Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to block this kind of wordpress scan?

Discussion in 'Security' started by garconcn, Oct 19, 2015.

  1. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    132
    Likes Received:
    6
    Trophy Points:
    68
    Recently, I've seen lots of scanning traffic like follows on wordpress sites. How to block those? Is there a way to deny any request for the string "abdullkarem" in modsecurity? Thanks

    Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223

    Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212​
     
    #1 garconcn, Oct 19, 2015
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,339
    Likes Received:
    402
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Infopro, Oct 19, 2015
  3. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    132
    Likes Received:
    6
    Trophy Points:
    68
    #3 garconcn, Oct 19, 2015
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    If you have ModSecurity you can easily add a rule to drop or deny the requests.

    Code:
    SecRule REQUEST_URI wp-restore.php "drop,id:28945,chain"
SecRule QUERY_STRING "root=1"
    This will drop the connection with a TCP reset. If you'd rather return an error page then change "drop" to "deny" however this may cause more load on the server.

    If you would rather drop based on the string "abdullkarem" then change "root=1" to that string. If they hit URL's other than wp-restore.php you could just use this rule instead:

    Code:
    SecRule QUERY_STRING "abdullkarem" "drop,id:28946"
     
    #4 quizknows, Oct 19, 2015
    garconcn likes this.
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    132
    Likes Received:
    6
    Trophy Points:
    68
    It works, this is exactly what I want. Thank you very much. Your modsec rule was always very helpful.
     
    #5 garconcn, Oct 21, 2015
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Always glad to help. Cheers.

    Edit: It appears many other people are seeing this scan. I'm also seeing it all over my network in audit logs, because other modsecurity rules I use were catching some of the requests. I'll probably deploy a rule widely to my customer base to deny these across the board.

    WordPress › Support » Whois Abdull Karem and why are they scanning?
     
    #6 quizknows, Oct 21, 2015
    Last edited: Oct 21, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - block kind wordpress
  1. Shood

    Prevent users from sending emails that gets server IP blocked?

    Shood, Sep 14, 2018, in forum: E-mail Discussion
    Replies:
    8
    Views:
    124
    Shood
    Sep 21, 2018 at 3:49 AM
  2. joaosavioli

    Blocked distributed ftpd attack emails and LFD going down

    joaosavioli, Sep 10, 2018, in forum: Security
    Replies:
    3
    Views:
    97
    joaosavioli
    Sep 20, 2018 at 9:25 AM
  3. PumpinIron

    SOLVED Block incoming email with multiple recipients (CCs)?

    PumpinIron, Sep 9, 2018, in forum: E-mail Discussion
    Replies:
    3
    Views:
    68
    cPanelLauren
    Sep 10, 2018
  4. Hays Sleiman

    SOLVED CSF Blocking Google DNS + dig Command

    Hays Sleiman, Sep 5, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    7
    Views:
    107
    cPanelLauren
    Sep 7, 2018
  5. Marani

    Have I been Blocked?

    Marani, Aug 26, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    131
    cPanelLauren
    Aug 27, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice