• Resolved bjf2000

    (@bjf2000)


    For background, we’ve had WF installed since late last year, have had it configured fully as the firewall since almost the beginning, and as of a week ago have been on 7.1.4.

    As of yesterday, we noticed 2-3 minute-long outages (once every hour or two, roughly) that through CPanel we found to coincide with spikes in memory and CPU use.

    Examining the raw logs in CPanel during these times, we found various IPs (it always changes after each burst) accessing single random pages on our site. The IPs are in our region, so I suspect use of a proxy, but the mention of WordFence in all of them is what brought me here. So, for example there will be several hundred lines like this within a couple minutes:

    70.51.79.58 - - [09/May/2018:22:46:11 -0400] "GET /?wordfence_lh=1&hid=E90134FDB662F6FEC88602AD14EFFA46&r=0.9015211105998135 HTTP/1.1" 503 1159 "https://oursite.com/mission-vision-values/our-team/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"

    Why is WF making an appearance in the URL when being attacked but not normally? Normal access looks like this:

    71.8.133.12 - - [10/May/2018:03:05:02 -0400] "GET /waste-reduction/reduce-waste-resources/ HTTP/1.1" 200 22042 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.189 Safari/537.36 Vivaldi/1.95.1077.55"

    Understanding this may be helpful in understanding what the attacker is trying to accomplish. It would be nice if WF actually blocked the attacks, but that may be asking too much.

    • This topic was modified 5 years, 11 months ago by bjf2000.
Viewing 9 replies - 16 through 24 (of 24 total)
    Plugin Author WFMattR

    (@wfmattr)

    Yep, that’s correct about the filenames — the one I see on a test site is only rocket.min.js, and it doesn’t have a rocket-loader.min.js.

    This is the one I currently have:
    https://ajax.cloudflare.com/cdn-cgi/scripts/935cb224/cloudflare-static/rocket.min.js

    -Matt R

    Update: Having shut down RocketLoader about 2 hours ago, I am now down to 100 – 200 CPU seconds of usage the last 2 hours, and account executions are now in a similar range.

    What is the prognosis here? Was there an actual problem with RocketLoader, or was it to do with how Wordfence interpreted RocketLoader’s activities? Will there be some notification that the issue is resolved and RocketLoader can be safely brought back on line?

    Thanks, Ian

    Thread Starter bjf2000

    (@bjf2000)

    Wow, when they say “min” they really mean it: 103KB vs 10KB.

    Plugin Author WFMattR

    (@wfmattr)

    @blueeventhorizon: I guess it depends on how you look at it — Rocket Loader is supposed to make your site faster by modifying how other scripts on the site work, and there is always some risk in doing things like that. Wordfence’s code adds some event handlers, and removes them soon after — I think Rocket Loader has modified our event handlers, probably replacing them with their own and calling ours … so when we try to remove them, they never get removed.

    I expect that Cloudflare will make a change to prevent that issue since they’ve been notified, but we’ll also be making a change in Wordfence soon to prevent the issue as well. The Wordfence changelog will mention when we’ve made such a change.

    -Matt R

    Thanks for your reply WFMattR!

    I look forward to any changes you guys make at your end – we’ll see what Cloudflare does!
    Ian

    I’ve been fighting this for a few days now, my server keeps getting killed with 100% CPU and 100% RAM usage. Looking at my logs shows ...GET /?wordfence_lh... repeated hundreds of times at the exact time intervals that my CPU/RAM usage spikes.

    I ended up having to upgrade my VPS to have more RAM to get it to stay online for longer than 10-15mins.

    Glad to know what the issue is. I’ll disable Live View for now since I don’t actually use it regularly. I’ll enable it as soon as Cloudflare fixes it on their end.

    • This reply was modified 5 years, 11 months ago by ArkonLabs.

    Thanks everyone for reporting this. We (Cloudflare) have found the cause of this issue in the new Rocket Loader code base and we’re currently working on a fix. In the interim – you can either disable the Live Traffic feature in Wordfence or disable Rocket Loader. Either should ensure that specific issue goes away.

    I’ll update here as soon as the fix is rolled out to our network.

    Hi everyone,

    This issue has been fixed so if you experienced issues with Wordfence Live Traffic and Rocket Loader, you can re-enable both features now.

    If you have any issues you can report them direct to Cloudflare support or on our community – there’s a thread on this particular issue here too:

    https://community.cloudflare.com/t/rocket-loader-update-is-active-in-wp-admin/17900/3

    Thanks again!

    Simon

    Plugin Author WFMattR

    (@wfmattr)

    Thanks @simon-says, that’s good to hear! In our update next week, we’ll also be adding an extra check in our event handlers, in case of any similar issues in the future (whether with Rocket Loader or other scripts).

    -Matt R

  • The topic ‘Apparent attacks and why WordFence is mentioned in the logs’ is closed to new replies.