false positive wordpress

Hello. I have a false positive on my WordPress site. I tried uploading images, but it banned me. When I check the logs, I see requests with status 404. Also, the upload happens in the wp-admin section. So far, this is normal and fits the "http-admin-interface-probing" scenario. However, I don't understand why it's returning a 404 error. I have a question: To avoid the ban happening again, is it better to whitelist the IP address or the event? Or is there something else I should do? I'm open to ideas. Has this happened to others as well? I’ll share the alert.

 - ID           : 153685
 - Date         : 2025-03-23T19:58:05Z
 - Machine      : helloitsme
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-admin-interface-probing
 - Events Count : 5
 - Scope:Value  : Ip:1.2.3.4
 - Country      : FR
 - AS           : blablabla
 - Begin        : 2025-03-23 19:58:04.644701827 +0000 UTC
 - End          : 2025-03-23 19:58:04.649825356 +0000 UTC
 - UUID         : cb52be9b-3226-4f93-84c6-5a0acee17bd5
╭──────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                         │
├───────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│     ID    │   scope:value   │ action │ expiration │      created_at      │
├───────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 156798750 │ Ip:1.2.3.4      │ ban    │ 1h22m48s   │ 2025-03-23T19:58:05Z │
╰───────────┴─────────────────┴────────┴────────────┴──────────────────────╯
 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 404                                                          │
│ target_uri │ /wp-admin/auk/auk/ctp-identifiant.png                        │
│ target_uri │ /wp-admin/auk/auk/ctp-blacklist.png                          │
│ target_uri │ /wp-admin/auk/auk/ctp-login.png                              │
│ target_uri │ /wp-admin/auk/auk/ctp-mdp.png                                │
│ target_uri │ /wp-admin/auk/auk/ctp-certificat.png                         │
│ user_agent │ Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101     │
│            │ Firefox/136.0                                                │
╰────────────┴──────────────────────────────────────────────────────────────╯

 - ID           : 153685
 - Date         : 2025-03-23T19:58:05Z
 - Machine      : helloitsme
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-admin-interface-probing
 - Events Count : 5
 - Scope:Value  : Ip:1.2.3.4
 - Country      : FR
 - AS           : blablabla
 - Begin        : 2025-03-23 19:58:04.644701827 +0000 UTC
 - End          : 2025-03-23 19:58:04.649825356 +0000 UTC
 - UUID         : cb52be9b-3226-4f93-84c6-5a0acee17bd5
╭──────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                         │
├───────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│     ID    │   scope:value   │ action │ expiration │      created_at      │
├───────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 156798750 │ Ip:1.2.3.4      │ ban    │ 1h22m48s   │ 2025-03-23T19:58:05Z │
╰───────────┴─────────────────┴────────┴────────────┴──────────────────────╯
 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 404                                                          │
│ target_uri │ /wp-admin/auk/auk/ctp-identifiant.png                        │
│ target_uri │ /wp-admin/auk/auk/ctp-blacklist.png                          │
│ target_uri │ /wp-admin/auk/auk/ctp-login.png                              │
│ target_uri │ /wp-admin/auk/auk/ctp-mdp.png                                │
│ target_uri │ /wp-admin/auk/auk/ctp-certificat.png                         │
│ user_agent │ Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101     │
│            │ Firefox/136.0                                                │
╰────────────┴──────────────────────────────────────────────────────────────╯

CrowdSec•11mo ago•

2 replies

bbuddha

false positive wordpress

 - ID           : 153685
 - Date         : 2025-03-23T19:58:05Z
 - Machine      : helloitsme
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-admin-interface-probing
 - Events Count : 5
 - Scope:Value  : Ip:1.2.3.4
 - Country      : FR
 - AS           : blablabla
 - Begin        : 2025-03-23 19:58:04.644701827 +0000 UTC
 - End          : 2025-03-23 19:58:04.649825356 +0000 UTC
 - UUID         : cb52be9b-3226-4f93-84c6-5a0acee17bd5
╭──────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                         │
├───────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│     ID    │   scope:value   │ action │ expiration │      created_at      │
├───────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 156798750 │ Ip:1.2.3.4      │ ban    │ 1h22m48s   │ 2025-03-23T19:58:05Z │
╰───────────┴─────────────────┴────────┴────────────┴──────────────────────╯
 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 404                                                          │
│ target_uri │ /wp-admin/auk/auk/ctp-identifiant.png                        │
│ target_uri │ /wp-admin/auk/auk/ctp-blacklist.png                          │
│ target_uri │ /wp-admin/auk/auk/ctp-login.png                              │
│ target_uri │ /wp-admin/auk/auk/ctp-mdp.png                                │
│ target_uri │ /wp-admin/auk/auk/ctp-certificat.png                         │
│ user_agent │ Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101     │
│            │ Firefox/136.0                                                │
╰────────────┴──────────────────────────────────────────────────────────────╯

 - ID           : 153685
 - Date         : 2025-03-23T19:58:05Z
 - Machine      : helloitsme
 - Simulation   : false
 - Remediation  : true
 - Reason       : crowdsecurity/http-admin-interface-probing
 - Events Count : 5
 - Scope:Value  : Ip:1.2.3.4
 - Country      : FR
 - AS           : blablabla
 - Begin        : 2025-03-23 19:58:04.644701827 +0000 UTC
 - End          : 2025-03-23 19:58:04.649825356 +0000 UTC
 - UUID         : cb52be9b-3226-4f93-84c6-5a0acee17bd5
╭──────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                         │
├───────────┬─────────────────┬────────┬────────────┬──────────────────────┤
│     ID    │   scope:value   │ action │ expiration │      created_at      │
├───────────┼─────────────────┼────────┼────────────┼──────────────────────┤
│ 156798750 │ Ip:1.2.3.4      │ ban    │ 1h22m48s   │ 2025-03-23T19:58:05Z │
╰───────────┴─────────────────┴────────┴────────────┴──────────────────────╯
 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 404                                                          │
│ target_uri │ /wp-admin/auk/auk/ctp-identifiant.png                        │
│ target_uri │ /wp-admin/auk/auk/ctp-blacklist.png                          │
│ target_uri │ /wp-admin/auk/auk/ctp-login.png                              │
│ target_uri │ /wp-admin/auk/auk/ctp-mdp.png                                │
│ target_uri │ /wp-admin/auk/auk/ctp-certificat.png                         │
│ user_agent │ Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101     │
│            │ Firefox/136.0                                                │
╰────────────┴──────────────────────────────────────────────────────────────╯

false positive wordpress

false positive wordpress

Similar Threads

Similar Threads

Similar Threads