Search found 46 matches
- 11 Apr 2013, 18:46
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
Sergio, Yes, the lines are identical, except the nolog/log and your msg which says "Patrick..." I'll try changing the log back to nolog to see if that makes a difference. Where did you put the ErrorDocument 406 "Not Acceptable" line? Patrick stated it would/should work within the...
- 11 Apr 2013, 18:17
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
Sergio, Good idea. I changed mine to do the same. Have an issue though... Now I'm getting the following: [Thu Apr 11 12:13:46 2013] [error] [client 81.213.192.113] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-log...
- 11 Apr 2013, 14:35
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
I *think* Patrick's solution worked for us. Too early to tell yet. Out of curiosity, how did everyone else implement Patrick's solution? I added a file called: 05_pat_bruteforce_wp-login.conf to the mod sec rules directory I have (that contains the ASL files from GotRoot.com), with his solution in p...
- 10 Apr 2013, 19:11
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
The links provided by dvk01 to the mod sec rules didn't work :( The attacks started at exactly 1:00 PM central time. Before then, all was fine and quiet. They will continue from now until about 5:30 PM central time (which is when they stopped yesterday). I'm about to try the links that sawbuck just ...
- 09 Apr 2013, 21:45
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
Here are my settings. # [*]Enable failure detection of repeated Apache mod_security rule triggers LF_MODSEC = "5" LF_MODSEC_PERM = "1" These IPs do NOT show up in any MOD SEC logs. Mod Security is NOT catching these since they are only calling a direct link to wordpress login UR...
- 09 Apr 2013, 20:01
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
Exactly. Mine is also set to 5. Here's an example as this has happened today now for all of our servers... multiple times yet. In /home/username/access-logs/domainname.tld are over 1300 of these... 189.18.139.42 - - [09/Apr/2013:13:57:31 -0500] "POST /wp-login.php HTTP/1.1" 500 358 "-...
- 08 Apr 2013, 16:03
- Forum: Suggestions (cxs)
- Topic: Send mail to scripts owner (victims)
- Replies: 13
- Views: 32003
Re: Send mail to scripts owner (victims)
Ok, got this to work. Just can't change any of the From: To: CC: lines. They MUST be set as what the default template is set to. What I would like to know is can the template be modified any further? For example: ----------- SCAN REPORT ----------- (/usr/sbin/cxs --allusers --clamdsock /var/clamd --...
- 08 Apr 2013, 15:51
- Forum: General Discussion (csf)
- Topic: Multiple attempts to hack into wp-login from same IP
- Replies: 34
- Views: 78634
Re: Multiple attempts to hack into wp-login from same IP
Ked, Agreed. I already have Mod Sec and the GotRoot rules installed. While this does help, it does not prevent a brute force attack on a customer's WordPress site (specifically wp-admin.php). So the same IP address is constantly hitting hXXp://www.somesite.tld/wp-admin over and over again trying to br...
- 15 Mar 2013, 17:11
- Forum: General Discussion (csf)
- Topic: Monitor REFUSED/denied DNS queries in /var/log/messages
- Replies: 1
- Views: 3446
Re: Monitor REFUSED/denied DNS queries in /var/log/messages
In case anyone else runs into this. Setting LF_BIND to 250 did the trick for me.
- 14 Mar 2013, 16:20
- Forum: General Discussion (csf)
- Topic: Monitor REFUSED/denied DNS queries in /var/log/messages
- Replies: 1
- Views: 3446
Monitor REFUSED/denied DNS queries in /var/log/messages
Is there a way (and if not, can it be added), to monitor the /var/log/messages file for denied/REFUSED dns queries and block the IP addresses that hit a specific site more than so many times..? Example: Mar 14 11:09:47 HOSTNAME named[11275]: client 97.107.20.11#19420: query (cache) 'domainname.com/M...