The Community Forums

Interact with an entire community of cPanel & WHM users!
How to block this kind of wordpress scan?

Discussion in 'Security' started by garconcn, Oct 19, 2015.

  1. garconcn

    garconcn Well-Known Member

    Recently, I've seen lots of scanning traffic like the following on WordPress sites. How do I block it? Is there a way to deny any request containing the string "abdullkarem" in ModSecurity? Thanks

    Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223

    Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. garconcn

    garconcn Well-Known Member

  4. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    If you have ModSecurity, you can easily add a rule to drop or deny the requests.

    Code:
    SecRule REQUEST_URI wp-restore.php "drop,id:28945,chain"
    SecRule QUERY_STRING "root=1"
    
    This will drop the connection with a TCP reset. If you'd rather return an error page, change "drop" to "deny"; however, this may cause more load on the server.

    If you would rather drop based on the string "abdullkarem", change "root=1" to that string. If they hit URLs other than wp-restore.php, you could just use this rule instead:

    Code:
    SecRule QUERY_STRING "abdullkarem" "drop,id:28946"
    
     
    garconcn likes this.
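    As an added example (not code from this thread, from quizknows, or from cPanel), the Python script below applies the same two conditions as the rules above to access-log lines in the format garconcn quoted: rule 28945 fires only when the path names wp-restore.php AND the query string carries root=1 (the "chain" semantics), while rule 28946 fires on "abdullkarem" anywhere in the query string. Running it over a log before deploying the rules shows which requests each one would catch and how many hits each source IP produced. The first two sample lines are the ones quoted in the thread; the other two lines, the log-format regex, and all function names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in the thread's layout: syslog prefix, client IP,
# "- -", CLF timestamp, request line, status, vhost, bytes.
# Lines 1-2 are the ones quoted in the thread; lines 3-4 are made up here
# to show a benign request with root=1 and a request with the marker on a
# different path.
SAMPLE_LOG = """\
Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223
Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212
Oct 19 09:56:01 203.0.113.7 - - [18/Oct/2015:20:27:23 -0700] "GET /wp-admin/admin-ajax.php?action=heartbeat&root=1 HTTP/1.1" 200 domain.com 51
Oct 19 09:56:10 198.51.100.9 - - [18/Oct/2015:20:27:32 -0700] "GET /blog/?abdullkarem=1 HTTP/1.0" 200 domain.com 8192
"""

# Assumed log layout (matches the lines quoted in the thread).
LOG_RE = re.compile(
    r'^(?P<syslog>\w{3} +\d+ [\d:]+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) '
    r'(?P<vhost>\S+) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return ip, path, query and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": parts.query,
        "status": int(m.group("status")),
    }


def matches_rule_28945(path, query):
    """Chained rule: the path names wp-restore.php AND the query has root=1.
    Both must hold, as ModSecurity's 'chain' action requires."""
    if "wp-restore.php" not in path.lower():
        return False
    params = parse_qs(query, keep_blank_values=True)
    return "1" in params.get("root", [])


def matches_rule_28946(query):
    """Standalone rule: the marker string appears anywhere in the query string."""
    return "abdullkarem" in query.lower()


def classify(rec):
    """List the rule ids that would fire for one parsed request."""
    hits = []
    if matches_rule_28945(rec["path"], rec["query"]):
        hits.append(28945)
    if matches_rule_28946(rec["query"]):
        hits.append(28946)
    return hits


def scan_sources(log_text):
    """Count requests per client IP that at least one rule would catch.
    Lines that do not parse are skipped rather than crashing the run."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["ip"], rec["path"], classify(rec))
    print(scan_sources(SAMPLE_LOG))
```

    The third sample line shows why the chain matters: root=1 on admin-ajax.php is not blocked by rule 28945, so a legitimate parameter on another path does not trip it. The ModSecurity rule uses a regex (`wp-restore.php`, where the dot matches any character); the Python check uses a plain substring, which is slightly stricter but flags the same requests in practice.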
  5. garconcn

    garconcn Well-Known Member

    It works; this is exactly what I want. Thank you very much. Your modsec rules have always been very helpful.
  6. quizknows

    quizknows Well-Known Member

    Always glad to help. Cheers.

    Edit: It appears many other people are seeing this scan. I'm also seeing it all over my network in audit logs, because other ModSecurity rules I use were catching some of the requests. I'll probably deploy a rule widely to my customer base to deny these across the board.

    WordPress › Support » Whois Abdull Karem and why are they scanning?
    #6 quizknows, Oct 21, 2015
    Last edited: Oct 21, 2015