How to block this kind of wordpress scan?
Recently, I've seen lots of scanning traffic like the following on WordPress sites. How can I block it? Is there a way to deny any request containing the string "abdullkarem" in ModSecurity? Thanks
Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223
Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212
Do you have CSF installed? It has options for blocking an IP after x 404s. You might find something of use here as well (some random links pulled from Google):
WordPress » Support » Non-existent page for xmlrpc.php
Server very high load when wordpress was attacked
Yes, I have CSF and also block IPs after 100 404 errors. The problem is that the attack comes in a big wave of connections, sometimes from many different IPs.
If you have ModSecurity you can easily add a rule to drop or deny the requests.
SecRule REQUEST_URI wp-restore.php "drop,id:28945,chain"
SecRule QUERY_STRING "root=1"
This will drop the connection with a TCP reset. If you'd rather return an error page then change "drop" to "deny"; however, this may cause more load on the server. If you would rather drop based on the string "abdullkarem" then change "root=1" to that string. If they hit URLs other than wp-restore.php you could just use this rule instead:
SecRule QUERY_STRING "abdullkarem" "drop,id:28946"
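As an added example that is not part of this thread, the following script parses access-log lines in the format shown in the question and reports, per source IP, how many requests match the two indicators discussed above (a probe for wp-restore.php, or the "abdullkarem" query parameter) alongside the 404 count that a CSF-style threshold would act on. The parser regex, function names and the third (benign) sample line with the documentation address 198.51.100.7 are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Matches the syslog-prefixed access-log format shown in the question
# (assumed layout: syslog time, client IP, "- -", [timestamp], request, status, vhost, bytes).
LOG_RE = re.compile(
    r'^(?P<syslog>\w{3} +\d+ [\d:]+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<host>\S+) (?P<bytes>\d+|-)$'
)

# Indicators taken from the thread: the probed file name and the marker query parameter.
MARKER_PARAM = "abdullkarem"
PROBE_PATH = "wp-restore.php"

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_scan(entry):
    """True when the request matches either indicator from the thread."""
    parts = urlsplit(entry["target"])
    if parts.path.endswith("/" + PROBE_PATH):
        return True
    return MARKER_PARAM in parse_qs(parts.query)

def summarize(lines):
    """Return (scan requests per IP, 404 responses per IP) as two Counters."""
    scan_hits, not_found = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # skip lines that are not in the expected format
        if is_scan(e):
            scan_hits[e["ip"]] += 1
        if e["status"] == "404":
            not_found[e["ip"]] += 1
    return scan_hits, not_found

# Constructed sample: the two lines from the question plus one benign request.
SAMPLE = """\
Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-content/wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 223
Oct 19 09:55:32 176.31.248.135 - - [18/Oct/2015:20:26:54 -0700] "GET /wp-restore.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 domain.com 212
Oct 19 09:55:40 198.51.100.7 - - [18/Oct/2015:20:27:02 -0700] "GET /index.php HTTP/1.1" 200 domain.com 5120
""".splitlines()

if __name__ == "__main__":
    hits, nf = summarize(SAMPLE)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} scan requests, {nf[ip]} 404s")
```

Feeding a real log through summarize() shows which addresses carry the scan signature even when each one stays under a plain 404 threshold, which is the gap the "many different IPs" comment above describes.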
It works; this is exactly what I want. Thank you very much. Your modsec rules have always been very helpful.
Always glad to help. Cheers. Edit: It appears many other people are seeing this scan. I'm also seeing it all over my network in audit logs, because other ModSecurity rules I use were catching some of the requests. I'll probably deploy a rule widely to my customer base to deny these across the board. WordPress » Support » Whois Abdull Karem and why are they scanning?