The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to block this kind of wordpress scan?

Discussion in 'Security' started by garconcn, Oct 19, 2015.

  1. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    68
    Recently, I've seen lots of scanning traffic like follows on wordpress sites. How to block those? Is there a way to deny any request for the string "abdullkarem" in modsecurity? Thanks

    Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223

    Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212​
     
    #1 garconcn, Oct 19, 2015
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,620
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    #2 Infopro, Oct 19, 2015
  3. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    68
    #3 garconcn, Oct 19, 2015
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    If you have ModSecurity you can easily add a rule to drop or deny the requests.

    Code:
    SecRule REQUEST_URI wp-restore.php "drop,id:28945,chain"
SecRule QUERY_STRING "root=1"
    This will drop the connection with a TCP reset. If you'd rather return an error page then change "drop" to "deny" however this may cause more load on the server.

    If you would rather drop based on the string "abdullkarem" then change "root=1" to that string. If they hit URL's other than wp-restore.php you could just use this rule instead:

    Code:
    SecRule QUERY_STRING "abdullkarem" "drop,id:28946"
     
    #4 quizknows, Oct 19, 2015
    garconcn likes this.
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    68
    It works, this is exactly what I want. Thank you very much. Your modsec rule was always very helpful.
     
    #5 garconcn, Oct 21, 2015
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Always glad to help. Cheers.

    Edit: It appears many other people are seeing this scan. I'm also seeing it all over my network in audit logs, because other modsecurity rules I use were catching some of the requests. I'll probably deploy a rule widely to my customer base to deny these across the board.

    WordPress › Support » Whois Abdull Karem and why are they scanning?
     
    #6 quizknows, Oct 21, 2015
    Last edited: Oct 21, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - block kind wordpress
  1. electric

    DNS-Only upgrade being blocked

    electric, Aug 18, 2017 at 4:13 PM, in forum: General Discussion
    Replies:
    1
    Views:
    45
    Infopro
    Aug 19, 2017 at 5:48 AM
  2. AbiGoliath

    TLSv1.0 - block for PCI compliance?

    AbiGoliath, Aug 4, 2017, in forum: Security
    Replies:
    1
    Views:
    78
    cPanelMichael
    Aug 4, 2017
  3. Taha Haider

    SMTP PORT Block

    Taha Haider, Aug 3, 2017, in forum: E-mail Discussions
    Replies:
    6
    Views:
    112
    Taha Haider
    Aug 4, 2017
  4. DennisMidjord

    Block incoming emails from domain

    DennisMidjord, Aug 1, 2017, in forum: E-mail Discussions
    Replies:
    3
    Views:
    96
    cPanelMichael
    Aug 1, 2017
  5. RafaelEbarola

    Block Gmail carbon copy on cPanel

    RafaelEbarola, Jul 27, 2017, in forum: E-mail Discussions
    Replies:
    5
    Views:
    95
    cPanelMichael
    Aug 1, 2017

Share This Page