/** * */ public static function processAttackData() { global $wpdb; $waf = wfWAF::getInstance(); if ($waf->getStorageEngine()->getConfig('attackDataKey', false) === false) { $waf->getStorageEngine()->setConfig('attackDataKey', mt_rand(0, 0xfff)); } $limit = 500; $lastSendTime = wfConfig::get('lastAttackDataSendTime'); $attackData = $wpdb->get_results($wpdb->prepare("SELECT SQL_CALC_FOUND_ROWS * FROM {$wpdb->base_prefix}wfHits\nWHERE action in ('blocked:waf', 'learned:waf')\nAND attackLogTime > %.6f\nLIMIT %d", $lastSendTime, $limit)); $totalRows = $wpdb->get_var('SELECT FOUND_ROWS()'); if ($attackData) { $response = wp_remote_get(sprintf(WFWAF_API_URL_SEC . "waf-rules/%d.txt", $waf->getStorageEngine()->getConfig('attackDataKey'))); if (!is_wp_error($response)) { $okToSendBody = wp_remote_retrieve_body($response); if ($okToSendBody === 'ok') { // Build JSON to send $dataToSend = array(); $attackDataToUpdate = array(); foreach ($attackData as $attackDataRow) { $actionData = (array) wfRequestModel::unserializeActionData($attackDataRow->actionData); $dataToSend[] = array($attackDataRow->attackLogTime, $attackDataRow->ctime, wfUtils::inet_ntop($attackDataRow->IP), array_key_exists('learningMode', $actionData) ? $actionData['learningMode'] : 0, array_key_exists('paramKey', $actionData) ? base64_encode($actionData['paramKey']) : false, array_key_exists('paramValue', $actionData) ? base64_encode($actionData['paramValue']) : false, array_key_exists('failedRules', $actionData) ? $actionData['failedRules'] : '', strpos($attackDataRow->URL, 'https') === 0 ? 1 : 0, array_key_exists('fullRequest', $actionData) ? $actionData['fullRequest'] : ''); if (array_key_exists('fullRequest', $actionData)) { unset($actionData['fullRequest']); $attackDataToUpdate[$attackDataRow->id] = array('actionData' => wfRequestModel::serializeActionData($actionData)); } if ($attackDataRow->attackLogTime > $lastSendTime) { $lastSendTime = $attackDataRow->attackLogTime; } } $response = wp_remote_post(WFWAF_API_URL_SEC . "?" . http_build_query(array('action' => 'send_waf_attack_data', 'k' => $waf->getStorageEngine()->getConfig('apiKey'), 's' => $waf->getStorageEngine()->getConfig('siteURL') ? $waf->getStorageEngine()->getConfig('siteURL') : sprintf('%s://%s/', $waf->getRequest()->getProtocol(), rawurlencode($waf->getRequest()->getHost())))), array('body' => json_encode($dataToSend), 'headers' => array('Content-Type' => 'application/json'), 'timeout' => 30)); if (!is_wp_error($response) && ($body = wp_remote_retrieve_body($response))) { $jsonData = json_decode($body, true); if (is_array($jsonData) && array_key_exists('success', $jsonData)) { // Successfully sent data, remove the full request from the table to reduce storage size foreach ($attackDataToUpdate as $hitID => $dataToUpdate) { $wpdb->update($wpdb->base_prefix . 'wfHits', $dataToUpdate, array('id' => $hitID)); } wfConfig::set('lastAttackDataSendTime', $lastSendTime); if ($totalRows > $limit) { self::scheduleSendAttackData(); } } } } else { if (is_string($okToSendBody) && preg_match('/next check in: ([0-9]+)/', $okToSendBody, $matches)) { self::scheduleSendAttackData(time() + $matches[1]); } } // Could be that the server is down, so hold off on sending data for a little while. } else { self::scheduleSendAttackData(time() + 7200); } } self::trimWfHits(); }
/** * */ public static function processAttackData() { global $wpdb; $waf = wfWAF::getInstance(); if ($waf->getStorageEngine()->getConfig('attackDataKey', false) === false) { $waf->getStorageEngine()->setConfig('attackDataKey', mt_rand(0, 0xfff)); } //Send alert email if needed if (wfConfig::get('wafAlertOnAttacks')) { $alertInterval = wfConfig::get('wafAlertInterval', 0); $cutoffTime = max(time() - $alertInterval, wfConfig::get('wafAlertLastSendTime')); $wafAlertWhitelist = wfConfig::get('wafAlertWhitelist', ''); $wafAlertWhitelist = preg_split("/[,\r\n]+/", $wafAlertWhitelist); foreach ($wafAlertWhitelist as $index => &$entry) { $entry = trim($entry); if (!preg_match('/^(?:\\d{1,3}(?:\\.|$)){4}/', $entry) && !preg_match('/^((?:[\\da-f]{1,4}(?::|)){0,8})(::)?((?:[\\da-f]{1,4}(?::|)){0,8})$/i', $entry)) { unset($wafAlertWhitelist[$index]); continue; } $packed = @wfUtils::inet_pton($entry); if ($packed === false) { unset($wafAlertWhitelist[$index]); continue; } $entry = bin2hex($packed); } $wafAlertWhitelist = array_filter($wafAlertWhitelist); $attackData = $wpdb->get_results($wpdb->prepare("SELECT SQL_CALC_FOUND_ROWS * FROM {$wpdb->base_prefix}wfHits\n\tWHERE action = 'blocked:waf' " . (count($wafAlertWhitelist) ? "AND HEX(IP) NOT IN (" . implode(", ", array_fill(0, count($wafAlertWhitelist), '%s')) . ")" : "") . "AND attackLogTime > %.6f\n\tORDER BY attackLogTime DESC\n\tLIMIT 10", array_merge($wafAlertWhitelist, array($cutoffTime)))); $attackCount = $wpdb->get_var('SELECT FOUND_ROWS()'); if ($attackCount >= wfConfig::get('wafAlertThreshold')) { $durationMessage = wfUtils::makeDuration($alertInterval); $message = <<<ALERTMSG The Wordfence Web Application Firewall has blocked {$attackCount} attacks over the last {$durationMessage}. Below is a sample of these recent attacks: ALERTMSG; $attackTable = array(); $dateMax = $ipMax = $countryMax = 0; foreach ($attackData as $row) { $row->longDescription = "Blocked for " . $row->actionDescription; $actionData = json_decode($row->actionData, true); if (!is_array($actionData) || !isset($actionData['paramKey']) || !isset($actionData['paramValue'])) { continue; } $paramKey = base64_decode($actionData['paramKey']); $paramValue = base64_decode($actionData['paramValue']); if (strlen($paramValue) > 100) { $paramValue = substr($paramValue, 0, 100) . chr(2026); } if (preg_match('/([a-z0-9_]+\\.[a-z0-9_]+)(?:\\[(.+?)\\](.*))?/i', $paramKey, $matches)) { switch ($matches[1]) { case 'request.queryString': $row->longDescription = "Blocked for " . $row->actionDescription . ' in query string: ' . $matches[2] . '=' . $paramValue; break; case 'request.body': $row->longDescription = "Blocked for " . $row->actionDescription . ' in POST body: ' . $matches[2] . '=' . $paramValue; break; case 'request.cookie': $row->longDescription = "Blocked for " . $row->actionDescription . ' in cookie: ' . $matches[2] . '=' . $paramValue; break; case 'request.fileNames': $row->longDescription = "Blocked for a " . $row->actionDescription . ' in file: ' . $matches[2] . '=' . $paramValue; break; } } $date = date_i18n('F j, Y g:ia', floor($row->attackLogTime)); $dateMax = max(strlen($date), $dateMax); $ip = wfUtils::inet_ntop($row->IP); $ipMax = max(strlen($ip), $ipMax); $country = wfUtils::countryCode2Name(wfUtils::IP2Country($ip)); $country = empty($country) ? 'Unknown' : $country; $countryMax = max(strlen($country), $countryMax); $attackTable[] = array('date' => $date, 'IP' => $ip, 'country' => $country, 'message' => $row->longDescription); } foreach ($attackTable as $row) { $date = str_pad($row['date'], $dateMax + 2); $ip = str_pad($row['IP'] . " ({$row['country']})", $ipMax + $countryMax + 8); $attackMessage = $row['message']; $message .= $date . $ip . $attackMessage . "\n"; } self::alert('Increased Attack Rate', $message, false); wfConfig::set('wafAlertLastSendTime', time()); } } //Send attack data $limit = 500; $lastSendTime = wfConfig::get('lastAttackDataSendTime'); $attackData = $wpdb->get_results($wpdb->prepare("SELECT SQL_CALC_FOUND_ROWS * FROM {$wpdb->base_prefix}wfHits\nWHERE action in ('blocked:waf', 'learned:waf', 'logged:waf', 'blocked:waf-always')\nAND attackLogTime > %.6f\nLIMIT %d", $lastSendTime, $limit)); $totalRows = $wpdb->get_var('SELECT FOUND_ROWS()'); if ($attackData && wfConfig::get('other_WFNet', true)) { $response = wp_remote_get(sprintf(WFWAF_API_URL_SEC . "waf-rules/%d.txt", $waf->getStorageEngine()->getConfig('attackDataKey'))); if (!is_wp_error($response)) { $okToSendBody = wp_remote_retrieve_body($response); if ($okToSendBody === 'ok') { // Build JSON to send $dataToSend = array(); $attackDataToUpdate = array(); foreach ($attackData as $attackDataRow) { $actionData = (array) wfRequestModel::unserializeActionData($attackDataRow->actionData); $dataToSend[] = array($attackDataRow->attackLogTime, $attackDataRow->ctime, wfUtils::inet_ntop($attackDataRow->IP), array_key_exists('learningMode', $actionData) ? $actionData['learningMode'] : 0, array_key_exists('paramKey', $actionData) ? base64_encode($actionData['paramKey']) : false, array_key_exists('paramValue', $actionData) ? base64_encode($actionData['paramValue']) : false, array_key_exists('failedRules', $actionData) ? $actionData['failedRules'] : '', strpos($attackDataRow->URL, 'https') === 0 ? 1 : 0, array_key_exists('fullRequest', $actionData) ? $actionData['fullRequest'] : ''); if (array_key_exists('fullRequest', $actionData)) { unset($actionData['fullRequest']); $attackDataToUpdate[$attackDataRow->id] = array('actionData' => wfRequestModel::serializeActionData($actionData)); } if ($attackDataRow->attackLogTime > $lastSendTime) { $lastSendTime = $attackDataRow->attackLogTime; } } $response = wp_remote_post(WFWAF_API_URL_SEC . "?" . http_build_query(array('action' => 'send_waf_attack_data', 'k' => $waf->getStorageEngine()->getConfig('apiKey'), 's' => $waf->getStorageEngine()->getConfig('siteURL') ? $waf->getStorageEngine()->getConfig('siteURL') : sprintf('%s://%s/', $waf->getRequest()->getProtocol(), rawurlencode($waf->getRequest()->getHost())), 't' => microtime(true)), null, '&'), array('body' => json_encode($dataToSend), 'headers' => array('Content-Type' => 'application/json'), 'timeout' => 30)); if (!is_wp_error($response) && ($body = wp_remote_retrieve_body($response))) { $jsonData = json_decode($body, true); if (is_array($jsonData) && array_key_exists('success', $jsonData)) { // Successfully sent data, remove the full request from the table to reduce storage size foreach ($attackDataToUpdate as $hitID => $dataToUpdate) { $wpdb->update($wpdb->base_prefix . 'wfHits', $dataToUpdate, array('id' => $hitID)); } wfConfig::set('lastAttackDataSendTime', $lastSendTime); if ($totalRows > $limit) { self::scheduleSendAttackData(); } if (array_key_exists('data', $jsonData) && array_key_exists('watchedIPList', $jsonData['data'])) { $waf->getStorageEngine()->setConfig('watchedIPs', $jsonData['data']['watchedIPList']); } } } } else { if (is_string($okToSendBody) && preg_match('/next check in: ([0-9]+)/', $okToSendBody, $matches)) { self::scheduleSendAttackData(time() + $matches[1]); } } // Could be that the server is down, so hold off on sending data for a little while. } else { self::scheduleSendAttackData(time() + 7200); } } else { if (!wfConfig::get('other_WFNet', true)) { wfConfig::set('lastAttackDataSendTime', time()); } } self::trimWfHits(); }