Stop Spammers
spammer with ip of 127.0.0.1 (6 posts)

  1. ds123
    Member
    Posted 8 months ago #

    Hi Keith, can you tell me: is it safe to add this spammer, which is some guy from China who somehow has managed to show up as an IP of 127.0.0.1, to the blacklist?

    thanks!

    http://wordpress.org/plugins/stop-spammer-registrations-plugin/

  2. kpgraham
    Member
    Plugin Author

    Posted 8 months ago #

    127.0.0.1 is "localhost" or the IP number that the machine uses to talk to itself. I would guess that someone is using the keyboard on your server or there is a proxy server running that is reporting that IP.

    It could also be a virus on your machine that is running a script to access your blog.

    Keith

  3. ds123
    Member
    Posted 8 months ago #

    Thanks for the reply. It's not my machine, as the site is on a remote server (Rackspace managed server). I highly doubt it's the Rackspace server either; they have way too many sites at risk if that was the case.

    I googled around some, and are you 100% positive that a hacker in China can't spoof that IP address?

    http://wordpress.org/support/topic/log-real-ip?replies=6
    http://stackoverflow.com/questions/5092563/how-to-fake-serverremote-addr-variable

    note this is a recent thing has not happened have been using your plugin successfully for months

    Maybe this is what I need to do?
    It is called spoofing and a fairly common practice and easy to do with IP addresses. You'll need to trace back his requests in the web server's log to find his real IP address and ban it.
    http://www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/327266-being-harrassed-by-a-user-ip-127-0-0-1

    There are a number of new accounts registered reporting 127.0.0.1 as their IP, and they basically do what the others do: post spam with links to whatever. So the same exact type of accounts I've been blocking; it just seems like lately they found a new trick.

  4. kpgraham
    Member
    Plugin Author

    Posted 8 months ago #

    Apache gets the IP address from the request. It can only be spoofed from the inside out. It has to be a bad plugin with a vulnerability or some kind of script that has been uploaded to the server.

    I think it might be time to back up your database, wipe WordPress and reinstall it. I think someone sneaked some kind of back door onto your site and this is the only way to fix it.

    Download my "Threat Scan" program and run it. See if it finds anything.

    Keith

  5. ds123
    Member
    Posted 8 months ago #

    Thanks Keith for the advice. I will try running the threat scan you mentioned. What I'm seeing in my raw logs are like 500 hits a day from 127.0.0.1 requesting kind of normal things like images; it's almost all GET requests. But the weird thing is it's requesting them not like it's a page load, where all files would be close together in time requested.

    I've also checked for any changed files and am not seeing anything I didn't know about there.

    Here is an example. It also requests some theme files.

    Line 229162: 127.0.0.1 - - [25/Nov/2013:23:52:37 -0600] "GET /wp-content/uploads/2013/10/2t-shirt.jpg HTTP/1.1" 304 241 "-" "Mozilla/4.0 (compatible;)"
    Line 230450: 127.0.0.1 - - [26/Nov/2013:00:00:28 -0600] "GET /wp-content/uploads/avatars/443/4bbdfgfge8651-bpthumb.jpg HTTP/1.1" 304 241 "-" "Mozilla/4.0 (compatible;)"

  6. kpgraham
    Member
    Plugin Author

    Posted 8 months ago #

    You might try an htaccess file with a "deny 127.0.0.1" and see what happens. I am not an htaccess expert so you would have to google how to block a domain with htaccess. Be prepared to fix it quick if something goes screwy.

    It might be some plugin trying to get a file, it would be interesting to see what the log says after you deny access.

    Keith
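
Added example, not part of the thread or the plugin: one way to summarise the loopback-sourced requests in an Apache combined-format access log like the lines ds123 posted, so that their user agents, methods, status codes and timing can be compared before anything is blocked. The function name `summarize_loopback`, the 5-second burst window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format, with an optional "Line N: " prefix as in the thread.
LINE_RE = re.compile(
    r'^(?:Line \d+: )?(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines modelled on the format shown in the thread.
SAMPLE = """\
127.0.0.1 - - [25/Nov/2013:23:52:37 -0600] "GET /wp-content/uploads/a.jpg HTTP/1.1" 304 241 "-" "Mozilla/4.0 (compatible;)"
203.0.113.9 - - [25/Nov/2013:23:53:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
127.0.0.1 - - [26/Nov/2013:00:00:28 -0600] "GET /wp-content/uploads/b.jpg HTTP/1.1" 304 241 "-" "Mozilla/4.0 (compatible;)"
127.0.0.1 - - [26/Nov/2013:00:00:29 -0600] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/4.0 (compatible;)"
"""

def summarize_loopback(text, burst_seconds=5):
    """Summarise requests whose logged client address is loopback (127.x or ::1)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        if m["host"].startswith("127.") or m["host"] == "::1":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m))
    hits.sort(key=lambda h: h[0])
    # Seconds between consecutive loopback requests.
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "total": len(hits),
        "agents": Counter(m["agent"] for _, m in hits),
        "methods": Counter(m["method"] for _, m in hits),
        "statuses": Counter(m["status"] for _, m in hits),
        # Requests that follow the previous one within burst_seconds cluster
        # the way a browser page load does; widely spaced ones do not.
        "bursty": sum(1 for g in gaps if g <= burst_seconds),
        # Anything other than GET (for example a registration POST) deserves a closer look.
        "non_get": [(m["method"], m["path"]) for _, m in hits if m["method"] != "GET"],
    }

if __name__ == "__main__":
    for key, value in summarize_loopback(SAMPLE).items():
        print(key, value)
```
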
