Hi Edward,
I’m in the early learning stage with my security logs, so I would appreciate your feedback on this.
I’ve found a WPADMIN-SBR event code in my security log, with an HTTP/1.1 referrer and an OK (?) user agent, as below:
[403 GET / HEAD Request: 17th January 2015 - 10:22 pm]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 134.249.140.218
Host Name: 134-249-140-218-gprs.kyivstar.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://mysite.com
REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.68 Safari/534.30
But the same host name is then also logged for heaps of repeated requests for plugins/themes that I don’t have, with an event code of BFHS and occasionally PFWR-PSBR-HPR. An example is below:
[403 GET / HEAD Request: 17th January 2015 - 10:23 pm]
Event Code: PFWR-PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 134.249.140.218
Host Name: 134-249-140-218-gprs.kyivstar.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://mysite.com/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php
REQUEST_URI: /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.68 Safari/534.30
From the above, I’m guessing it’s not something I need to add to my wp-admin skip/bypass rule? Sorry it’s so basic – is this typical of how hackers/probes behave?
Cheers.