WordPress.org

Ready to get started?Download WordPress

Forums

blog being attacked!? plz help (4 posts)

  1. pickled
    Member
    Posted 4 years ago #

    Hi All,

    I use WordPress Firewall plugin on my site and the last two days I seem to be getting hit a few times per minute with some sort of attack. 1000s of alerts and growing!

    I think, I'm not too sure on these messages, most are easy to tell what is going on but I'm lost with these.

    Can anyone else clue me in here? Am I being attacked, or is there some sort of misconfig causing this?

    Sample alerts
    -------------------
    Web Page: http://www.ThisIsMyBlogDomain.com/ (hidden for privacy)
    Warning: URL may contain dangerous content!
    Offending IP: 206.207.80.165 [ Get IP location ]
    Offending Parameter: PHPSESSID = cd425be27def1acbe77d2e1bd4bdc4bc, wp_ozh_wsa_visits=1, wp_ozh_wsa_visit_lasttime=1264066592, alpha=178502cc412b00001a6d594b35610800783e0000, CFID=35069126, CFMAGIC=35069126:92000169, CFTOKEN=92000169
    -------------------
    Web Page: http://www.ThisIsMyBlogDomain.com/ (hidden for privacy)
    Warning: URL may contain dangerous content!
    Offending IP: 216.145.24.240 [ Get IP location ]
    Offending Parameter: PHPSESSID = 91f59f87191e99c3529a2766c2e9f4b3, wp_ozh_wsa_visits=1, wp_ozh_wsa_visit_lasttime=1264153003, alpha=26d56bd181130000faca594b1f160700e3120000, XTCsid=6c5d5732586af445d192a89ecbb70870, CFID=20592936, CFTOKEN=79796267, SPC_LQ=|
    --------------------

    So looking at the above:

    I see 'ozh' which makes me think this has something to do with the Who Sees Ads plugin (made by Ozh), which it could be, but I also see CFID and CFTOKEN etc and that is Coldfusion which I don't use on my site. The offending ips are also not mine.

    If anyone has a clue here I'd really appreciate any help you can provide as it makes me very nervous to be getting so many alerts like this!

    Thanks!

  2. Ozh
    Member
    Posted 4 years ago #

    You're just seeing the cookies (named wp_ozh_wsa_XXX) that are being set. Nothing related to my plugin.

  3. pickled
    Member
    Posted 4 years ago #

    thank a lot for the reply Ozh!

    so someone/thing is hitting my site with a coldfusion script and setting off WSAs cookies?

  4. John Hoff
    Member
    Posted 3 years ago #

    Just had the same thing happen to me.

    Does this mean that someone did try and hack their way in?

    Thank

Topic Closed

This topic has been closed to new replies.

About this Topic