C
CrowdSec6mo ago
bbuddha

false positive wordpress

Hello. I have a false positive on my WordPress site. I tried uploading images, but it banned me. When I check the logs, I see requests with status 404. Also, the upload happens in the wp-admin section. So far, this is normal and fits the "http-admin-interface-probing" scenario. However, I don't understand why it's returning a 404 error. I have a question: To avoid the ban happening again, is it better to whitelist the IP address or the event? Or is there something else I should do? I'm open to ideas. Has this happened to others as well? I’ll share the alert. 
 - ID           : 153685
 - Date         : 2025-03-23T19:58:05Z
 - Machine      : helloitsme
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-admin-interface-probing
 - Events Count : 5
 - Scope:Value  : Ip:1.2.3.4
 - Country      : FR
 - AS           : blablabla
 - Begin        : 2025-03-23 19:58:04.644701827 +0000 UTC
 - End          : 2025-03-23 19:58:04.649825356 +0000 UTC
 - UUID         : cb52be9b-3226-4f93-84c6-5a0acee17bd5
╭──────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                         │
├───────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│     ID    │   scope:value   │ action │ expiration │      created_at      │
├───────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 156798750 │ Ip:1.2.3.4      │ ban    │ 1h22m48s   │ 2025-03-23T19:58:05Z │
╰───────────┴─────────────────┴────────┴────────────┴──────────────────────╯
 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 404                                                          │
│ target_uri │ /wp-admin/auk/auk/ctp-identifiant.png                        │
│ target_uri │ /wp-admin/auk/auk/ctp-blacklist.png                          │
│ target_uri │ /wp-admin/auk/auk/ctp-login.png                              │
│ target_uri │ /wp-admin/auk/auk/ctp-mdp.png                                │
│ target_uri │ /wp-admin/auk/auk/ctp-certificat.png                         │
│ user_agent │ Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101     │
│            │ Firefox/136.0                                                │
╰────────────┴──────────────────────────────────────────────────────────────╯
 - ID           : 153685
 - Date         : 2025-03-23T19:58:05Z
 - Machine      : helloitsme
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-admin-interface-probing
 - Events Count : 5
 - Scope:Value  : Ip:1.2.3.4
 - Country      : FR
 - AS           : blablabla
 - Begin        : 2025-03-23 19:58:04.644701827 +0000 UTC
 - End          : 2025-03-23 19:58:04.649825356 +0000 UTC
 - UUID         : cb52be9b-3226-4f93-84c6-5a0acee17bd5
╭──────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                         │
├───────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│     ID    │   scope:value   │ action │ expiration │      created_at      │
├───────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 156798750 │ Ip:1.2.3.4      │ ban    │ 1h22m48s   │ 2025-03-23T19:58:05Z │
╰───────────┴─────────────────┴────────┴────────────┴──────────────────────╯
 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 404                                                          │
│ target_uri │ /wp-admin/auk/auk/ctp-identifiant.png                        │
│ target_uri │ /wp-admin/auk/auk/ctp-blacklist.png                          │
│ target_uri │ /wp-admin/auk/auk/ctp-login.png                              │
│ target_uri │ /wp-admin/auk/auk/ctp-mdp.png                                │
│ target_uri │ /wp-admin/auk/auk/ctp-certificat.png                         │
│ user_agent │ Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101     │
│            │ Firefox/136.0                                                │
╰────────────┴──────────────────────────────────────────────────────────────╯
2 Replies
CrowdSec
CrowdSec6mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
bbuddha
bbuddhaOP6mo ago
I should mention that it's a server with multiple client sites. So, I think whitelisting the IP address is really not a good option.

Did you find this page helpful?