sharpweb
  1. I'm working with my host to see what they can do, but will look into this as well. Thanks!
  2. Definitely private. Thanks for your reply, I'll try to look at the PW logs and server logs in more detail. Some of that was pasted above, but I could definitely spend more time looking when I have time.
  3. Hi, extremely long post warning! One of the sites I've built with PW had 15 each of these errors 4 days ago:

     I figured it was some sort of DoS attack that was destined to fail, but the FieldtypeText errors were a bit curious, possibly part of the overload of the database. Then last night I got a bunch of different errors:

     This seemed a little more serious to me. It was targeting admin folders. I checked all the /wire/ and /site/ links and they all throw a 404 as expected. They also targeted unpublished pages and a couple of published test pages for some reason, but there are some old links on the site to them that shouldn't be there. I checked the logs and there are 18,000 requests from last night from a single IP (I won't post it in case they are snooping the internet for that IP). I can share the logs if anyone wants to see them, but needless to say there are a lot of probing URLs like those quoted below. Notably the last bunch of probes all returned 404 or 500. What I don't understand is why the error "Syntax error or access violation: 3057 Incorrect user-level lock name '1'." shows up 20 times. Were those successful probes? Or closer to successful? Perhaps from their first probe they figured out the site was in PW and then used the second one to attempt to access forbidden areas of the site?

     The code is in a GIT repo and I can confirm that no files on the server have been changed, although the /site/assets folder is excluded from the repo. I can also confirm that there are no tables added to the database (I have a backup from the day before) and the only tables with new rows were ones that make sense (except the one below), like process_changelog (things I did today) and sessions.

     The one that stood out was module_sert_keywords (https://github.com/marcostoll/processwire-search-engine-referrer-tracker) which only had a bunch of new rows, but my understanding of the module is that it adds rows when the referrer is Google, so any hack attempt that pretended to come from Google would add a record. There were about 220 new records that look like this:

     So I think the site did its job and kept the hacker out, but I'm not 100% sure and wanted to share my findings with the PW community. I'm not a security expert, just a security-conscious developer. Modules are mostly up to date, but 3 have updates available (Tracy, Changelog and Jumplinks) and the core is still at 3.0.229. I'm happy to share any other details that are needed, possibly by DM if they are sensitive. Thanks for getting to the end! Chris
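The post above describes the three signals a defender actually has in this situation: a single IP with thousands of requests, paths under /wire/ and /site/ that correctly return 404, and rows appended by a referrer-tracking module because the probes carried a forged Google referrer. The script below is an added triage example written for this page; it is not sharpweb's code, not part of ProcessWire or the search-engine-referrer-tracker module, and the log lines, IP addresses (documentation ranges) and thresholds in it are constructed. It assumes a standard Apache/nginx "combined" access-log layout; adjust `LOG_RE` if the host writes a different format. It cannot say whether a probe succeeded; it only groups what the server recorded per client so the file and database comparison the post describes can be focused on the right window.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed "combined" log layout: ip ident user [ts] "METHOD path proto" status bytes "referrer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories a ProcessWire install should never serve directly (the post confirms they 404).
PROBE_PREFIXES = ("/wire/", "/site/")

# Constructed sample in the pattern the post describes: one normal visitor, one noisy client.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:23:10:01 +0000] "GET /wire/config.php HTTP/1.1" 404 210 "https://www.google.com/" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:23:10:02 +0000] "GET /site/config.php HTTP/1.1" 404 210 "https://www.google.com/" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:23:10:03 +0000] "GET /site/assets/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:23:10:04 +0000] "GET /processwire/ HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:23:10:05 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


@dataclass
class IpStats:
    total: int = 0             # all requests from this client
    errors: int = 0            # responses with status 4xx/5xx
    probe_hits: int = 0        # requests for paths under PROBE_PREFIXES
    fake_search_hits: int = 0  # Google referrer on a request that failed (not a real search click)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def claims_google_referrer(referrer):
    """Heuristic: the Referer header names google.com or a subdomain of it."""
    host = (urlparse(referrer).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def triage(log_text):
    """Aggregate per-client counters over raw access-log text."""
    stats = defaultdict(IpStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        s = stats[rec["ip"]]
        s.total += 1
        failed = rec["status"] >= 400
        if failed:
            s.errors += 1
        if rec["path"].startswith(PROBE_PREFIXES):
            s.probe_hits += 1
        # A genuine search click lands on an indexed page, not on a 404'd internal path;
        # this is the pattern that inflates a referrer-tracking table with bogus rows.
        if failed and claims_google_referrer(rec["referrer"]):
            s.fake_search_hits += 1
    return dict(stats)


def suspicious_ips(stats, min_requests=3, min_error_ratio=0.5):
    """Clients that touched protected paths and mostly received errors (thresholds are constructed)."""
    flagged = []
    for ip, s in stats.items():
        if s.total < min_requests:
            continue
        if s.probe_hits and s.errors / s.total >= min_error_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in suspicious_ips(result):
        s = result[ip]
        print(f"{ip}: {s.total} requests, {s.errors} errors, "
              f"{s.probe_hits} /wire|/site probes, {s.fake_search_hits} forged search referrers")
```

Run against the real log, the flagged client's first and last timestamps give the window in which to compare the Git checkout, the /site/assets tree and the database dump the post mentions; a 404 or 500 on every probed path is the expected outcome, and any 200 on a path under the probe prefixes is the line worth investigating.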