• Resolved Paul Fischer

    (@paulfischer)


    Since I’ve installed the WP Free version, I’ve noticed some questionable activity on the Live Log:

    “GET /%EF%BB%BFhttp:/009consultants.com/cdzn/6lzjt.php?vkjwjq=battlefront-2-error-code-1756” “-” “Mozilla/5.0 (compatible; MJ12bot/v1.4.8; https://mj12bot.com/)”

    “GET /%EF%BB%BFhttps://0800construction.com/pnjgwyu/83udg8l.php?cqlafctzk=freedom-homes” “-” “Mozilla/5.0 (compatible; MJ12bot/v1.4.8; https://mj12bot.com/)”

    “GET /%EF%BB%BFhttps://semplice.optart.biz/fkqyji0/jg5s57z.php?hkvkasbre=toyota-crawler-forums” “-” “Mozilla/5.0 (compatible; MJ12bot/v1.4.8; https://mj12bot.com/)”

    “GET /%EF%BB%BFhttps://aahi.co.uk/acu8/6xkxv.php?ldslhr=texas-bombers-softball-10u” “-” “Mozilla/5.0 (compatible; MJ12bot/v1.4.8; https://mj12bot.com/)”

etc.
    But I’ve not had anything reported on the Firewall Log to do with these.

    Are they something to worry about? Is there any setting I need to activate to block these / have them recorded on the Firewall Log or does NinjaFirewall not see these as something to block? They come in batches of 20-30 GET calls with typically a 10-20 second delay between each GET call from the same IP address for the batch, with different IP addresses for each batch.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    That’s not a threat, hence you see it only on the Live Log, not the firewall log.

What about the IP addresses, do they belong to MJ12Bot.com?
    If they do, you can block the bot with your robots.txt (it will respect it). If they don’t, you can block it with your .htaccess for instance.

    Thread Starter Paul Fischer

    (@paulfischer)

    I’m blocking most of the IPs. Not all batches have MJ12Bot.com – it was just the batch I listed.
    Some of the IP addresses come back as

    an unknown host on AS25513 PJSC Moscow city telephone network
    an unknown host on AS42313 Albtelecom Sh.a.
    an unknown host on AS8560 1&1 IONOS SE
    an unknown host on asvmi221909.contaboserver.net

But then around the same times as the “GET /%EF%BB%BF”, I’ve also had logged on the Firewall from the same IPs (I’ve GDPR’d the IPs):

    29/Aug/20 01:22:50 #2597862 HIGH – 194.135.xxx.xxx POST /xmlrpc.php – Access to WordPress XML-RPC API – [/xmlrpc.php]

    29/Aug/20 04:46:55 #6739251 HIGH – 79.106.xxx.xxx POST /xmlrpc.php – Access to WordPress XML-RPC API – [/xmlrpc.php]

    29/Aug/20 05:33:51 #1176163 HIGH – 51.15.xxx.xxx POST /xmlrpc.php – Access to WordPress XML-RPC API – [/xmlrpc.php]

    29/Aug/20 10:08:17 #7238198 CRITICAL 1429 212.227.xxx.xxx GET /index.php – WP backdoor plugin – [SERVER:REQUEST_URI = /wp-content/plugins/ioptimization/IOptimize.php?rchk]

    I have set the HTTP error return as 503, with Block any access to the API set.

    Hence the original question, as it looks like part of the same batch of probing/attack vectors from the same operator(s).

    • This reply was modified 4 years, 2 months ago by Paul Fischer.
    Plugin Author nintechnet

    (@nintechnet)

    I added a rule to block all GET /%EF%BB%BFhttps://... requests.
    Go to “NinjaFirewall > Security Rules” and check if you have the latest rules or click on “Check for updates now”.
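To show what such a rule keys on, here is an added Python example (not part of the thread and not NinjaFirewall's own code) that classifies Live Log lines in the shape quoted above: a request path that begins with the UTF-8 BOM (%EF%BB%BF) followed by an absolute http(s) URL is flagged as a proxy probe. The sample lines are constructed from the hosts quoted in the thread; the line format, field names and the `flag_proxy_probes` helper are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Live Log line shape seen in the thread: "METHOD TARGET" "REFERER" "USER-AGENT"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>[^"]*)" "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
UTF8_BOM = b"\xef\xbb\xbf"  # what %EF%BB%BF decodes to

# Constructed sample lines, modelled on the Live Log entries quoted in the thread.
SAMPLE_LINES = [
    '"GET /%EF%BB%BFhttp:/009consultants.com/cdzn/6lzjt.php?vkjwjq=battlefront-2-error-code-1756" '
    '"-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; https://mj12bot.com/)"',
    '"GET /%EF%BB%BFhttps://aahi.co.uk/acu8/6xkxv.php?ldslhr=texas-bombers-softball-10u" '
    '"-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; https://mj12bot.com/)"',
    '"GET /wp-content/uploads/2018/05/photo.jpg" "-" "Mozilla/5.0"',
]


def classify_request(line):
    """Describe one Live Log line; returns None if it does not match the format.

    A target of the form /<BOM><absolute URL> asks this server to fetch a
    third-party URL, which is what the firewall log labels "Proxy attempt".
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = unquote_to_bytes(m.group("target")).lstrip(b"/")
    has_bom = raw.startswith(UTF8_BOM)
    body = raw[len(UTF8_BOM):] if has_bom else raw
    body_text = body.decode("utf-8", "replace").lstrip("/")
    # The log shows both "https://host" and a collapsed "http:/host"; normalise.
    parts = urlsplit(re.sub(r"^(https?):/+", r"\1://", body_text))
    absolute = parts.scheme in ("http", "https") and bool(parts.netloc)
    return {
        "method": m.group("method"),
        "bom_prefix": has_bom,
        "proxy_attempt": has_bom and absolute,
        "target_host": parts.netloc if absolute else "",
        "claims_mj12bot": "MJ12bot" in m.group("ua"),
    }


def flag_proxy_probes(lines):
    """Return (line index, third-party host) for every line classified as a probe."""
    hits = []
    for i, line in enumerate(lines):
        info = classify_request(line)
        if info and info["proxy_attempt"]:
            hits.append((i, info["target_host"]))
    return hits
```

A User-Agent claiming MJ12bot is self-declared; whether the source IP really belongs to mj12bot.com has to be checked separately (reverse DNS), as the reply above suggests.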

    Thread Starter Paul Fischer

    (@paulfischer)

    Many thanks.

    Thread Starter Paul Fischer

    (@paulfischer)

    The rule is working.
From today’s Firewall Log, only one batch:

    31/Aug/20 08:01:29 #2518737 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://009consultants.com/cdzn/6lzjt.php?vkjwjq=battlefront-2-error-code-1756]
    31/Aug/20 08:01:31 #3858922 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://0800construction.com/pnjgwyu/83udg8l.php?cqlafctzk=freedom-homes]
    31/Aug/20 08:01:33 #6266734 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://100ctr.com/izpwx7u/815rmrz.php?jrhihldjp=red-canoe-nasa-bag]
    31/Aug/20 08:01:34 #4575957 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://100ctr.com/zqdfr2p/0yjysga.php?hpbzohikt=katar-of-quaking-quest-ragnarok-mobile]
    31/Aug/20 08:01:42 #3859118 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://111posters.com/loggers/a7og/7jne9.php?qphxlu=moonlight-characters]
    31/Aug/20 08:01:43 #4880026 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://162.243.xxx.xxx/wp-content/uploads/2018/05/qcdqwuc/3n5tpft.php?hgeftlcgm=dazn-blocking-vpn]
    31/Aug/20 08:01:45 #8449109 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://2be-up.com/tor4sjq/2cultuh.php?sgahfggzm=lo-fi-jazz-samples]
    31/Aug/20 08:01:46 #6052723 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://aahi.co.uk/acu8/6xkxv.php?ldslhr=texas-bombers-softball-10u]
    31/Aug/20 08:01:48 #4156489 HIGH 323 92.220.xxx.xxx GET /index.php – Proxy attempt – [SERVER:REQUEST_URI = /%EF%BB%BFhttps://semplice.optart.biz/fkqyji0/jg5s57z.php?hkvkasbre=toyota-crawler-forums]

    Thanks again.

  • The topic ‘Suspicious Get requests on Live Log but not Firewall Log’ is closed to new replies.