Page 1 of 1

Question regarding suspicious PHP

Posted: 21 Dec 2022, 21:26
by cglmicro
Hi guys.

I saw your post viewtopic.php?t=2985 regarding blocking suspicious PHP files, but I have questions regarding this...

I receive batch of emails like this from time to time:
Scanning web upload script file... Time : Wed, 21 Dec 2022 13:36:03 -0500 Web referer URL : www.google.com Local IP : 192.XXX.XXX.XXX Web upload script user : mywebsite
(1008) Web upload script owner: mywebsite (1008) Web upload script path : /home/mywebsite/public_html/wp-admin/admin-ajax.php Web upload script URL : ....ca/wp-admin/admin-ajax.php?action=uploadFontIcon Remote IP : 172.71.95.13 Deleted : No Quarantined
: Yes [/home/mywebsite/.quarantine/20221221-133602-Y6NSEvZMj1ODjbhUdUZ3ggAAACM-file-QG4hkN.1671647763_1]

or

Scanning web upload script file... Time : Wed, 21 Dec 2022 13:36:18 -0500 Web referer URL : www.google.com Local IP : 192.XXX.XXX.XXX Web upload script user : mywebsite
(1008) Web upload script owner: () Web upload script path : /home/mywebsite/public_html/wp-content/plugins/divi-contact-extended Web upload script URL : ....ca/wp-content/plugins/divi-contact-extended/includes/upload.php Remote IP : 172.71.98.197
Deleted : No Quarantined : Yes [/home/mywebsite/.quarantine/20221221-133617-Y6NSIT7nWVx48U2q_vD8NgAAAAY-file-fTQChE.1671647778_1] NOTE: [/home/mywebsite/public_html/wp-content/plugins/divi-contact-extended] does not exist on this server. However, ModSecurity
is still triggering cxs to scan the attempted uploading of potentially malicious data

My questions are:

- For the first example, why is my WordPress allow someone to upload a file using the "admin-ajax.php" located inside the /wp-admin/ ? Shouldn't he be blocked and asked a password before being able to access "http://www.cglmicro.ca/wp-admin/admin-a ... adFontIcon" ? Does it mean he has an admin access of some kind in my WordPress ?

- For the second example, I can see I don't have the mentioned plugin "/public_html/wp-content/plugins/divi-contact-extended", so the hacker can't exploit that plugins to gain access to my site, and the "web upload script owner" is empty. Is it normal that an hacker can try many URL to see if I have a vuln without being blocked ?

- What should I do to prevent anyone to upload PHP files, except for admin users that are logged in WordPress ?

Thank you.

Re: Question regarding suspicious PHP

Posted: 02 Jan 2023, 23:58
by Sergio
First, check permissions on your files and folders, change any folder with "777" access to 755.
Also, check all WP files and they should be 644. For me the only file that should have "444" is the wp_config file as in there are sensitive info.

If you have folders with "777", that give hackers an open door and can upload malicious files without the need to have your admin password.

Regarding "Is it normal that an hacker can try many URL to see if I have a vuln without being blocked ?" yes it is normal. To mitigate that, you should check the triggered ModSecurity rules and create a CSF rule to block any IP that triggers that rules at the first attempt.

Sergio

Re: Question regarding suspicious PHP

Posted: 03 Jan 2023, 15:07
by cglmicro
Thank you Sergio, will check this.