Detect Content Management System (CMS) Hacking Attempts


This is the sixth post in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess file and Project Honey Pot to help reduce spam traffic hitting your website. 

The Blue Plate WAF is for small websites on basic hosting plans that lack access to more sophisticated web security tools.  These basic plans are often used to host content management systems such as WordPress, Joomla, Drupal, or Typo3 which are ideal for small organizational websites.

Malicious bots continuously scan the internet to locate login screens or vulnerabilities in content management system (CMS) applications.  Once a bot identifies an admin page, directory, or CMS vulnerability, the location of that artifact is passed back to the bot's command and control (C&C) infrastructure.  These locations are then targeted later to exploit the identified vulnerability or to conduct other attacks such as password spray, dictionary, or brute-force attacks to gain access to the content management system.

The vulnerabilities, file locations, and file names of content management systems are well known, and attempts to reach them can be identified by Apache using .htaccess.  Once an access attempt has been identified by the .htaccess file, the identified traffic can be passed to Project Honey Pot.  This increases the intelligence of your honeypot and leads to proactive blocking of malicious bots that may attempt other attack techniques on your website.

How To Send Content Management Administrator Console Access Attempts To Your Honeypot Using .htaccess

We start from the .htaccess file built in the previous post.  The new rules use the framework introduced earlier in the series to send suspicious traffic to our honeypot web page through the Project Honey Pot system.

The code below uses the RewriteRule command to virtually point common content management console admin directories directly to your honeypot.  Only site administrators should be accessing these directories, and it is common practice to rename out-of-the-box admin directories to a non-standard name.  The [NC] switch is used to indicate that the directory string is not case sensitive.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing further rules for this request.

##### Redirect Attempts to Access Content Management Admin Directories -- START

# WordPress
RewriteRule (?:^|/)wp-admin/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)wp-admin(.*) /honeypot.php/ [NC,L]

# Joomla
RewriteRule (?:^|/)administrator(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)administrator/(.*) /honeypot.php/ [NC,L]

##### Redirect Attempts to Access Content Management Admin Directories -- END


How To Send Content Management Core Application Access Attempts To Your Honeypot Using .htaccess

Directories that contain core application files should not be accessed by external users and we have observed malicious bots targeting such directories. The same RewriteRule technique used on administrative directories can be used to virtually point requests to core application directories to your honey pot. 

Core application file directories are used only by the content management system itself and should only be modified during an official application update.  The following links have additional details on popular content management application directory structures:

The code below uses the RewriteRule command to virtually point common content management core application directories directly to your honeypot.  The [NC] switch is used to indicate that the directory string is not case sensitive.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing further rules for this request.

##### Redirect Attempts to Access Content Management Core Application Code Directories -- START

# WordPress directory that stores core application files
RewriteRule (?:^|/)wp-includes/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)wp-includes(.*) /honeypot.php/ [NC,L]

# Joomla directory that stores core application files
RewriteRule (?:^|/)includes/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)includes(.*) /honeypot.php/ [NC,L]

# Drupal 8 directory that stores core application files
RewriteRule (?:^|/)core/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)core(.*) /honeypot.php/ [NC,L]

# Typo3 directory that stores core application files
RewriteRule (?:^|/)typo3/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)typo3(.*) /honeypot.php/ [NC,L]

##### Redirect Attempts to Access Content Management Core Application Code Directories -- END
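The directory patterns above anchor the name at the start of a path segment with (?:^|/), but the forms without a trailing slash never require the name to end the segment, so core(.*) also matches a request for /corelogic/page.html and includes(.*) matches /includes-of-history.html.  The Python script below is an added emulation of mod_rewrite matching for a condensed version of the admin and core-directory rules (it is not the page's .htaccess file and not Apache itself).  It runs constructed sample paths through the loose patterns and through a tightened variant, (?:/.*)?$, which is this example's own suggestion rather than one of the page's rules, and lists the innocent paths that only the loose form would send to the honeypot.

```python
import re

# Constructed rule table that mirrors the page's directory rules (this script is an
# added illustration, not the page's .htaccess file). Each entry is the RewriteRule
# pattern and a label for the CMS it covers. mod_rewrite applies the pattern to the
# URL path relative to the .htaccess directory, i.e. without the leading slash.
LOOSE_RULES = [
    (r"(?:^|/)wp-admin(.*)", "WordPress admin"),
    (r"(?:^|/)administrator(.*)", "Joomla admin"),
    (r"(?:^|/)wp-includes(.*)", "WordPress core"),
    (r"(?:^|/)includes(.*)", "Joomla core"),
    (r"(?:^|/)core(.*)", "Drupal 8 core"),
    (r"(?:^|/)typo3(.*)", "Typo3 core"),
]

# Tightened variants (an assumption of this example, not a rule from the page):
# the directory name must be a complete path segment, so it is followed either by
# a slash or by the end of the path. "corelogic/page.html" then no longer hits "core".
STRICT_RULES = [(pattern.replace("(.*)", r"(?:/.*)?$"), label) for pattern, label in LOOSE_RULES]


def first_match(path, rules):
    """Return the label of the first rule whose pattern matches, or None.

    [NC] maps to re.IGNORECASE and [L] to "stop at the first hit", which is what
    the rules on the page use. The leading "/" is stripped to mimic per-directory
    matching in an .htaccess file.
    """
    relative = path.lstrip("/")
    for pattern, label in rules:
        if re.search(pattern, relative, re.IGNORECASE):
            return label
    return None


def simulate(paths, rules):
    """Map each request path to the rule label that would send it to the honeypot."""
    return {path: first_match(path, rules) for path in paths}


def collateral(paths):
    """Paths the loose rules redirect but the strict rules leave alone: the false
    positives a legitimate site would suffer from prefix matching."""
    return sorted(p for p in paths if first_match(p, LOOSE_RULES) and not first_match(p, STRICT_RULES))


# Constructed sample request paths: probes a scanner would send plus innocent paths
# that merely start with one of the protected directory names.
SAMPLE_PATHS = [
    "/wp-admin/install.php",
    "/blog/WP-ADMIN/",
    "/administrator/index.php",
    "/core/install.php",
    "/corelogic/page.html",
    "/includes-of-history.html",
    "/typo3/",
    "/index.php",
]

if __name__ == "__main__":
    for path, label in simulate(SAMPLE_PATHS, LOOSE_RULES).items():
        print(f"{path:32} -> {label or 'served normally'}")
    print("prefix false positives:", collateral(SAMPLE_PATHS))
```

Run it with python3 and compare the two lists: on a site where one of these names is also the prefix of real content, the strict form avoids sending legitimate visitors to the honeypot, while on a site where the CMS is not installed at all the loose form's over-matching only matters if a public path happens to start with one of the protected names.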

 

 

How To Send Unused Content Management User Content Directories and Log-In Directories To Your Honeypot Using .htaccess

Add a further layer of detection to your honeypot by sending requests for the user-content and log-in directories of CMS platforms that are not installed on your server to your honeypot.

These RewriteRules should only be used when the specified CMS system is not installed on your server.  Using these RewriteRules when the CMS is installed on your server will cause some content to be inaccessible by legitimate users.

The code below uses the RewriteRule command to virtually point unused content management directories directly to your honeypot.  The [NC] switch is used to indicate that the directory string is not case sensitive.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing further rules for this request.

##### Redirect Attempts to Access Unused Content Management System Related Directories -- START

# WordPress CMS user content
RewriteRule (?:^|/)wp-content/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)wp-content(.*) /honeypot.php/ [NC,L]

# WordPress CMS log-in directory
RewriteRule (?:^|/)wp-login/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)wp-login(.*) /honeypot.php/ [NC,L]

# WordPress CMS home directory
RewriteRule (?:^|/)wordpress/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)wordpress(.*) /honeypot.php/ [NC,L]

# WordPress CMS API directory
RewriteRule (?:^|/)wp-json/(.*) /honeypot.php/ [NC,L]
RewriteRule (?:^|/)wp-json(.*) /honeypot.php/ [NC,L]

# WordPress CMS home directory (short form)
RewriteRule (?:^|/)wp/(.*) /honeypot.php/ [NC,L]

##### Redirect Attempts to Access Unused Content Management System Related Directories -- END

 

 

How To Send Content Management Core Application and Admin File Access Attempts To Your Honeypot Using .htaccess

Core application and admin files should not be accessed by external users and we have observed malicious bots targeting these specific files. The same RewriteRule technique can be used to virtually point core and admin file requests to your honey pot.   

The following links have additional details on popular content management application core application and admin files:

The code below uses the RewriteRule command to virtually point core and admin file requests directly to your honeypot.  The [NC] switch is used to indicate that the file name is not case sensitive.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing further rules for this request.

##### Redirect Attempts to Access Content Management Configuration and Admin Specific Files -- START

# WordPress AJAX admin console file
RewriteRule (?:^|/)admin-ajax\.php /honeypot.php/ [NC,L]

# WordPress configuration file
RewriteRule (?:^|/)wp-config\.php /honeypot.php/ [NC,L]

# Joomla configuration file
RewriteRule (?:^|/)configuration\.php /honeypot.php/ [NC,L]

# Drupal configuration files
RewriteRule (?:^|/)settings\.php /honeypot.php/ [NC,L]
RewriteRule (?:^|/)default\.settings\.php /honeypot.php/ [NC,L]

# Typo3 configuration files
RewriteRule (?:^|/)LocalConfiguration\.php /honeypot.php/ [NC,L]
RewriteRule (?:^|/)AdditionalConfiguration\.php /honeypot.php/ [NC,L]

##### Redirect Attempts to Access Content Management Configuration and Admin Specific Files -- END

 

 

How To Use RewriteCond To detect CMS Vulnerability Exploitation Attempts and Send Malicious Traffic To Your Honeypot

The code below uses the RewriteCond command to scan the HTTP_USER_AGENT variable for specific strings that have been injected into the User-Agent header and are associated with known vulnerabilities.

The [NC] switch in the code below is used with RewriteCond to indicate that the string is not case sensitive.  The [OR] switch on the first RewriteCond makes the two User-Agent checks alternatives, and the third RewriteCond excludes requests that are already pointed at honeypot.php so the rewrite does not loop.  If a string match is detected, the RewriteRule command is used to direct the suspicious traffic to the honeypot.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing further rules for this request.

Joomla vulnerability CVE-2015-8562

##### Block Joomla vulnerabilities in user-agent -- START
RewriteCond %{HTTP_USER_AGENT} "JDatabaseDriverMysqli" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "JSIMPLEPIEFACTORY" [NC]
RewriteCond %{REQUEST_URI} !honeypot.php
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Block Joomla vulnerabilities in user-agent -- END

 

 

The code below uses the RewriteCond command to scan the X-FORWARDED-FOR header for the same strings, which have also been injected into X-FORWARDED-FOR in attacks on a known vulnerability.

Joomla vulnerability CVE-2015-8566

##### Block Joomla vulnerabilities in HTTP:X-FORWARDED-FOR -- START
RewriteCond %{HTTP:X-FORWARDED-FOR} "JDatabaseDriverMysqli" [NC,OR]
RewriteCond %{HTTP:X-FORWARDED-FOR} "JSIMPLEPIEFACTORY" [NC]
RewriteCond %{REQUEST_URI} !honeypot.php
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Block Joomla vulnerabilities in HTTP:X-FORWARDED-FOR -- END
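The script below is an added Python emulation (not the page's .htaccess file and not Apache) of how mod_rewrite evaluates the two RewriteCond chains above: consecutive conditions carrying [OR] form a group that passes if any member matches, the groups are AND-ed together, [NC] makes a pattern case-insensitive, a leading ! negates it, and the %{REQUEST_URI} !honeypot.php guard keeps the honeypot request itself from re-triggering the rule.  The request records and header values are constructed for the example and contain only the marker strings the page's patterns look for.

```python
import re

HONEYPOT = "/honeypot.php/"

# Constructed condition sets that mirror the page's two RewriteCond blocks (this
# script is an added emulation of mod_rewrite semantics, not the page's .htaccess
# file and not Apache itself). Each condition is (test variable, pattern, flags).
# A leading "!" negates the pattern; NC means case-insensitive; OR chains the
# condition with the one that follows it.
USER_AGENT_CONDS = [
    ("%{HTTP_USER_AGENT}", "JDatabaseDriverMysqli", {"NC", "OR"}),
    ("%{HTTP_USER_AGENT}", "JSIMPLEPIEFACTORY", {"NC"}),
    ("%{REQUEST_URI}", "!honeypot.php", set()),
]
XFF_CONDS = [
    ("%{HTTP:X-FORWARDED-FOR}", "JDatabaseDriverMysqli", {"NC", "OR"}),
    ("%{HTTP:X-FORWARDED-FOR}", "JSIMPLEPIEFACTORY", {"NC"}),
    ("%{REQUEST_URI}", "!honeypot.php", set()),
]
RULE_SETS = [("user-agent", USER_AGENT_CONDS), ("x-forwarded-for", XFF_CONDS)]


def resolve(variable, request):
    """Look up a mod_rewrite test variable in a request dict {"path": ..., "headers": {...}}."""
    headers = {name.lower(): value for name, value in request["headers"].items()}
    if variable == "%{REQUEST_URI}":
        return request["path"]
    if variable == "%{HTTP_USER_AGENT}":
        return headers.get("user-agent", "")
    if variable.startswith("%{HTTP:") and variable.endswith("}"):
        return headers.get(variable[len("%{HTTP:"):-1].lower(), "")
    raise ValueError(f"unsupported variable {variable}")


def cond_matches(variable, pattern, flags, request):
    """One RewriteCond: regex search on the resolved value, honouring ! and NC."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    found = re.search(regex, resolve(variable, request), re.IGNORECASE if "NC" in flags else 0) is not None
    return found != negate


def conds_pass(conds, request):
    """Evaluate a RewriteCond chain the way mod_rewrite does: conditions carrying [OR]
    stay in an open group that passes if any member hits; each closed group must pass."""
    group_hit = False
    for variable, pattern, flags in conds:
        group_hit = group_hit or cond_matches(variable, pattern, flags, request)
        if "OR" in flags:
            continue          # the group is still open; keep collecting
        if not group_hit:
            return False      # a closed group with no hit fails the whole chain
        group_hit = False
    return True


def which_rule_fires(request):
    """Name of the first rule set whose conditions all pass, or None."""
    for name, conds in RULE_SETS:
        if conds_pass(conds, request):
            return name
    return None


def route(request):
    """Path the request ends up at: the honeypot if a chain passes (the page's
    RewriteRule ^(.*)$ rewrites any path), otherwise the original path."""
    return HONEYPOT if which_rule_fires(request) else request["path"]


# Constructed sample requests. The header values only contain the marker strings
# the page's patterns look for; they are not exploit payloads.
SAMPLES = {
    "browser": {"path": "/index.php", "headers": {"User-Agent": "Mozilla/5.0 (constructed)"}},
    "ua marker": {"path": "/index.php", "headers": {"User-Agent": "probe jdatabasedrivermysqli"}},
    "xff marker": {"path": "/index.php", "headers": {"User-Agent": "Mozilla/5.0", "x-forwarded-for": "JSimplepieFactory"}},
    "already on honeypot": {"path": "/honeypot.php/", "headers": {"User-Agent": "JDatabaseDriverMysqli"}},
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:20} fires={which_rule_fires(request)!s:16} -> {route(request)}")
```

The "already on honeypot" sample is the case the guard exists for: after the internal rewrite Apache re-runs the .htaccess rules against /honeypot.php/, the marker is still in the header, and without the negated REQUEST_URI condition the chain would pass again.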

 

 

The working file is available for download here.  We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team.

 

About Private Client Cyber Security

Former U.S. defense industry cybersecurity executives founded PCCS after struggling to convince large cybersecurity companies to address the cyber risks of public persons and small businesses.

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

We strive to provide a personal, professional and a next-generation technology level of cyber protection to our clients. 

 
