Herself's Webtools


Requests I’m blocking


Your WP Security plugin only catches bad bots if you tell it who the bad bots are and what requests to block. This is my current list of bad requests. You can copy and paste it into the request blacklist after your current list and hit the update button, and it will add them to your list.

12/3/09
DOCUMENT_ROOT

12/30/2008 While you can turn off trackbacks in the WP 2.7 settings, that does not stop spam comments coming in that way. If you do not allow trackbacks, add
trackback
to your banished request list.

12/30/2008 Nathan ( site unknown ) sent me a great list of requests to block. I’m only adding a few of them here, since many of them will catch users who haven’t whitelisted themselves. These ones are all bad requests and didn’t give any false positives on WP:

cmd.exe
root.exe
shell.exe
_vti_bin
cltreq.asp

8/29/08

$_GET
(java|vb)
.gif?
.jpg?
.txt?
.xml?
</script>
<SCRIPT>
ASCII
CAST
com_jd-wp
CONCAT
DECLARE
DELETE
DOCUMENT_ROOT
formmail
includedir=
index.php?template=
INSERT
lwp-trivial
OPTIONS
passwd
PATH=
POST /xmlrpc.php
PROPFIND
register++++
SELECT
SERVER
sidebar.php?
UNION
UPDATE
word-tube-button.php?
wp-config
wp-table-button.php?
wp-trackback.php?
x-aaaaaaaaa

Notes:

I’m also checking the Emerging Threats rules downloads; it is a great site to learn a bit more about security. Go to emerging web_sql and scroll down to the WordPress section.

8/28/08
<SCRIPT>
</script>

8/11/08
CAST
DECLARE

Grumpy old man emailed to tell me a MySQL injection attack had been tried on his site using these terms that had not been caught by the security tool. I’m adding them to my list today and suggest you do as well. See SQL injection attack using DECLARE or New SQL Injection Attack Infecting Machines for more details.

7/16/08
Removed wp-login.php?redirect_to=http%3A%2F%2F; it keeps tripping on WP 2.6.

7/9/08 All of these were part of several attempted but failed hacks recently:
com_jd-wp
index.php?template=
board.php?see=ftp

7/6/08 I added ‘PATH=’ to the list.

New additions 6/18/08 ( still testing these )
passwd

New addition 6/17/08
$_GET

New addition 6/15/08
register+++

New addition 6/13/08:
.gif?
.jpg?
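The plugin’s matching is not spelled out in the post, so here is an added example (my own code, not the TTC plugin’s) of how such a request blacklist behaves when treated as case-insensitive substring matches on the decoded request line. It uses a subset of the entries above, plus the admin-ajax entry and the legitimate admin-ajax actions the commenters report as false positives; the dry-run function is the “still testing these” step, and the logged-in-admin pass-through is an assumption, not a plugin feature.

```python
import re
from urllib.parse import unquote

# Subset of the post's request blacklist, matched as case-insensitive substrings.
BLOCKED_REQUESTS = [
    "cmd.exe", "root.exe", "_vti_bin", "trackback", "DOCUMENT_ROOT", "$_GET",
    "<SCRIPT>", "</script>", "CAST", "DECLARE", "UNION", "SELECT", "passwd",
    "PATH=", "POST /xmlrpc.php", "PROPFIND", "wp-config", ".gif?",
    "admin-ajax.php?",  # the entry a commenter reports as problematic
]

# Assumption: legitimate admin-ajax actions seen in the comments, let through
# only when the request comes from a logged-in administrator.
ALLOWED_AJAX_ACTIONS = {"ajax-tag-search", "oembed-cache", "blc_dashboard_status"}


def matched_entry(request_line):
    """Return the first blacklist entry found in the percent-decoded,
    case-folded request line, or None if nothing matches."""
    needle = unquote(request_line).lower()
    for entry in BLOCKED_REQUESTS:
        if entry.lower() in needle:
            return entry
    return None


def classify(request_line, logged_in_admin=False):
    """Return 'allow' or 'block:<entry>'.  A logged-in admin calling one of the
    known admin-ajax actions is allowed even though 'admin-ajax.php?' matches."""
    entry = matched_entry(request_line)
    if entry is None:
        return "allow"
    action = re.search(r"admin-ajax\.php\?(?:.*&)?action=([\w-]+)", request_line)
    if logged_in_admin and action and action.group(1) in ALLOWED_AJAX_ACTIONS:
        return "allow"
    return "block:" + entry


def dry_run(log_lines):
    """Show which entry each logged request would trip before the list goes live."""
    return {line: classify(line) for line in log_lines}


SAMPLE_LOG = [  # constructed sample requests, not real traffic
    "GET /wp-content/uploads/photo.jpg",
    "GET /?p=1%20UNION%20SELECT%201",
    "GET /scripts/cmd.exe",
    "GET /wp-admin/admin-ajax.php?action=ajax-tag-search&q=origi",
    "GET /wp-admin/post.php?action=edit&post=6215&selected=1",
    "GET /category/podcast/",
    "POST /xmlrpc.php",
]
```

Running dry_run over SAMPLE_LOG shows the cost of short keywords: SELECT blocks the harmless “selected=1” and CAST blocks a “podcast” category, which is exactly why the author tests new entries against real traffic before adding them.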

Written by Linda MacPhee-Cobb

June 10th, 2008 at 8:21 am

Posted in security

8 Responses to 'Requests I’m blocking'


  1. I just got blocked from my own site due to this request made by the ajax tag lookup on the post edit page:

    /wp-admin/admin-ajax.php?action=ajax-tag-search&q=origi

    After a moment of panic, I was able to access my database and delete the rules.

    You may want to tweak that.

    jmanpa

    6 Jul 08 at 1:58 pm

  2. Thanks, I took that off the list.

    ljmacphee

    6 Jul 08 at 2:39 pm

  3. Hi, after this latest update I keep ending up on the bad IP list every time I add a new post. I think the issue might be when adding tags to the article. Below is the entry. (I have ‘x’ my IP on purpose)

    IP: xxx.xx.xx.xx January 06 2010 06:20:38
    Request: /wp-admin/admin-ajax.php?action=oembed-cache&post=6215
    Code: Attempted hack
    Accept: */*
    Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB6 (.NET CLR 3.5.30729)

    puentes

    6 Jan 10 at 8:31 am

  4. Whitelist your IP number. There are directions at the top of the plugin if you open it in an editor and also here: http://herselfswebtools.com/2008/07/how-to-add-a-white-list-to-the-ttc-security-plugin.html

    timestocome

    7 Jan 10 at 8:45 am

  5. The problems are kinda fixed. I am still facing the problem with the statistics plugin. My error log looks like this:

    [Fri Aug 20 12:03:08 2010] [error] [client 196.210.163.212] Directory index forbidden by Options directive: /var/www/clients/clientxx/webxx/web/wp-content/plugins/wp-wall/, referer: http://pacura.ru/
    [Fri Aug 20 12:03:09 2010] [error] [client 196.210.163.212] Directory index forbidden by Options directive: /var/www/clients/clientxx/webxx/web/wp-content/plugins/wp-slimstat-ex/lib/, referer: http://pacura.ru/wp-admin/admin.php?page=wp-slimstat-ex

    any ideas what is happening here?

    After reading the last persons comment about locking himself out, I am also interested in knowing if I can whitelist myself by username as I have a dynamic IP and I can’t possibly whitelist all possible IPs that my ISP is assigning me. I mean the plugin could check if I am logged in as an admin and totally ignore all my actions?

    ovidiu

    20 Aug 10 at 4:06 am

  6. sorry I spoke too soon, I can’t reach any of my admin pages, getting the message:

    The page isn’t redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    ovidiu

    20 Aug 10 at 4:07 am

  7. Firefox does that often, Gmail especially seems to be a problem. Close and restart Firefox.

    timestocome

    26 Aug 10 at 7:06 pm

  8. btw. this one is problematic, you might want to take it off the above list: admin-ajax.php?

    this is me using a plugin checking for broken links.

    Request: /wp-admin/admin-ajax.php?action=blc_dashboard_status&random=0.16194743337109685

    ovidiu

    21 Jul 11 at 2:21 am
