Hi,
The WHOIS is showing who owns the netblock and the owner’s company’s address, not the location of the IP, which is what you see in our geo data.
Regarding the 0.0 version, let me know if you see that again because it may be a bug.
Regards,
Mark.
Thread Starter
wnthne
(@wnthne)
It gets worse. It seems I have been hacked due to a known WordFence vulnerability. 🙁
http://www.websecuritywatch.com/wordpress-wordfence-security-xss-and-iaa-vulnerabilities/
http://healingpetloss.com/?_wfsf=unlockEmail
Http Code: 200
date/time: 6/7/14 10:20 AM
100.199.78.125.broad.pt.fj.dynamic.163data.com.cn
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31
Protocol: HTTP/1.1
bytes: 242
method: GET
The irony is I just signed up yesterday to be a premium customer and I specifically blocked all hits from China. How is it possible that the country blocking is not working? And why is the Cross-Site Scripting Vulnerability (apparently) not fixed?
Now, my website is inaccessible and I cannot log in to WordPress. I am waiting for my hosting provider to fix it. I have cPanel access, but I do not know how to verify the problem and fix it myself.
Additionally, leading up to this attack was a series of attacks over a 48 hour period, see below:
An unknown location at IP 0.0.0.0 visited http://site
20 minutes ago IP: 0.0.0.0 [block]
Browser: Yahoo! Slurp version 3.0
Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
An unknown location at IP 0.0.0.0 left http://sitepet/ and visited http://site
23 minutes ago IP: 0.0.0.0 [block]
Browser: Chrome version 30.0 running on Win7
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.13014 YaBrowser/13.12.1599.13014 Safari/537.36
An unknown location at IP 0.0.0.0 left http://site and visited http://site
23 minutes ago IP: 0.0.0.0 [block]
Browser: Chrome version 30.0 running on Win7
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.13014 YaBrowser/13.12.1599.13014 Safari/537.36
BTW, there have been dozens of these attacks with IP 0.0.0.0.
Please advise. Thanks in advance.
Thread Starter
wnthne
(@wnthne)
I forgot to mention, there have been several “version 0.0” hits before the site went down.
I put the following code in .htaccess and I hope that will prevent any more of the CSS attacks described above (provided I get the site working again).
# Redirects any request carrying the unlockEmail query parameter back to the same path with the query string removed
RewriteCond %{QUERY_STRING} unlockEmail [NC]
RewriteRule ^(.*)$ /$1? [L,R=301]
Thread Starter
wnthne
(@wnthne)
Another question is why does the hacker's IP show a Chinese server when the IP is in Kansas? Does this explain why blocking IPs in China didn’t keep the hacker out?
100.199.78.125.broad.pt.fj.dynamic.163data.com.cn
See:
http://ip-api.com/100.199.78.125
So how can I tell what is real and what is fake? And how can WordFence tell the difference?
Thanks.
The vulnerability you’re referring to is over 2 years old and was fixed before it was publicly disclosed. Just for fun I went and counted how many versions ago this was fixed: thirty-seven versions ago.
In fact the product that was affected is now end-of-life if you look at the top of our forums. It no longer even works.
So you weren’t hacked via Wordfence unless you’re running a version that is severely out of date.
Start by setting your “How does Wordfence get IP’s” setting on the Wordfence options page to the “REMOTE_ADDR” option. Save. Then see if IP address reporting improves.
Regards,
Mark.
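The two questions in this thread, why the log shows hits from 0.0.0.0 and why country blocking let a Chinese host through when the looked-up address pointed at Kansas, both come down to which address the plugin treats as the visitor's. The following is an added example written for this page, not Wordfence's own code or logic. It contrasts the weak setting (reading the client IP from an X-Forwarded-For header that any client can set) with the REMOTE_ADDR setting Mark recommends, shows how an unparsable header value surfaces as 0.0.0.0, and shows that the dotted quad at the front of the reverse-DNS name in the post (100.199.78.125) is only a label, not the connecting address. The geolocation table is constructed for the demo, the function names are hypothetical, and the peer address 125.78.199.100 is an assumption based on the reversed-octet PTR convention that provider's hostnames appear to follow; the page itself never states the real address.

```python
import ipaddress
from typing import Optional

# Constructed geolocation table for this example only; it is not real geo data.
# 203.0.113.0/24 is a documentation range (TEST-NET-3) standing in for a US address.
GEO_TABLE = {
    ipaddress.ip_network("125.78.0.0/16"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
BLOCKED_COUNTRIES = {"CN"}


def country_of(ip: str) -> str:
    """Look the address up in the constructed table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for network, cc in GEO_TABLE.items():
        if addr in network:
            return cc
    return "??"


def should_block(ip: str) -> bool:
    """Country-blocking decision, made on whatever address the resolver returned."""
    return country_of(ip) in BLOCKED_COUNTRIES


def naive_header_ip(remote_addr: str, headers: dict) -> str:
    """The weak setting: take the first hop of X-Forwarded-For from any client.

    Any client can send this header, so the reported address is whatever the
    sender put there. An unparsable value comes out as 0.0.0.0, which is how a
    plugin that reads the header blindly ends up logging visits from 0.0.0.0.
    """
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    if not first:
        return remote_addr
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return "0.0.0.0"
    return first


def client_ip(remote_addr: str, headers: dict, trusted_proxies=()) -> str:
    """The corrected setting: REMOTE_ADDR unless the TCP peer is a proxy we run.

    With no trusted proxies configured this is exactly the REMOTE_ADDR option.
    When the peer is one of our own proxies, walk X-Forwarded-For from the right
    and return the first hop that is not one of our proxies: that hop was
    appended by our infrastructure rather than chosen by the client.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: fall back to the socket address
        return hop
    return remote_addr


def leading_labels_as_ip(hostname: str) -> Optional[str]:
    """Return the first four labels of a PTR-style hostname if they parse as IPv4.

    This is the string the forum post looked up on ip-api. It is a label inside
    the reverse-DNS name, not the address the connection actually came from.
    """
    candidate = ".".join(hostname.split(".")[:4])
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


def demo() -> dict:
    """Run the weak and corrected resolvers against the same constructed request."""
    # Assumption: the PTR name quoted in the thread follows the provider's
    # reversed-octet convention, so the connecting address would be 125.78.199.100.
    peer = "125.78.199.100"
    headers = {"X-Forwarded-For": "203.0.113.7"}  # constructed header value
    return {
        "weak": should_block(naive_header_ip(peer, headers)),   # False: block bypassed
        "fixed": should_block(client_ip(peer, headers)),        # True: block applied
        "behind_proxy": client_ip("10.0.0.2",
                                  {"X-Forwarded-For": "203.0.113.7, 10.0.0.2"},
                                  ("10.0.0.2",)),               # "203.0.113.7"
    }


if __name__ == "__main__":
    print(demo())
    print(leading_labels_as_ip("100.199.78.125.broad.pt.fj.dynamic.163data.com.cn"))
```

The design point is that a header is only evidence of the client's address when the socket peer is a proxy you control and the header value was appended by that proxy; a site served directly, as the one in this thread appears to be, should use REMOTE_ADDR, which is the setting Mark points to.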
Just wanted to add: As a paid customer, please use http://support.wordfence.com to start a support ticket with us. You will get a much faster and comprehensive response there because we have multiple staff members working the ticketing system.
Regards,
Mark.