The topic ‘Help determining if host-lockout is hack attempt?’ is closed to new replies.
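
Added example, not part of the thread and not code from either plugin: one way to triage 404 lockouts like the one above from the web server access log, separating a host that keeps requesting one missing static asset referenced by the site's own pages (the Bloom font case confirmed in the replies) from a host whose 404s need manual review. The combined log format, the sample lines, `example.org`, the name `triage_404s` and the classification heuristic are assumptions; the default threshold of 5 mirrors the `host => 5` value in the posted log, assumed here to be the 404 count that triggers a lockout.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')
ASSET_EXT = (".eot", ".woff", ".woff2", ".ttf", ".svg", ".css", ".js", ".png", ".jpg", ".ico")

def triage_404s(log_text, site_host, threshold=5):
    """Return {ip: verdict} for every host with at least `threshold` 404s."""
    hits = defaultdict(list)  # ip -> [(path without query, referer hostname)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["status"] == "404":
            hits[m["ip"]].append((urlsplit(m["path"]).path, urlsplit(m["ref"]).hostname))
    verdicts = {}
    for ip, reqs in hits.items():
        if len(reqs) < threshold:
            continue  # below the lockout threshold
        paths = {p for p, _ in reqs}
        only_assets = all(p.lower().endswith(ASSET_EXT) for p in paths)
        own_referer = all(host == site_host for _, host in reqs)
        # Heuristic (assumption): a browser loading the site's own pages keeps
        # re-requesting the same one or two missing static files.
        if only_assets and own_referer and len(paths) <= 2:
            verdicts[ip] = "broken-asset-reference"
        else:
            verdicts[ip] = "needs-review"
    return verdicts

def _line(ip, sec, path, referer, status=404):
    # Builds one constructed combined-log-format line.
    return (f'{ip} - - [23/Oct/2018:18:41:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 0 "{referer}" "Mozilla/5.0"')

FONT = "/wp-content/plugins/bloom/css/fonts/ET-Bloom.eot?"  # path from the posted log
# Constructed sample: documentation-range IPs, example.org as the site.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, FONT, f"https://example.org/page-{s}/") for s in range(5)]
    + [_line("198.51.100.9", s, f"/missing-{s}.php", "-") for s in range(5)]
    + [_line("192.0.2.4", s, FONT, "https://example.org/") for s in range(2)]
    + [_line("203.0.113.7", 30, "/", "-", status=200)]
)

if __name__ == "__main__":
    for ip, verdict in triage_404s(SAMPLE_LOG, "example.org").items():
        print(ip, verdict)
```

A `broken-asset-reference` verdict points at the site or plugin, as in this thread; `needs-review` only means the pattern does not fit that explanation.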