Search found 47 matches

by peterelsner
11 Apr 2013, 18:46
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

Sergio, Yes, the lines are identical, except the nolog/log and your msg which says "Patrick..." I'll try changing the log back to nolog to see if that makes a difference. Where did you put the ErrorDocument 406 "Not Acceptable" line? Patrick stated it would/should work within the file itself, but I ...
by peterelsner
11 Apr 2013, 18:17
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

Sergio, Good idea. I changed mine to do the same. Have an issue though... Now I'm getting the following: [Thu Apr 11 12:13:46 2013] [error] [client 81.213.192.113] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.co...
by peterelsner
11 Apr 2013, 14:35
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

I *think* Patrick's solution worked for us. Too early to tell yet. Out of curiosity, how did everyone else implement Patrick's solution? I added a file called: 05_pat_bruteforce_wp-login.conf to the mod sec rules directory I have (that contains the ASL files from GotRoot.com), with his solution in p...
by peterelsner
10 Apr 2013, 19:11
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

The links provided by dvk01 to the mod sec rules didn't work :( The attacks started at exactly 1:00 PM central time. Before then, all was fine and quiet. They will continue from now until about 5:30 PM central time (which is when they stopped yesterday). I'm about to try the links that sawbuck just ...
by peterelsner
09 Apr 2013, 21:45
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

Here are my settings. # [*]Enable failure detection of repeated Apache mod_security rule triggers LF_MODSEC = "5" LF_MODSEC_PERM = "1" These IPs do NOT show up in any MOD SEC logs. Mod Security is NOT catching these since they are only calling a direct link to WordPress login URLs, i.e.: hXXp://www....
by peterelsner
09 Apr 2013, 20:01
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

Exactly. Mine is also set to 5. Here's an example, as this has happened today now for all of our servers... multiple times yet. In /home/username/access-logs/domainname.tld there are over 1300 of these: 189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 ...
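The access-log pattern quoted in this post (hundreds of POST /wp-login.php from one client, no ModSecurity rule firing, so LF_MODSEC has nothing to count) is the signal a log-side detector has to pick up itself. The following is an added example, not code from csf, ModSecurity or anyone in this thread: it parses Apache combined-log lines and flags client IPs that POST to wp-login.php at least N times inside a sliding time window. The sample lines are constructed (the first IP is the one quoted in the post; the other two are documentation addresses), and the window length and threshold are assumptions chosen to match the LF_MODSEC = "5" setting discussed above.

```python
"""Flag clients brute-forcing wp-login.php straight from the Apache access log.

Added example; not csf, ModSecurity or any poster's code. It counts
POST /wp-login.php requests per client IP inside a sliding time window,
which is the signal LF_MODSEC never sees when no ModSecurity rule fires.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines modelled on the entry quoted in the post.
# 198.51.100.9: five POSTs spread over 40 minutes (slow, stays under a 5-minute window)
# 189.18.139.42: six POSTs in six seconds (the quoted attacker, returning 500s as in the post)
# 203.0.113.7: one GET and one POST (a normal login)
SAMPLE_LOG = """\
198.51.100.9 - - [09/Apr/2013:13:00:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [09/Apr/2013:13:10:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [09/Apr/2013:13:20:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [09/Apr/2013:13:30:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [09/Apr/2013:13:40:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (constructed)"
189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (constructed)"
189.18.139.42 - - [09/Apr/2013:13:57:32 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (constructed)"
189.18.139.42 - - [09/Apr/2013:13:57:33 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (constructed)"
189.18.139.42 - - [09/Apr/2013:13:57:34 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (constructed)"
189.18.139.42 - - [09/Apr/2013:13:57:35 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (constructed)"
189.18.139.42 - - [09/Apr/2013:13:57:36 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [09/Apr/2013:13:58:00 -0500] "GET /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [09/Apr/2013:13:58:05 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"
"""


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line is not a combined-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), APACHE_TIME)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_login_brute_forcers(lines, threshold=5, window_seconds=300, path="/wp-login.php"):
    """Return {ip: peak_count} for clients that POST to `path` at least `threshold`
    times within any `window_seconds` span. Lines are assumed to be in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of its POSTs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path, _status = parsed
        # Only login POSTs count; strip the query string so /wp-login.php?action=... matches too
        if method != "POST" or req_path.split("?", 1)[0] != path:
            continue
        q = recent[ip]
        q.append(ts)
        # Slide the window: drop timestamps older than window_seconds before this hit
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_login_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} login POSTs inside a 300 s window")
```

With the defaults only the quoted attacker is flagged; the slow client at 198.51.100.9 reaches the threshold only when the window is widened to an hour, which is the trade-off between catching low-and-slow guessing and not blocking a user who mistypes a password a few times in an afternoon. What to do with the flagged IPs (handing them to csf's deny list, for instance) is left out of the example.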
by peterelsner
08 Apr 2013, 16:03
Forum: Suggestions (cxs)
Topic: Send mail to scripts owner (victims)
Replies: 13
Views: 15231

Re: Send mail to scripts owner (victims)

Ok, got this to work. Just can't change any of the From: To: CC: lines. They MUST be set as what the default template is set to. What I would like to know is can the template be modified any further? For example: ----------- SCAN REPORT ----------- (/usr/sbin/cxs --allusers --clamdsock /var/clamd --...
by peterelsner
08 Apr 2013, 15:51
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 59301

Re: Multiple attempts to hack into wp-login from same IP

Ked, Agreed. I already have Mod Sec and the GotRoot rules installed. While this does help, it does not prevent a brute force attack on a customer's WordPress site (specifically wp-admin.php). So the same IP address is constantly hitting hXXp://www.somesite.tld/wp-admin over and over again trying to br...
by peterelsner
15 Mar 2013, 17:11
Forum: General Discussion (csf)
Topic: Monitor REFUSED/denied DNS queries in /var/log/messages
Replies: 1
Views: 1839

Re: Monitor REFUSED/denied DNS queries in /var/log/messages

In case anyone else runs into this. Setting LF_BIND to 250 did the trick for me.
by peterelsner
14 Mar 2013, 16:20
Forum: General Discussion (csf)
Topic: Monitor REFUSED/denied DNS queries in /var/log/messages
Replies: 1
Views: 1839

Monitor REFUSED/denied DNS queries in /var/log/messages

Is there a way (and if not, can it be added) to monitor the /var/log/messages file for denied/REFUSED DNS queries and block the IP addresses that hit a specific site more than so many times? Example: Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#19420: query (cache) 'domainname.com/M...
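The per-client, per-name counting this post asks for is simple to do outside csf as well (the follow-up in this thread found csf's own LF_BIND setting sufficient). The following is an added example, not code from csf, BIND or the poster: it parses the "query ... denied" lines named writes to syslog and returns the client IPs whose refused queries for one name reach a threshold. The quoted log line is truncated on the page, so the sample lines are constructed in BIND's logging format as I know it (client IP#port, then query (cache) 'name/type/class' denied); the optional "@0x..." pointer and "(name)" fields that newer BIND versions add are accepted but are an assumption, as are the names, the second client address and the thresholds.

```python
"""Find clients whose queries for one name BIND keeps refusing.

Added example; not csf, BIND or the poster's code. Parses the
'query ... denied' lines named logs to syslog (the post's /var/log/messages)
and counts them per (client IP, queried name).
"""
import re
from collections import Counter

# 'client 97.107.20.11#19420: query (cache) 'example.com/MX/IN' denied'
# Newer BIND versions insert '@0x...' before the address and '(name)' after the port;
# both are optional here (assumption about those versions' format).
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query(?: \([^)]*\))? '(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)' denied"
)

# Constructed sample, modelled on the line quoted in the post (first client IP and
# hostname placeholder taken from it; names and the second client are invented).
SAMPLE_MESSAGES = """\
Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#19420: query (cache) 'example.com/MX/IN' denied
Mar 14 11:09:48 HOSTNAME named[11275]: client 97.107.20.11#19421: query (cache) 'example.com/A/IN' denied
Mar 14 11:09:49 HOSTNAME named[11275]: client 97.107.20.11#19422: query (cache) 'example.com/MX/IN' denied
Mar 14 11:09:50 HOSTNAME named[11275]: client 97.107.20.11#19423: query (cache) 'example.com/TXT/IN' denied
Mar 14 11:09:51 HOSTNAME named[11275]: client 203.0.113.5#53011: query (cache) 'example.com/A/IN' denied
Mar 14 11:09:52 HOSTNAME named[11275]: client 203.0.113.5#53012: query (cache) 'example.net/A/IN' denied
Mar 14 11:09:53 HOSTNAME named[11275]: client 203.0.113.5#53013: query (cache) 'example.net/A/IN' denied
Mar 14 11:09:54 HOSTNAME named[11275]: client 203.0.113.5#53014: query (cache) 'example.net/A/IN' denied
Mar 14 11:09:55 HOSTNAME named[11275]: zone example.org/IN: loaded serial 2013031401
"""


def parse_denied(line):
    """Return (client_ip, queried_name, record_type) or None for lines that are not refusals."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    # Normalise the name so 'Example.COM.' and 'example.com' count together
    return m.group("ip"), m.group("name").lower().rstrip("."), m.group("rtype")


def denied_counts(lines):
    """Count refused queries per (client_ip, queried_name)."""
    counts = Counter()
    for line in lines:
        parsed = parse_denied(line)
        if parsed:
            ip, name, _rtype = parsed
            counts[(ip, name)] += 1
    return counts


def clients_to_block(lines, target_name, threshold):
    """Client IPs whose refused queries for `target_name` reach `threshold`, sorted."""
    target = target_name.lower().rstrip(".")
    counts = denied_counts(lines)
    return sorted(ip for (ip, name), n in counts.items() if name == target and n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_MESSAGES.splitlines()
    for (ip, name), n in sorted(denied_counts(lines).items()):
        print(f"{ip} -> {name}: {n} refused")
    print("block for example.com at 3:", clients_to_block(lines, "example.com", 3))
```

Counting per (client, name) rather than per client alone is what lets a threshold of a few hundred (the LF_BIND value that worked later in this thread) distinguish a resolver hammering one non-authoritative name from a busy resolver that happens to send an occasional refused query.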