XF 2.0 company closed because my site is attacking

Siraç

Member
the firm has shut down because it was attacked from my website
how can i solve this problem
If I apply the security fix here, will the troubleshooting be removed?




Code:
Url: [ma###ba.com/wp-content/plugins/woocommerce/includes/gwoozlmk.php]
Remote connection: [89.252.164.2:32794]
Headers: [array (
  'Host' => 'ma###ba.com',
  'Connection' => 'close',
  'Referer' => 'http://ma###ba.com/wp-content/plugins/woocommerce/includes/gwoozlmk.php',
  'Content-Length' => '155',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Accept-Language' => 'en-US,en;q=0.8',
  'User-Agent' => 'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13C75',
)]
Post data: [Array
(
    [nehlqazxjjnbyurd] => h/.%3Pt%7R9%3N%3N%279jqz%60fz%7Shrlgl%7Spfb%22%2Pb%222%22/%3Qdb%7P%7O%7Ohjdperoj%7O%7Ox%24%27c
)
]
 
Last edited:
Malicious requests received from your server

Code:
Url: [###.os###ti.com/popup/popres/minyaturb_1.jpg]
Remote connection: [89.252.164.2:55546]
Headers: [array (
  'Host' => '###.os###ti.com',
  'Accept-Encoding' => 'identity',
  'Accept' => 'image/*,*/*;q=0.8',
  'User-Agent' => 'XenForo/2.x (https://www.example.com)',
)]

Code:
Url: [RATANJHADIGITAL.COM/2019/xmlrpc.php]
Remote connection: [89.252.164.2:54572]
Headers: [array (
  'Host' => 'RATANJHADIGITAL.COM',
  'Accept-Charset' => 'utf-8,ISO-8859-2;q=0.8,*;q=0.7',
  'Accept-Language' => 'en-us;q=0.7,en;q=0.3',
  'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
  'Content-Length' => '342',
  'Content-Type' => 'application/x-www-form-urlencoded',
)]
Post data: [Array
(
    [<?xml version] => '1.0'?>
        <methodCall>
         <methodName>wp.getProfile</methodName>
         <params>
          <param><value><int>0</int></value></param>
          <param><value><string>admin</string></value></param>
          <param><value><string>1q2w3e4r5t</string></value></param>
         </params>
        </methodCall>
        
)
]
 
In what way was it attacked? Your examples in code blocks aren't particularly clear.

I only see one that looks like it was triggered by XF and that's this one:
Code:
Url: [###.os###ti.com/popup/popres/minyaturb_1.jpg]
Remote connection: [89.252.164.2:55546]
Headers: [array (
  'Host' => '###.os###ti.com',
  'Accept-Encoding' => 'identity',
  'Accept' => 'image/*,*/*;q=0.8',
  'User-Agent' => 'XenForo/2.x (https://www.example.com)',
)]

But this looks like it could just be downloading an image via the image proxy system.
 
Back
Top Bottom