webdeepak
Forum Replies Created
Forum: Plugins
In reply to: [Pods - Custom Content Types and Fields] Create 800 customer post type pages
I went on the Slack support channel yesterday and asked the question.
Did get told that the WordPress internal import can handle this. I’m not sure how but will investigate and update here.
Also got told that the free version of these plugins can carry out the import. I’ve looked at the descriptions; for “Import Custom Post Type” you would need a license. Will check and report back.
Also fell into a rabbit hole with the data structure of WordPress and Pods for the first time. post and podsrel seem to be the tables of interest. Not sure I have the time to do the detailed investigation here.
Forum: Plugins
In reply to: [Pods - Custom Content Types and Fields] Create 800 customer post type pages
Thanks @bkantique,
Would you be able to share the mappings and the link to the plugin?
Regards
As per my understanding WordFence might not be getting the request with the Malware at all. It is not picking up the request ahead of the PHP/WordPress.
The AV is picking up the Malware and killing it, and it breaks the request, hence a 403.
One final thing I’m trying here, for IIS users, using Request Filtering:
I do not want the requests to even get processed and the malware dropped. So testing with the following now.
    <!-- goes under <system.webServer> in web.config -->
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
          <add sequence="\" />
          <add sequence="/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
Please close the ticket if not already done so
@wfadam
Thanks for the update. This is exactly what is happening.
In my understanding a WAF (Web Application Firewall) picks up the request before the application and forwards or stops it based on the rules. Also when I read the documentation, when it said to let WordFence load before WordPress I thought that is what it meant.
WAF -> Application (PHP)
But in this case all the items are a bit mixed. WordFence is picking up the request too late in the process to stop the malware getting through. In this case the AV software stopped the malware but there is no guarantee that WordFence can do that consistently, and I would not expect it to as it’s not an AV product.
But it’s not a true WAF either and that’s fine with me. I can also see that it does not learn from the type of calls being made. If I have to jump in each time then I can add the same items to the RequestFilter attribute in web.config, which is what I’ve resorted to doing.
For anyone else having these issues, you can try the following:
1) Install Microsoft Security Essentials
2) Install a Malware protector and bad IP protector.
3) Use WordFence and use it as a WAF and it will Log to IIS Logs as 503
4) Use LogReader (15 year old software) Still good to use to scan the logs and a simple powershell script to block the IPs from the server.
Job Done.
Also when WordFence stops the request I get a 503 in the logs.
So when the request was moved from IIS to WordPress/WordFence the request was carried out/executed. The Payload / Malware was dropped but the AntiVirus was able to pick this up and clean it.
It seems WordFence was not able to stop the request even though the rules do say to reject the request to this end point.
404s are stopped by IIS.
403 calls were the calls that went through and dropped the Malware.
To confirm, the following rules were in place in WordFence under “Immediately block IPs that access these URLs”:
/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
/.env
/wp-content/plugins/wp-file-manager*
As of the above attack I’m using WordFence Version 7.4.11 and WordPress 5.5.1
@wfadam
Your explanation is correct: the 404 19 are IIS request filtering, which can stop the requests when there is no post data. When there is a payload the request goes through to WordPress/WordFence and here it is not stopping it.
2020-10-12 13:04:31 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 27.75.24.8 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 250
2020-10-12 13:04:33 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 118.173.220.248 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 187
2020-10-12 13:04:37 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 103.70.130.238 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 2250
2020-10-12 13:04:56 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 123.25.218.6 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 843
2020-10-12 13:05:01 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 113.181.100.89 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 625
2020-10-12 13:05:03 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 223.229.253.0 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 453
2020-10-12 13:05:04 IPaddress POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 188.163.22.193 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 265
@wfadam
To also confirm, I do not use wp-file-manager. This folder does not exist under plugins.
And I have seen the link you have provided; the IP addresses are not the ones in the above log, and also I have set up the rules that would block the requests.
Thanks
Hi WFAdam,
Sorry for the late response, I only got a notification today when I responded to @mongobongo.
The 3 logs are as follows
2020-09-29 10:34:29 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 192.82.65.72 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 125
2020-09-29 10:34:30 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 188.234.192.55 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 404 19 0 93
2020-09-29 10:34:35 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 112.207.96.23 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.15;+rv:77.0)+Gecko/20100101+Firefox/77.0 https://mysite/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 403 0 0 656
The return code for the first two was 404; the third one was 403, and this is what deployed the malware, which did get picked up by the AntiVirus and killed. It was deployed in the /tmp folder as suggested.
I do have a couple of rules for this as they started calling in readme etc files as well.
/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
/wp-content/plugins/wp-file-manager*
Similar to as stated before, I do not have the wp-file-manager plugin.
Windows 2012 with IIS 8.0
WordPress 5.5.1
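The log excerpts in this reply and in the earlier reply to @wfadam, together with the "LogReader plus a simple powershell script" step in the step list further up, describe the same triage done by hand: find which requests to the connector.minimal.php path were stopped by IIS request filtering (404 with substatus 19) and which got through to WordPress (403), then block the source IPs. The script below is an added example, not the poster's tooling or anything shipped by Wordfence or IIS. The `#Fields` header, server IP and client IPs are constructed sample data in the same column order as the posted log lines; 404.5 and 404.19 are IIS request-filtering denial substatuses, while 403 and 503 are read the way the poster reports them (403 = request reached WordPress, 503 = Wordfence blocked it).

```python
"""Triage an IIS W3C log for requests to a filtered URL and list the client
IPs whose requests still reached WordPress (added example, not the poster's)."""
import sys
from collections import Counter

# Path prefix the poster's request-filtering and Wordfence rules cover.
WATCHED_PREFIX = "/wp-content/plugins/wp-file-manager"

# Constructed sample log in the field order shown in the forum posts.
# Server IP and client IPs are documentation addresses, not real hosts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-10-12 13:04:31 10.0.0.5 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 192.0.2.10 Mozilla/5.0+(X11;+Linux) https://mysite/ 404 19 0 250
2020-10-12 13:04:37 10.0.0.5 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 198.51.100.20 Mozilla/5.0+(X11;+Linux) https://mysite/ 403 0 0 2250
2020-10-12 13:05:01 10.0.0.5 GET /index.php - 443 - 203.0.113.7 Mozilla/5.0+(X11;+Linux) - 200 0 0 15
2020-10-12 13:05:04 10.0.0.5 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 198.51.100.20 Mozilla/5.0+(X11;+Linux) https://mysite/ 403 0 0 265
2020-10-12 13:05:09 10.0.0.5 POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php - 443 - 198.51.100.21 Mozilla/5.0+(X11;+Linux) https://mysite/ 503 0 0 120
"""


def classify(rec):
    """Map one log record to where in the pipeline the request was handled.

    404.5 / 404.19 are IIS request-filtering denials (the request never
    reached PHP). 403 and 503 follow the poster's observations: 403 means
    the request reached WordPress and was answered there, 503 means
    Wordfence rejected it.
    """
    status, sub = int(rec["sc-status"]), int(rec["sc-substatus"])
    if status == 404 and sub in (5, 19):
        return "blocked_at_iis"
    if status == 503:
        return "blocked_by_wordfence"
    if status == 403:
        return "reached_app"
    return "other"


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    IIS writes one space-separated record per line and replaces spaces
    inside values with '+', so a plain split on ' ' is safe.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat after a log rotation
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        records.append(dict(zip(fields, parts)))
    return records


def triage(text, prefix=WATCHED_PREFIX):
    """Count how requests under `prefix` were handled and list IPs to block.

    Only requests that got past IIS and into WordPress (403) are proposed
    for blocking; 404.19 hits were already stopped by request filtering.
    """
    hits = [r for r in parse_iis_log(text) if r["cs-uri-stem"].startswith(prefix)]
    counts = Counter(classify(r) for r in hits)
    offenders = Counter(r["c-ip"] for r in hits if classify(r) == "reached_app")
    return {"counts": dict(counts), "ips_to_block": sorted(offenders)}


if __name__ == "__main__":
    # Pass a log file path to triage a real log; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    result = triage(text)
    for label, n in sorted(result["counts"].items()):
        print(f"{label}: {n}")
    print("block:", ", ".join(result["ips_to_block"]) or "(none)")
```

On the sample the script reports one request stopped by IIS, two that reached WordPress, one blocked by Wordfence, and proposes 198.51.100.20 for blocking. The `ips_to_block` list is the input to the firewall step the poster describes; on Windows that is typically a `New-NetFirewallRule` call with `-Direction Inbound -Action Block` and the addresses in `-RemoteAddress`.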