Spam in error logs

  • Resolved ImageIrene

    (@arlinaite)


    5 years, 2 months ago

    Hi

    In my error log I see a lot of errors like the following:

    [Fri Jan 22 10:26:42.196280 2021] [proxy_fcgi:error] [pid 29748:tid 140283202881280] [client 3.87.213.225:24142] AH01071: Got error 'PHP message: Error Illegal mix of collations (utf8_general_ci,IMPLICIT) and (utf8mb4_unicode_520_ci,COERCIBLE) for operation 'like' de la base de datos de WordPress para la consulta SELECT SQL_CALC_FOUND_ROWS ar3_2_posts.ID FROM ar3_2_posts WHERE 1=1 AND (((ar3_2_posts.post_title LIKE '%\xe2\x80\xbc\xe2\xa2\xbb\xf0\x9f\x97\x82\xef\xb8\x8f www.LloydsPharmacy.online \xf0\x9f\x97\x82\xef\xb8\x8f\xe2\xa2\xbb\xe2\x80\xbc viagra best\xc3\xa4ll apotek online tyskland apoteket recept n\xc3\xa4tet%') OR (ar3_2_posts.post_excerpt LIKE '%\xe2\x80\xbc\xe2\xa2\xbb\xf0\x9f\x97\x82\xef\xb8\x8f www.LloydsPharmacy.online \xf0\x9f\x97\x82\xef\xb8\x8f\xe2\xa2\xbb\xe2\x80\xbc viagra best\xc3\xa4ll apotek online tyskland apoteket recept n\xc3\xa4tet%') OR (ar3_2_posts.post_content LIKE '%\xe2\x80\xbc\xe2\xa2\xbb\xf0\x9f\x97\x82\xef\xb8\x8f www.LloydsPharmacy.online \xf0\x9f\x97\x82\xef\xb8\x8f\xe2\xa2\xbb\xe2\x80\xbc viagra best\xc3\xa4ll apotek online tyskland apoteket recept n\xc3\xa4tet%'))) AND (ar3_2_posts.post_password = '') AND ar3_2_posts.post_type IN ('post', 'page', 'attachment') AND (ar3_2_posts.post_status = 'publish') ORDER BY (CASE WHEN ar3_2_posts.post_title LIKE '%\xe2\x80\xbc\xe2\xa2\xbb\xf0\x9f\x97\x82\xef\xb8\x8f www.LloydsPharmacy.online \xf0\x9f\x97\x82\xef\xb8\x8f\xe2\xa2\xbb\xe2\x80\xbc viagra best\xc3\xa4ll apotek online tyskland apote...'

    In the internal search:

    148.251.8.250 - - [22/Jan/2021:20:34:38 +0000] "GET /es/?s=% F0%9F%8E%8A%F0%9F%80%84%20www.ZavaMed.store%20%F0%9F%80%84%F 0%9F%8E%8A%20Cialis%20rezeptfreie%20online%20apotheke HTTP/1 .1" 200 12346 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/) X-Middleton/1"
148.251.8.250 - - [22/Jan/2021:20:34:35 +0000] "GET /es/?s=% 20Bestellen%20priligy%2030%20rezeptfrei.%20Billig%20diflucan %20100%20kaufen%20rezeptfrei.%E2%A2%BE%F0%9F%A4%AA%20www.Coo pPharmacy.store%20%F0%9F%A4%AA%E2%A2%BE%20Kamagra%20oral%20j elly%20billige%20online%20india. HTTP/1.1" 200 12449 "-" "Mo zilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/) X-Middleton/1"
148.251.8.250 - - [22/Jan/2021:20:34:32 +0000] "GET /es/?s=% F0%9F%8D%BE%E2%A3%9B%20www.CoopPharmacy.store%20%E2%A3%9B%F0 %9F%8D%BE%20online%20buy%20Zovirax%20tablets%20cost%20no%20p rescription HTTP/1.1" 200 12367 "-" "Mozilla/5.0 (compatible ; MJ12bot/v1.4.8; http://mj12bot.com/) X-Middleton/1"

    What is it? How to fix?
    Thanks in advance

    The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)
  • ImageCyrille37

    (@cyrille37)

    5 years, 2 months ago

    Hello,

    the error is Error Illegal mix of collations (utf8_general_ci,IMPLICIT) and (utf8mb4_unicode_520_ci,COERCIBLE). It seems that data and tables have differents encoding. Perhaps changing your tables collation to “utf8mb”. Also look at the wp-config.php at define( 'DB_CHARSET', 'utf8mb4' ) and define('DB_COLLATE', '');.

    The error is because some config does not match the same collation settings.

    Thread Starter ImageIrene

    (@arlinaite)

    5 years, 2 months ago

    Thanks for your answer. Yes I read this in other threads.

    But my request for help is because my site is not about meds. So I don’t understand:
    1) why the bots are searching for pharma
    2) are this error in the error log caused by the internal search?

    The site is clean according to wordfence.

    I will check what you say but could you be more specific. About what I have to change and where?

    Thread Starter ImageIrene

    (@arlinaite)

    5 years, 2 months ago

    I found from where it comes the issue but I cant stop it.

    It is as follows:

    Spam Site:
    Example:
    https://www.cmaxfanatics.com/forum/showthread.php?page=41&t=304356

    Link to my site:
    Example:
    https://my-site.com/?s=šŸøšŸæļø%20www.ZavaMed.store%20šŸæļøšŸø%20vem%20har%20kƶpt%20i%20online%20apotek

    If I look in my access log, I see the following:
    Example:
    13.66.139.2 - - [24/Jan/2021:20:58:27 +0000] "GET /es/?s=%F0 %9F%8E%8D%20www.Getmaple.store%20%F0%9F%8E%8Dviagra%20barata %20online%20espa%C3%B1a/feed/rss2/ HTTP/1.0" 200 12331 "-" " Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/b ingbot.htm) X-Middleton/1"

    In my Error Logs:
    Example:
    [Sun Jan 24 21:13:05.698651 2021] [proxy_fcgi:error] [pid 1030:tid 139875935971072] [client 35.158.99.113:53122] AH01071: Got error 'PHP message: Error Illegal mix of collations (utf8_general_ci,IMPLICIT) and (utf8mb4_unicode_520_ci,COERCIBLE) for operation 'like' de la base de datos de WordPress para la consulta SELECT SQL_CALC_FOUND_ROWS ar3_2_posts.ID FROM ar3_2_posts WHERE 1=1 AND (((ar3_2_posts.post_title LIKE '% Kamagra oral jelly 50mg kaufen Kamagra 100mg kaufen apotheke erfahrungen\xe2\xa3\x97\xf0\x9f\xa7\xb9 www.WebMD.shop \xf0\x9f\xa7\xb9\xe2\xa3\x97 Cialis generika 5mg rezeptfrei%') OR (ar3_2_posts.post_excerpt LIKE '% Kamagra oral jelly 50mg kaufen Kamagra 100mg kaufen apotheke erfahrungen\xe2\xa3\x97\xf0\x9f\xa7\xb9 www.WebMD.shop \xf0\x9f\xa7\xb9\xe2\xa3\x97 Cialis generika 5mg rezeptfrei%') OR (ar3_2_posts.post_content LIKE '% Kamagra oral jelly 50mg kaufen Kamagra 100mg kaufen apotheke erfahrungen\xe2\xa3\x97\xf0\x9f\xa7\xb9 www.WebMD.shop \xf0\x9f\xa7\xb9\xe2\xa3\x97 Cialis generika 5mg rezeptfrei%'))) AND (ar3_2_posts.post_password = '') AND ar3_2_posts.post_type IN ('post', 'page', 'attachment') AND (ar3_2_posts.post_status = 'publish') ORDER BY (CASE WHEN ar3_2_posts.post_title LIKE '% Kamagra oral jelly 50mg kaufen Kamagra 1...'

    Whatā€™s wrong?? All your help would be much appreciated.

    • This reply was modified 5 years, 2 months ago by ImageIrene.
    • This reply was modified 5 years, 2 months ago by ImageIrene.
    Plugin Support Imagewfpeter

    (@wfpeter)

    5 years, 2 months ago

    Hi @arlinaite, thanks for your question. I have seen a similar case to this recently.

    The content you’re seeing, including the pharma searches, look like a bot just dumping spam in every text field it can find, to see what kind of data can be submitted to your pages.

    We assume fixing the collation of the posts table would clear this error. For the record, Wordfence doesnā€™t change database collations and observes the defaults currently set on your server when making changes or plugin updates. WordPress switched to using utf8mb4 quite a while ago, so seeing that thereā€™s a clash between some utf8_general_ci suggests itā€™s possible a WordPress update didnā€™t finish changing your tables back then, or perhaps a migration or restore from backup used the wrong collation so now you could have a mixture.

    Ultimately, fixing the database collation is something to fix outside of Wordfence, possibly with the assistance of your host, but we do not believe this to be a compromise of your site.

    Hereā€™s a WordPress article highlighting the original database change: https://make.wordpress.org/core/2015/04/02/the-utf8mb4-upgrade/

    Thanks,

    Peter.

    Thread Starter ImageIrene

    (@arlinaite)

    5 years, 2 months ago

    Thanks for your answer.

    Can Wordfence help with invalid traffic?
    If the answer is yes, how?

    Can you suggest any other tools.

    My Ezoic account is paused because they say I have invalid traffic.
    Thanks for your time

    Plugin Support Imagewfpeter

    (@wfpeter)

    5 years, 2 months ago

    Hi @arlinaite,

    Absolutely. “Invalid traffic” is basically bot rather than human activity on your site, although preventing it from being harmful to your site and preventing it from occurring are quite different.

    I know it can be frustrating to see many attempts on specific sites over others, especially if your host is flagging it and there seems to be no logical reason, but this is actually quite a normal occurrence. Thereā€™s only so much we can do to prevent attacks from happening, itā€™s more about making sure they arenā€™t successful, which it sounds like Wordfence is doing.

    Thereā€™s a chance that site visibility on the web, or the choice of installed plugins could have an effect, but often these are blanket attempts hoping to find a way in. In fact, many automated attacks donā€™t even check the version of WordPress or whether a specific vulnerable plugin is even installed before trying.

    You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    Thanks,

    Peter.

    Thread Starter ImageIrene

    (@arlinaite)

    5 years, 2 months ago

    The problem I have is as follows:

    I have Ezoic integration though Cloudflare.
    Ezoic delivers ads in my site, however now my account is paused because they see invalid traffic. Moreover they didn’t say what this traffic is. They only say that my host Cloudways can possibly help, and that there are tools to know what it is.

    I scanned my site several times with Wordfence, but is clean. I have Wordfence and WAF enabled.

    I have some technical issues with redirections to the homepage that I am trying to fix, however I donā€™t understand if this could be possibly be confused with invalid traffic, because this generates an undesired traffic but this is coming from good bots.

    Thanks for all you patience

    Plugin Support Imagewfpeter

    (@wfpeter)

    5 years, 2 months ago

    Hi @arlinaite, thanks for the extra information.

    In your Live Traffic page, are you seeing a large quantity of non-human visits or blocked bots reported by Wordfence? As I mentioned before, Wordfence will “handle” the traffic on-demand right now.

    It might be worth reaching out to your host/Ezoic to see specifically what they mean and if they have evidence of the traffic causing problems. If it’s coming from specific IPs or ranges of IPs, it could help knowing this information so that you can add them to a firewall blocklist to try mitigating the unwanted traffic. Hopefully they should have some advice for you around this if they strictly restrict your site when it occurs.

    Let me know if there’s any further help I can offer once the source(s) of the traffic is known.

    Thanks,

    Peter.

    Thread Starter ImageIrene

    (@arlinaite)

    5 years, 2 months ago

    Ezoic acts as a revers proxy delivering ads in my site.
    Like AdSense, Ezoic doesn’t informe which is the invalid traffic. This are the policies of most ad networks, because they believe that can be intentional from the publisher side, which most of the time is not.

    It should be interesting if wp security company’s like WordFence, can bring specific solution to the invalid traffic issue, because is a problem that most publishers have.

    Thanks for your interest

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘Spam in error logs’ is closed to new replies.