detect wordpress scanning of txt and md files
Bots don't only scan the php files; they also scan for txt and md files, and sometimes will only scan for one file type to try and evade detection.
Hey 👋🏻
What do you think of only detecting .md and .txt files within wp-content/plugins? As static files in uploads I guess can contain these file types (even though it's not recommended 😆 plus my wp knowledge is basic AF)
evt.Meta.service == 'http' and
evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
evt.Meta.http_status in ['404', '403'] and
(
  (
    Lower(evt.Meta.http_path) contains "/wp-" and
    Lower(evt.Meta.http_path) endsWith ".php"
  ) ||
  (
    Lower(evt.Meta.http_path) contains "/wp-content/plugins" and
    Lower(evt.Meta.http_path) matches "\\.(txt|md)$"
  )
)
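Added example, not part of the thread or the hub's own code: a Python mirror of the filter logic proposed above, run over constructed events to show which requests it would flag. It assumes the service, log type and status guards are meant to apply to both path branches; the `_evt` helper, the `example-plugin` name and all sample paths are made up for illustration.

```python
import re

# Constructed events (not real traffic); keys mirror the evt.Meta fields in the filter.
def _evt(path, status="404", service="http", log_type="http_access-log"):
    return {"service": service, "log_type": log_type,
            "http_status": status, "http_path": path}

SAMPLE_EVENTS = [
    _evt("/wp-login.php"),                                           # php probe
    _evt("/wp-content/plugins/example-plugin/readme.txt"),           # plugin txt probe
    _evt("/wp-content/plugins/example-plugin/CHANGELOG.MD", "403"),  # upper case, 403
    _evt("/wp-content/uploads/2024/01/notes.txt"),                   # txt outside plugins
    _evt("/wp-content/plugins/example-plugin/readme.txt", "200"),    # file exists
    _evt("/wp-content/plugins/example-plugin/readme.txt.bak"),       # wrong extension
    _evt("/robots.txt"),                                             # not WordPress
]

DOC_EXT = re.compile(r"\.(txt|md)$")

def is_wp_scan(meta):
    """Shared guards AND (php probe under /wp- OR txt/md probe under plugins)."""
    if meta.get("service") != "http":
        return False
    if meta.get("log_type") not in ("http_access-log", "http_error-log"):
        return False
    if meta.get("http_status") not in ("404", "403"):
        return False
    path = meta.get("http_path", "").lower()
    php_probe = "/wp-" in path and path.endswith(".php")
    doc_probe = "/wp-content/plugins" in path and DOC_EXT.search(path) is not None
    return php_probe or doc_probe

def flagged_paths(events):
    """Return the request paths the filter would feed into the scenario."""
    return [e["http_path"] for e in events if is_wp_scan(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "MATCH" if is_wp_scan(e) else "skip "
        print(verdict, e["http_status"], e["http_path"])
```

The `uploads` path and the 200 response are both skipped, so legitimate static files and plugin files that actually exist do not count toward the scenario.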