How to block this kind of wordpress scan?

garconcn · Oct 19, 2015

Recently, I've seen lots of scanning traffic like follows on wordpress sites. How to block those? Is there a way to deny any request for the string "abdullkarem" in modsecurity? Thanks

Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223

Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212

Infopro · Oct 19, 2015

Do you have CSF installed? It has options for blocking an IP after x 404s.

You might find something of use here as well (some random links pulled form google):
WordPress › Support » Non-existent page for xmlrpc.php
Server very high load when wordpress was attacked

garconcn · Oct 19, 2015

Infopro said: ↑

Do you have CSF installed? It has options for blocking an IP after x 404s.

You might find something of use here as well (some random links pulled form google):
WordPress › Support » Non-existent page for xmlrpc.php
Server very high load when wordpress was attacked
Click to expand...

Yes, I have CSF and also do block IP after 100 404 errors. The problem is the attack come with a big wave of connections, sometimes from many different IPs.

quizknows · Oct 19, 2015

If you have ModSecurity you can easily add a rule to drop or deny the requests.
Code:
SecRule REQUEST_URI wp-restore.php "drop,id:28945,chain"
SecRule QUERY_STRING "root=1"
This will drop the connection with a TCP reset. If you'd rather return an error page then change "drop" to "deny" however this may cause more load on the server.

If you would rather drop based on the string "abdullkarem" then change "root=1" to that string. If they hit URL's other than wp-restore.php you could just use this rule instead:
Code:
SecRule QUERY_STRING "abdullkarem" "drop,id:28946"

garconcn · Oct 21, 2015

quizknows said: ↑
If you would rather drop based on the string "abdullkarem" then change "root=1" to that string. If they hit URL's other than wp-restore.php you could just use this rule instead:
Code:
SecRule QUERY_STRING "abdullkarem" "drop,id:28946"
Click to expand...
It works, this is exactly what I want. Thank you very much. Your modsec rule was always very helpful.

quizknows · Oct 21, 2015

Always glad to help. Cheers.

Edit: It appears many other people are seeing this scan. I'm also seeing it all over my network in audit logs, because other modsecurity rules I use were catching some of the requests. I'll probably deploy a rule widely to my customer base to deny these across the board.

WordPress › Support » Whois Abdull Karem and why are they scanning?

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to block this kind of wordpress scan?

garconcn Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

garconcn Well-Known Member

quizknows Well-Known Member

garconcn Well-Known Member

quizknows Well-Known Member

lfd keeps blocking one particular user

Exceeded allotted quota of disk blocks error

Trying to find Cause of CBL blocking

Blocked IP traffic to UK

Configure SpamAssassin to block outgoing form mail

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to block this kind of wordpress scan?

garconcn Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

garconcn Well-Known Member

quizknows Well-Known Member

garconcn Well-Known Member

quizknows Well-Known Member

lfd keeps blocking one particular user

Exceeded allotted quota of disk blocks error

Trying to find Cause of CBL blocking

Blocked IP traffic to UK

Configure SpamAssassin to block outgoing form mail

Share This Page

Infopro cPanel Sr. Product Evangelist
Staff Member